14 days for testing

Hello,
I have 14 days max for testing of new turris omnia router. Can you help me please? I need to know two things:

  1. Can I install entire system on mSATA drive? I’m affraid of too intensive writes to eMMC followed by its failure. Or is that only needed for LXC containers? I just want to be 100% sure that it won’t fail few years from purchase.

  2. Can I run suricata / snort on turris omnia? Does it have enough computing power? Can I also process and visualize collected data or do I have to offload it e.g. to virtual machine (with Elasticsearch and Kibana) on my PC?

And most important: are there any documents which will help me achieve these goals?

Thank you in advance.

Did you yet take a look at

?


yes.


Both are provided by OpenWrt, former though not the version 5.x due to lack of rust support in OpenWrt.

But you’ll lose the ability to perform the 3-LED and 4-LED reset (i.e. rollback to previous/factory snapshot when something goes wrong). But it’s possible this limitation will be overcome in the future.

I suggest you to read through Writing to mmcblk0p1 concerns , where a forum user did monitor eMMC writes and it seems they managed to track down the last thing that was periodically writing to it.

Of course, if you want to store suricata logs permanently, you’ll need a device to write them to. The router tries to move all this data-intensive stuff to folder /srv, and there is a Foris plugin called “Storage” (installed by default) that makes it easy for you to select an external drive and move all things from /srv to this drive. If you set it up correctly, all periodic or intensive writes should be on the external drive.

Yes I tried to get acquaint with the documentation as fast as possible (it’s only few days since I decided to buy the Omnia and I just hit a sale so it’s on the way to me not leaving much time to learn before it arrives). I tried to search the forum but found no step by step howto.

I found this for example:


but it seems somehow unfinished to me.

As for installing entire system on mSATA I found nothing and I’m not even sure if that is needed or if it’s unnecesarily paranoid. :slight_smile:

Thanks for the hint. :+1: I’ll check it out. :slight_smile:

As for the snort / suricata: I know I can install them using package system. But I need to know whether the Omnia has enough horsepower to run them smoothly.

Second thing I have to solve is how to configure VM on my notebook (which will not always run) to pull data from mSATA drive installed in the Omnia and then make Elastic and Kibana (running on that VM) to process this data.

I guess it’s something I cannot achieve in 14 days (after coming home from work) but I would like to know if that’s feasible at all.

There is no general answer to that, being rather use case specific:

  • upstream bandwidth
  • utilisation of available bandwidth at any given time and interval
  • amount of IDS rules to be processed
  • router being utilised for running apps outside of a typical/sole router deployment scheme

Less available bandwidth, lower utilisation of the available bandwidth and less IDS rules to process are less likely to cause a CPU cycle bottleneck.

Suricata is installed as a part of the Pakon (parental control) package:

obrazek

Generally, I haven’t noticed any moments when suricata would take up more than a few percent of the CPU. And the cpu has two cores at 1 GHz. It’s not that slow :wink:

And this is where you should look for the instruction on installation to external drive: https://wiki.turris.cz/doc/en/howto/omnia_booting_from_external_storage .

Many thanks.

So I guess you are using Pakon. Do you also run a SELKS environment to process data? If yes are you running it on your Omnia as one of LXC containers or for example on your laptop? Or are you just using interface for Pakon integrated into Foris web GUI?

Can I use Pakon integrated suricata as an IPS or just as an IDS? I mean I know I can use Pakon to block my devices from accessing evil web sites (facebook, twitter, google… :grin:) but can I use full potential of suricata and e.g. Emerging Threats rules for advanced network protection?

No, I don’t do anything advanced with the suricata data. I just give them to Pakon to provide me with some statistics.

I’m not sure if you’ve stumbled upon one of the most interesting features of the turris routers - the distributed dynamic firewall. In Turris OS 3.x (“oldstable”), it was based on ucollect, in Turris OS 5.0 (“stable”) it is based on a custom data collection system called Sentinel. It collects various threat data, which are processed by CZ.NIC and they distill firewall rules which are then dynamically distributed to all turris routers. I’m not sure if these systems cooperate with suricata or not, but I think it’s possible. However, Sentinel is probably not a full IDS/IPS solution.

Yes, I’ve read about this feature and though CZ.NIC guys are definitely the very good ones I try to avoid sharing (even anonymized (sometimes poorly as e.g. the Avast! data collection affair showed)) my data. Plus I want to learn more about the SELKS. :blush:

But after reading all hints provided in this thread it may not be such a problem. I’ll just install suricata, store all its logs on mSATA, install VM with SELKS on my laptop and make it pull logs from Omnia. The only thing I have to solve is to configure the Omnia side to buffer data which cannot be sent immediately to SELKS and the SELKS side to process it. That would be all for the suricata in IDS mode.

Runing suricata in IPS mode will be another thing to solve.

Anyways thanks a lot for your and mrs.crox’s help. Tomorrow will be the D day. :smiley:

Just in case would want to venture to

do not follow the

since that wiki entry pertains to the u-boot version 2015 that shipped from factory with earlier boards whilst the Omnia 2019/20 boards are shipping with u-boot version 2019 and things are bit different. Nonetheless, it can be done just not with those instructions.

Haven’t known that. Has anyone written the correct instructions for the new u-boot?

To keep things simple I guess first I’ll just move the /srv directory to SSD. Moving entire system to SSD will be one of things I can do after I decide to keep the Omnia.

As for the suricata I found this interesting howto:

Yes, you can. eMMC is not suitable for LXC.

Yes, you can. For these usage use LXC.

What exactly is wrong with this howto? Can you provide more accurate one? Thanks.

Suppose it is best done by the device manufacturer since they provide the current manual as part of their official old documentation tree and know best about the bootloader that ships with their devices.


Mainly the boot-manager command btrload is a legacy/depreciated with the 2019 u-boot version https://gitlab.nic.cz/turris/user-docs/-/issues/66.

As we can see, @Pepe considers in the https://gitlab.nic.cz/turris/user-docs/-/issues/66 the description of booting from SSD for Omnia 2019+ as community task and closed the request.
To be honest, when we know that there are happening unwanted writes to emmc, I’d expect that some Turris team member should invest an hour of his time and make updated description of “how to boot from SSD for Onia 2019+” so all users who are worried about their emmc could mitigate the risk. Any other opinions welcome…

the reasoning seems to be a mishap of sorts since the article in question is provided under the manufacturer’s own (old) document tree (https://doc.turris.cz/doc/en/howto/start) and not the community document tree (https://doc.turris.cz/doc/en/public/start)

So I moved /srv folder and log files for suricata and syslog to SSD. Do I still have to worry about eMMC wear?