Suricata enabled causes issues with remote locations

Short Version: I have Homesite and two remote locations all using OPNsense 19.1.6-amd64. All locations use PPPoE WAN, only want to enable Suricata on the home site. The remote sites connect through an OpenVPN server with xor patch, not a firewall server but on a separate VM on a VLAN. When Suricata IPS mode is enabled the remote sites seem to maintain a connection to VPN but no internet at either remote location LAN.

Long Version: I have three locations that are all using OPNsense 19.1.6-amd64. The Home location has the following networks:
◦ OpenVPN server with xor patch running on an Ubuntu server on IOT VLAN; this is how my other two sites connect.
• VPN Client

All LAN traffic with the exception of a few devices managed with aliases is routed through the VPN client. The IOT VLAN is on local ISP PPPoE WAN with the exception of the Ubuntu OpenVPN server which has a rule to use the VPN client as its gateway.

Sites two and three are identical and look like this:
• VPN Client to site one.

Everything is working fine, but I would like to enable Suricata. Currently, I have the service enabled, but IPS mode disabled on the IOT, LAN and VPN interfaces, with the following rule sets selected and set to Drop:

• ET open/botcc
• ET open/botcc.portgrouped
• ET open/ciarmy
• ET open/dshield
• ET open/emerging-attack_response
• ET open/emerging-current_events
• ET open/emerging-dos
• ET open/emerging-exploit
• ET open/emerging-malware
• ET open/emerging-mobile_malware
• ET open/emerging-trojan
• ET open/emerging-worm

When I enable IPS mode everything keeps working at the Homesite but site one and two immediately stop working unless I disconnect them from VPN. I can’t keep IPS mode enabled long enough to see what might be causing the issue as phone calls start to come in as soon as I enable it.

Figured someone here might have run into something like this or know what my issue is. Could it be the patched VPN packets tripping Suricata to drop packets? Any advice?

I have posted this on the OPNsense forum but not much help yet.

Also here is a diagram of my network.
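The poster cannot leave IPS mode on long enough to watch what gets dropped. Suricata writes every alert (including ones it blocked) to its eve.json log, so even a short IPS window leaves a record that can be triaged afterwards. The script below is an added example, not code from the post or from OPNsense/Suricata: it reads eve.json lines, keeps only alert events that involve the OpenVPN server's address and port, and counts them by signature, separately for "blocked" (IPS dropped it) and "allowed" (IDS/alert mode only logged it). The sample log lines, IPs, signature ids and signature names are constructed placeholders; the VPN server address and port are assumptions to be replaced with the real ones.

```python
import json
from collections import Counter

# Constructed eve.json lines (not from the poster's system). Shape matches
# Suricata's EVE alert records; IPs, sids and signature names are placeholders.
SAMPLE_EVE_LINES = """
{"timestamp":"2019-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51000,"dest_ip":"192.0.2.20","dest_port":1194,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER sig A","category":"Placeholder","severity":2}}
{"timestamp":"2019-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.11","src_port":51001,"dest_ip":"192.0.2.20","dest_port":1194,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER sig A","category":"Placeholder","severity":2}}
{"timestamp":"2019-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.20","src_port":1194,"dest_ip":"203.0.113.10","dest_port":51000,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"PLACEHOLDER sig B","category":"Placeholder","severity":3}}
{"timestamp":"2019-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.5","src_port":40000,"dest_ip":"192.0.2.30","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000003,"rev":1,"signature":"PLACEHOLDER sig C","category":"Placeholder","severity":1}}
{"timestamp":"2019-05-01T10:00:05.000000+0000","event_type":"flow","src_ip":"203.0.113.10","src_port":51000,"dest_ip":"192.0.2.20","dest_port":1194,"proto":"UDP"}
"""

# Assumed values: the OpenVPN server's address and listening port.
VPN_HOST = "192.0.2.20"
VPN_PORT = 1194


def parse_eve(text):
    """Parse newline-delimited JSON; skip blank or torn lines (live logs often end mid-record)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def involves_vpn(ev, vpn_host, vpn_port):
    """True if either endpoint of the event is the VPN server on its service port."""
    return ((ev.get("src_ip") == vpn_host and ev.get("src_port") == vpn_port) or
            (ev.get("dest_ip") == vpn_host and ev.get("dest_port") == vpn_port))


def vpn_alerts_by_action(events, vpn_host, vpn_port):
    """Count alert events touching the VPN server, keyed by (sid, signature), split by Suricata's action.

    'blocked' = IPS dropped the packet; 'allowed' = alert-only (what IDS mode would have dropped).
    """
    counts = {"blocked": Counter(), "allowed": Counter()}
    for ev in events:
        if ev.get("event_type") != "alert" or not involves_vpn(ev, vpn_host, vpn_port):
            continue
        alert = ev["alert"]
        action = alert.get("action", "allowed")
        counts.setdefault(action, Counter())[(alert["signature_id"], alert["signature"])] += 1
    return counts


def report(counts):
    """Render the counts as text, most frequent signature first."""
    lines = []
    for action, ctr in counts.items():
        lines.append(f"{action}: {sum(ctr.values())} alert(s)")
        for (sid, sig), n in ctr.most_common():
            lines.append(f"  sid {sid}  x{n}  {sig}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice read the real file, e.g. /var/log/suricata/eve.json, instead of the sample.
    events = parse_eve(SAMPLE_EVE_LINES)
    print(report(vpn_alerts_by_action(events, VPN_HOST, VPN_PORT)))
```

Run it against the firewall's eve.json after a brief IPS window; the "blocked" section names the signature(s) that hit the VPN server's traffic, which is the sid to look at (or to test in alert-only mode first) before deciding whether the rule set belongs on that interface.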

You should be able to set Suricata to warn and not drop. This should allow you to figure out what is causing the problem.

I’ve never used OPNsense, but in pfSense you have one check box that says “Checking this box enables Suricata inspection on the interface.” and another that says “Checking this option will automatically block hosts that generate a Suricata alert.”

I switched all the rules to “alert” rather than drop. Still killing all remote locations’ VPN connections. I’ll keep researching; thanks for the reply.

That is really odd. I can’t think of a reason for that to happen.