Suricata won't stay on
-
The new multi-ring host stack code looks like it is trying to open more than one ring for the netmap pipe using the VLAN ID in the interface name. That's not going to work as that is not a valid netmap device name. You will need to switch to Legacy Mode Blocking for now, or else go to the INTERFACE SETTINGS tab and down in the section where you configure the blocking mode set the Threads parameter to 1 and save the change. Report back here how that works for you.
I'll have to think about how to handle this in the GUI code. Netmap Inline IPS Mode does not really use VLANs anyway because the IDs are not passed by netmap. Will probably either make use of VLANs unsupported in Inline IPS Mode, or else modify the Suricata instance to run on the parent interface only (which is what it actually does anyway, with VLAN interfaces).
-
@bmeeks Putting the thread count to 1 did not work. However, placing it in legacy mode fixed it, however.
I suppose I will just keep trying to re-place it back into in-line mode when new updates come out for suricata and/or pfsense.
Thank you for your help!
-
@danshi said in Suricata won't stay on:
@bmeeks Putting the thread count to 1 did not work. However, placing it in legacy mode fixed it, however.
I suppose I will just keep trying to re-place it back into in-line mode when new updates come out for suricata and/or pfsense.
Thank you for your help!
I've submitted an update for the GUI package, but it may be a few days (or even more) before it gets merged. I suspect the Netgate team is busy these days readying the pfSense+ 21.09 release.
The fix will automatically run VLAN Suricata interfaces on the VLAN's parent interface.
-
@bmeeks I updated to Suricata 6.0.3_3 and it allowed me to swap back to in-line mode.
-
@danshi said in Suricata won't stay on:
@bmeeks I updated to Suricata 6.0.3_3 and it allowed me to swap back to in-line mode.
Good deal! Thanks for the feedback. I changed the code so that for VLANs it runs the Suricata instance on the parent interface. That means, though, there is no reason to run a Suricata instance on every VLAN. Run it on just one, and because it will actually monitor the parent, it will see all traffic on the interface (including all of the defined VLANs).
-
@bmeeks I sounded the all clear too early. Pfsense still kept crashing afterwards with in-line mode (took a restart to realize). Swapped both VLANs to legacy again.
I do not understand what you mean about Suricata running on one VLAN. But here is what I'm doing:
I have 4 VLANs, I'm running Suricata on 2 VLANs. So:
- WAN: Nothing
- LAN: Nothing
- VLAN1: Surciata legacy mode
- VLAN2: Suricata legacy mode
- VLAN3: Nothing
- VLAN4: Nothing
-
@danshi said in Suricata won't stay on:
@bmeeks I sounded the all clear too early. Pfsense still kept crashing afterwards with in-line mode (took a restart to realize). Swapped both VLANs to legacy again.
I do not understand what you mean about Suricata running on one VLAN. But here is what I'm doing:
I have 4 VLANs, I'm running Suricata on 2 VLANs. So:
- WAN: Nothing
- LAN: Nothing
- VLAN1: Surciata legacy mode
- VLAN2: Suricata legacy mode
- VLAN3: Nothing
- VLAN4: Nothing
Don't run Suricata on the VLANs at all. Run it on the parent interface. So what interface are those VLANs defined on? If it's the LAN physical interface, then that's the interface you want to run Suricata on. If OPT1, then run it on OPT1.
-
@bmeeks That suggestion won't work with my use case. Two of those VLANs are my work and IoT VLANs and block and generate too many alerts. I ran into issues not be able to do my job fully as I work from home; I moved it to just my VLANS with my personal devices on it. Therefore I can't run it on the parent.
It has worked before for over a year, something changed with an update for pfsense or suricata as I have not changed any hardware or drivers.
-
@bmeeks Forgot to mention that even having it enabled on 1 VLAN currently with inline mode is causing it to crash. Have to do legacy even with just 1 enabled.
-
@danshi said in Suricata won't stay on:
I moved it to just my VLANS with my personal devices on it. Therefore I can't run it on the parent
You missed that "[He] changed the code so that for VLANs it runs the Suricata instance on the parent interface."
Run it once on the parent (instead of twice), and add the subnets you don't want scanned to a Pass List. (and assign the pass list to Suricata on the parent, and restart Suricata).
-
