Suricata or Snort Interferes with Traffic Graph!
-
@bmeeks Well, Bill I tweaked until I am blue ... still no graphs, so I am concluding the issue is the Intel NIC i350 and the way it behaves with Netmap as I had no issue with the Intel NIC 82575-T2. I have also contacted the Netmap developer to see whether he could offer any suggestion. The traffic graphs were really for show ... I can live without it.
-
Different NIC models sometimes use different drivers, and the various drivers have varying degrees of support for
netmap. Some have none, some have a little, and a few are 100% supportive. It is usually left to the hardware vendors who write the drivers to provide thenetmapdevice support. Sometimes thenetmapdevelopers will port support fornetmapto a FreeBSD driver. -
@bmeeks Hey Bill, discovered that the i350NIC is using this driver (<Intel(R) PRO/1000 PCI-Express Network Driver> mem 0xa1000000-0xa10fffff,0xa1104000-0xa1107fff at device 0.0 on pci7) and Intel released a newer driver for the i350 on January 23, 2020.
Do you know the steps to update the driver? Searched and the only thing I found was this image below despite the EM interface. I wish there was an easy way to update drivers, especially when one is a MAC person and had been spoilt.
-
You can't compile the driver on your firewall. The necessary development tools are not there.
The proper way would be to create a FreeBSD 11.3/STABLE machine (virtual machine is fine) and install the development tools on it. You would need to Google how to do all of that. Then you could compile the driver into a kernel module suitable for loading on pfSense.
Some folks have already done that for one of the Realtek NIC drivers. Their progress is documented in this thread: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release/. Note they started out using pfSense-2.4.4_p3 (so FreeBSD 11.2/RELEASE), but some posts near the end talk of switching to FreeBSD 11.3/STABLE.
-
It's not the same. The module for realtek is different, it's not compiled inside the kernel so you can compile it as a module and load it inside pfsense. The problem with intel is that it is compiled inside the kernel and you can't compile a new version as a module without rebuilding the entire kernel.
̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
Please do not use chat/PM to ask for help
we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
Don't forget to Upvote with the 👍 button for any post you find to be helpful. -
@kiokoman said in Suricata or Snort Interferes with Traffic Graph!:
It's not the same. The module for realtek is different, it's not compiled inside the kernel so you can compile it as a module and load it inside pfsense. The problem with intel is that it is compiled inside the kernel and you can't compile a new version as a module without rebuilding the entire kernel.
Ah! I stand corrected. Did not realize that. Thought you might could choose either route (module or native).
-
@kiokoman said in Suricata or Snort Interferes with Traffic Graph!:
The problem with intel is that it is compiled inside the kernel and you can't compile a new version as a module without rebuilding the entire kernel.
That's what I am learning ... so, it would be interesting to learn how to compile ... just have to many things on the fire cooking. Hope it gets into FreeBSD 12.1 before releasing 12.2beta. I have a feeling it's maybe more how Netmap and Snort work causing the traffic graphs issue.
-
@NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:
I have a feeling it's maybe more how Netmap and Snort work causing the traffic graphs issue.It is the
netmapdevice that is the root cause. If the traffic graphs are important to you, switch over to Legacy Blocking Mode and they will return to operation. Legacy Mode does not use thenetmapdevice, and thus those internal FreeBSD networking plumbing changes required bynetmapdo not happen and therefore traffic graphs can work. -
@bmeeks Okay Bill, I heard from the Netmap developer who stated that "with FreeBSD12, Intel NICs switched to iflib as a driver, and this had an impact on netmap, because now netmap support for these NICs is directly provided by iflib."
My hope is that pfSense developers will make sure that all NIC drivers will be updated for 2.5 release. As I had stated I can do without the fancy traffic graphs during the beta testing ... for the release, it must be fully functioning.
-
@NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:
@bmeeks Okay Bill, I heard from the Netmap developer who stated that "with FreeBSD12, Intel NICs switched to iflib as a driver, and this had an impact on netmap, because now netmap support for these NICs is directly provided by iflib."
My hope is that pfSense developers will make sure that all NIC drivers will be updated for 2.5 release. As I had stated I can do without the fancy traffic graphs during the beta testing ... for the release, it must be fully functioning.
I wouldn't depend too much on the pfSense team tackling netmap compatibility in a NIC driver. They use what comes in with FreeBSD pretty much as-is. If you want to lobby for good netmap support in a NIC driver, better to go upstream and open a ticket with the FreeBSD team directly. I'm not familiar with that particular driver and have not researched it, but in some cases the manufacturers write and support drivers for various operating systems and not the developer team of the particular OS.
-
@bmeeks said in Suricata or Snort Interferes with Traffic Graph!:
I wouldn't depend too much on the pfSense team tackling netmap compatibility in a NIC driver.
No, no ... that's not what I am saying and not their responsible. What I am saying is that as a firewall developer, pfSense should make sure NIC drivers are updated as that is the essence of offering a good firewall platform.
-
HOORAY ... traffic graphs are working; so. I wonder whether FreeBSD 12.1 stable has the latest Intel i350 NIC ... will check later!
-
Okay, I see why traffic graphs are working ... Netmap broke!
-
@NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:
Okay, I see why traffic graphs are working ... Netmap broke!
What kind of Netmap errors do you see? Is there anything in any error messages about using the wrong Netmap API?
Just wondering because a Snort user on pfSense-2.5 testing the new Inline IPS Mode reported netmap is broken there and gives a "wrong API" error.
This will be from the recent move to FreeBSD-12.1 for pfSense-2.5 snapshots. Will work on getting it sorted out, but may take some time.
-
A Redmine Bug Report has been created to track this issue. Thanks for reporting it.
