Suricata inline mode occasionally drops all traffic for interface under load
You are almost certainly hitting a Netmap compatibility problem. It could be the higher interrupt rates that come with higher traffic rates, but it could also be other buffer-related problems. Netmap on FreeBSD, and then Netmap on FreeBSD within Suricata, are both still maturing technologies. Translated to plain English, that means expect some bugs to still be present.
I have tested Suricata inline mode with em0 virtual NICs on VMware Workstation VMs and it works, but I have not tried high traffic rates. I don't really have a good way of simulating realistic loading in my simple home lab. I have not tested Inline IPS Mode on ESXi virtual machines.
Bill