Netgate Discussion Forum

    Snort Inline IPS mode and HAProxy Issue

    • kiekar:

      Hello,

      I created a new install of pfSense 2.5.0 from scratch. I have HAProxy installed for my DMZ network. I installed Snort 4.0 and created an interface on the DMZ interface (igb3) using the inline IPS mode introduction and configuration instructions.

      After starting the interface I noticed immediately that my HAProxy backend went offline. When I shut down the DMZ interface the HAProxy backend goes back online.

      Any ideas why this is happening? Any help would be much appreciated.

      Below are the system logs from starting and stopping the service.

      Mar 1 07:17:35	php-fpm	53221	Starting Snort on DMZ(igb3) per user request...
      Mar 1 07:17:35	php	70409	[Snort] Updating rules configuration for: DMZ ...
      Mar 1 07:17:35	php	70409	[Snort] Enabling any flowbit-required rules for: DMZ...
      Mar 1 07:17:35	php	70409	[Snort] Enabling any flowbit-required rules for: DMZ...
      Mar 1 07:17:35	php	70409	[Snort] Building new sid-msg.map file for DMZ...
      Mar 1 07:17:35	php	70409	[Snort] Snort START for DMZ(igb3)...
      Mar 1 07:17:36	kernel		igb3: link state changed to DOWN
      Mar 1 07:17:36	check_reload_status	376	Linkup starting igb3
      Mar 1 07:17:37	kernel		057.369234 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:37	php-fpm	53221	/rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
      Mar 1 07:17:37	check_reload_status	376	Reloading filter
      Mar 1 07:17:39	check_reload_status	376	Linkup starting igb3
      Mar 1 07:17:39	kernel		igb3: link state changed to UP
      Mar 1 07:17:39	kernel		059.470734 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:40	php-fpm	94309	/rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
      Mar 1 07:17:40	check_reload_status	376	rc.newwanip starting igb3
      Mar 1 07:17:40	check_reload_status	376	Reloading filter
      Mar 1 07:17:40	kernel		060.470551 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:41	php-fpm	94309	/rc.newwanip: rc.newwanip: Info: starting on igb3.
      Mar 1 07:17:41	php-fpm	94309	/rc.newwanip: rc.newwanip: on (IP address: 172.16.0.1) (interface: DMZ[opt1]) (real interface: igb3).
      Mar 1 07:17:41	check_reload_status	376	Reloading filter
      Mar 1 07:17:41	kernel		061.119274 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:42	kernel		062.055664 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:43	kernel		063.437239 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:44	kernel		064.116558 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:45	kernel		065.441235 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:46	php-fpm	53221	Stopping Snort on DMZ(igb3) per user request...
      Mar 1 07:17:46	php-fpm	53221	[Snort] Snort STOP for DMZ(igb3)...
      Mar 1 07:17:46	kernel		066.441202 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
      Mar 1 07:17:46	snort	73713	*** Caught Term-Signal
      Mar 1 07:17:46	check_reload_status	376	Linkup starting igb3
      Mar 1 07:17:46	kernel		igb3: link state changed to DOWN
      Mar 1 07:17:47	php-fpm	338	/rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
      Mar 1 07:17:47	check_reload_status	376	Reloading filter
      Mar 1 07:17:49	check_reload_status	376	Linkup starting igb3
      Mar 1 07:17:49	kernel		igb3: link state changed to UP
      Mar 1 07:17:50	php-fpm	339	/rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
      Mar 1 07:17:50	check_reload_status	376	rc.newwanip starting igb3
      Mar 1 07:17:50	check_reload_status	376	Reloading filter
      Mar 1 07:17:51	php-fpm	339	/rc.newwanip: rc.newwanip: Info: starting on igb3.
      Mar 1 07:17:51	php-fpm	339	/rc.newwanip: rc.newwanip: on (IP address: 172.16.0.1) (interface: DMZ[opt1]) (real interface: igb3).
      Mar 1 07:17:51	check_reload_status	376	Reloading filter
      
      • bmeeks:

        Many FreeBSD networking features are incompatible (or at least buggy) when the netmap kernel device in FreeBSD is active. Inline IPS Mode on both Snort and Suricata uses the built-in FreeBSD netmap kernel device.

        The first easy thing I would check is to be sure you have all of the network hardware offloading features set to "Disabled" on the SYSTEM > ADVANCED > NETWORKING tab. I see some mbuf checksum errors in your log snippet. Not saying that will for sure fix it, though. But when using the IPS Inline Mode, you need to disable all hardware offloading.

        Another weirdness that happens with the netmap device is when it is activated or deactivated it will bring the interface "down" and then "up". So each time Snort starts or stops, you will see messages in the system log about the interface going down and coming back up. This might upset other software pieces monitoring that interface.

        I'll say this here primarily for the benefit of others that may come across this thread.

        Snort and Suricata, when using Inline IPS Mode operation, work best on a totally plain-vanilla firewall setup. No HA Proxy, no Traffic Shaping/Limiters and no LAGG interfaces. Even some VLAN setups can cause weirdness. Adding any of these things can lead to various "problems" when using Inline IPS Mode with either of the two IDS packages.

        • kiekar @bmeeks:
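As an added example (not code from the thread, pfSense or the Snort package), a Python check that parses pfSense system-log lines like the ones posted above: it counts netmap checksum-offload drops per interface and correlates link DOWN/UP pairs with Snort START/STOP events so the expected netmap attach/detach cycle is not mistaken for a real link fault, and a helper flags offload options still reported by `ifconfig`. The tab-separated log layout, the log year and the sample `ifconfig` options line are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the pfSense system-log layout shown in the thread (assumed: tab-separated
# "Mon D HH:MM:SS", process, pid, message); kernel lines carry an empty pid field.
SAMPLE_LOG = """\
Mar 1 07:17:35\tphp\t70409\t[Snort] Snort START for DMZ(igb3)...
Mar 1 07:17:36\tkernel\t\tigb3: link state changed to DOWN
Mar 1 07:17:37\tkernel\t\t057.369234 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:39\tkernel\t\tigb3: link state changed to UP
Mar 1 07:17:41\tkernel\t\t061.119274 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:46\tphp-fpm\t53221\t[Snort] Snort STOP for DMZ(igb3)...
Mar 1 07:17:46\tkernel\t\tigb3: link state changed to DOWN
Mar 1 07:17:49\tkernel\t\tigb3: link state changed to UP
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d)\t([^\t]*)\t([^\t]*)\t(.*)$")
NETMAP_DROP_RE = re.compile(r"netmap_transmit (\S+) drop mbuf that needs checksum offload")
LINK_RE = re.compile(r"^(\S+): link state changed to (UP|DOWN)$")
SNORT_RE = re.compile(r"\[Snort\] Snort (START|STOP) for \S+\((\S+)\)")
# ifconfig option flags for the checksum / TSO / LRO offloads that the SYSTEM > ADVANCED > NETWORKING checkboxes disable
OFFLOAD_FLAGS = {"RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6", "TSO4", "TSO6", "LRO"}

def enabled_offloads(options_line):
    """Return offload flags still set in an `ifconfig <if>` options line; any of them can make netmap drop mbufs."""
    m = re.search(r"options=\w+<([^>]*)>", options_line)
    return set(m.group(1).split(",")) & OFFLOAD_FLAGS if m else set()

def analyse(log_text, window_s=10, year=2021):
    """Count netmap checksum-offload drops per interface and DOWN/UP cycles tied to Snort start/stop."""
    drops, flaps, snort_events = {}, [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _proc, _pid, msg = m.groups()
        t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # year assumed: the log omits it
        if d := NETMAP_DROP_RE.search(msg):
            drops[d.group(1)] = drops.get(d.group(1), 0) + 1
        elif l := LINK_RE.match(msg):
            flaps.append((l.group(1), l.group(2), t))
        elif s := SNORT_RE.search(msg):
            snort_events.append((s.group(2), s.group(1), t))
    # A DOWN and an UP on the same interface within window_s of a Snort START/STOP is the
    # netmap attach/detach cycle described above, not a physical link problem.
    cycles = 0
    for iface, _ev, t0 in snort_events:
        seen = {e for i, e, t in flaps if i == iface and 0 <= (t - t0).total_seconds() <= window_s}
        cycles += int({"DOWN", "UP"} <= seen)
    return {"checksum_offload_drops": drops, "netmap_link_cycles": cycles}
```

A non-empty `checksum_offload_drops` entry for an interface after the offload checkboxes were ticked is the cue to confirm with `ifconfig` that the driver actually dropped the flags.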

          @bmeeks

          Hello and thanks for your reply. All three of the check boxes are disabled per the configuration instructions.
