    Snort on LAN stops all VLAN traffic

    IDS/IPS
    12 Posts, 4 Posters, 1.5k Views
    • firstone @bmeeks

      pfSense is 2.5.0, Snort 4.1.3_2.

      I have an Intel card. The problem is specifically with VLANs, as LAN-WAN works fine. Enabling Snort on WAN doesn't cause the issue either.

      [Attachment: Screen Shot 2021-04-03 at 3.00.39 PM.png]

      • bmeeks

        VLANs are known to not work with the netmap kernel device, so not surprised you are having issues there.

        Netmap is a very finicky beast, and it has grown a bit more so it seems with the release of FreeBSD 12.x and the move to iflib for the network drivers. Inline IPS Mode for both Snort and Suricata has to use the netmap kernel device, so any weirdness with that device is going to show up. And it will usually show up as rather severe network problems. If you want to use Snort on the parent VLAN interface, try using Legacy Mode there and not Inline IPS. Legacy Mode uses libcap instead of the netmap device.

        • firstone @bmeeks

          Thank you.

          Is there a way to emulate in-line behavior, as in alert only by default and block based on explicit rules or SID? By default it blocks too much and too quickly. But while I can whitelist VoIP hosts, I don't know what to do with Ring. I can't whitelist all of AWS. Or, if I can, I probably shouldn't.

          • bmeeks @firstone

            @firstone said in Snort on LAN stops all VLAN traffic:

            Thank you.

            Is there a way to emulate in-line behavior, as in alert only by default and block based on explicit rules or SID? By default it blocks too much and too quickly. But while I can whitelist VoIP hosts, I don't know what to do with Ring. I can't whitelist all of AWS. Or, if I can, I probably shouldn't.

            No, Snort does not offer an analog to inline IPS mode. Suricata does, if you wanted to try that. It has an option when using Legacy Mode blocking called "Block on DROPs Only" that can be enabled.

            You whitelist hosts by adding them to a custom Pass List. You would create one on the PASS LISTS tab. Be sure to keep the auto-selected defaults there. You can add IP addresses or defined Aliases to the list when creating it. Once you have a list created, go to the INTERFACE SETTINGS tab for the interface and down in the Pass List drop-down selector choose the list you created and save the change. Restart Snort after applying the change so it will see the new list.

            • SteveITS @firstone

              @firstone said in Snort on LAN stops all VLAN traffic:

              whitelist VOIP hosts, I don't know what to do with Ring

              I was lurking and happened to see this comment, check out this doc.


              • PabloAbonia @bmeeks

                @bmeeks
                I have had the same experience with the use of inline mode on LAN (igb0) and no immediate problems with inline mode on WAN, but have had some moderate problems with using inline mode on the VLANs themselves with what I think has been occasional loss of connectivity.

                The one thing I can't figure out is how to remove VLAN_HWFILTER from igb0, as I am repeatedly seeing messages like:

                096.746948 [4034] netmap_transmit igb0.# full hwcur 777 hwtail 895 qlen 905

                This occurs in spite of disabling flow control, normal MTU = 1500, and not having settings such as vlanhwtso when checking ifconfig.

                When I attempt ifconfig igb0 -VLAN_HWFILTER from the command line as suggested when setting up Snort, I get a message indicating “bad value”.

                What am I doing wrong with the setup?

                Thanks!

                • bmeeks @PabloAbonia

                  @pabloabonia said in Snort on LAN stops all VLAN traffic:

                  @bmeeks
                  I have had the same experience with the use of inline mode on LAN (igb0) and no immediate problems with inline mode on WAN, but have had some moderate problems with using inline mode on the VLANs themselves with what I think has been occasional loss of connectivity.

                  The one thing I can't figure out is how to remove VLAN_HWFILTER from igb0, as I am repeatedly seeing messages like:

                  096.746948 [4034] netmap_transmit igb0.# full hwcur 777 hwtail 895 qlen 905

                  This occurs in spite of disabling flow control, normal MTU = 1500, and not having settings such as vlanhwtso when checking ifconfig.

                  When I attempt ifconfig igb0 -VLAN_HWFILTER from the command line as suggested when setting up Snort, I get a message indicating “bad value”.

                  What am I doing wrong with the setup?

                  Thanks!

                  I don't think you are doing anything wrong. My opinion is that FreeBSD-12's change to the iflib wrapper for NIC drivers has introduced weirdness with the netmap device. Also note that netmap and VLANs are, generally speaking, fundamentally incompatible with each other. So if you are using VLANs, you are going to want those interfaces in Legacy Mode and not Inline IPS Mode.

                  Your most expedient resolution is to either switch to Legacy Mode Blocking, or move over to Suricata and use its "Block on DROPs Only" option. But just be aware Suricata does not have the OpenAppID functionality, if that is important to you.

                  • PabloAbonia

                    Just to verify before changing back to LAN with legacy mode. You don't feel that disabling VLAN_HWFILTER as suggested by the message below would help? I am not certain whether this setting refers to hardware-level VLAN filtering; it may actually refer to frame filtering as noted in the ifconfig man page.

                    "NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards. Follow the steps in the Netgate documentation here to disable hardware VLAN filtering."

                    This message shows up every time I make a change to a Snort interface.

                    My ifconfig igb0 yields the following settings:
                    <VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>

                    Thanks!

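As an added example (not from the thread, and not pfSense or Snort package code), a small shell script that runs the two checks this exchange turns on, against constructed text so it runs anywhere: whether a parent interface's ifconfig capability list still shows VLAN_HWFILTER, and how often netmap has logged its ring-full message for that interface. The interface name igb0 and the shape of the sample lines come from the posts above; `-vlanhwfilter` is the FreeBSD ifconfig(8) keyword for the capability that ifconfig displays as VLAN_HWFILTER.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/Snort. Both checks
# take captured text as input, so on a real box you would feed them the
# output of `ifconfig igb0` and the system log instead of the samples here.

# Constructed ifconfig dump; the capability list is the one quoted in the thread.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e527bb<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>'

# Constructed log lines in the shape of the netmap_transmit message quoted above.
SAMPLE_LOG='096.746948 [4034] netmap_transmit igb0.# full hwcur 777 hwtail 895 qlen 905
097.001203 [4034] netmap_transmit igb0.# full hwcur 780 hwtail 895 qlen 905
098.112000 [4034] netmap_transmit igb1.# full hwcur 12 hwtail 130 qlen 140'

# Print the comma-separated capability list from an ifconfig dump ($1).
if_options() {
    printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p'
}

# Succeed (exit 0) if VLAN_HWFILTER is enabled in the ifconfig dump $1.
has_vlan_hwfilter() {
    if_options "$1" | tr ',' '\n' | grep -qx 'VLAN_HWFILTER'
}

# Build the ifconfig(8) command that clears the capability on interface $1.
# VLAN_HWFILTER is only the display name; the option keyword is vlanhwfilter,
# which is why "ifconfig igb0 -VLAN_HWFILTER" is rejected with "bad value".
disable_cmd() {
    printf 'ifconfig %s -vlanhwfilter\n' "$1"
}

# Count "netmap_transmit <if>.# full" messages for interface $2 in log text $1.
# Each one means netmap's transmit ring for that interface was saturated.
count_ring_full() {
    printf '%s\n' "$1" | grep -c "netmap_transmit $2\.# full"
}

if has_vlan_hwfilter "$SAMPLE_IFCONFIG"; then
    echo "igb0 still has VLAN_HWFILTER enabled; to clear it: $(disable_cmd igb0)"
else
    echo "igb0: VLAN_HWFILTER is off"
fi
echo "igb0 netmap ring-full events: $(count_ring_full "$SAMPLE_LOG" igb0)"
```

A capability cleared with ifconfig at the shell lasts only until the next reboot or interface reconfiguration, so in practice it has to be applied from somewhere that runs again at boot.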
                    • bmeeks @PabloAbonia

                      @pabloabonia said in Snort on LAN stops all VLAN traffic:

                      Just to verify before changing back to LAN with legacy mode. You don't feel that disabling VLAN_HWFILTER as suggested by the message below would help? I am not certain whether this setting refers to hardware-level VLAN filtering; it may actually refer to frame filtering as noted in the ifconfig man page.

                      "NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards. Follow the steps in the Netgate documentation here to disable hardware VLAN filtering."

                      This message shows up every time I make a change to a Snort interface.

                      My ifconfig igb0 yields the following settings:
                      <VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>

                      Thanks!

                      The whole netmap-based inline IPS Mode has been a huge disappointment to me. At first it sounded great, but the implementation of netmap within FreeBSD has been, I will say diplomatically, "difficult to work with" at best. There have been at least three pretty big changes to the netmap device API over the years. Couple that with the move to iflib in FreeBSD-12, and you have a recipe for headaches.

                      Netmap does not work well with VLANs because the VLAN stuff is not passed up to it. Netmap also interferes with things like limiters, traffic shapers and even the basic packet throughput stats. So when you put an interface in netmap mode, you can kill a lot of other core functionality. I had no idea that was the case when I first added netmap compatibility to the Suricata package (and later to Snort).

                      So for users with a totally plain-vanilla pfSense setup with no VLANs, no limiters and no traffic shapers, Inline IPS Mode with Snort or Suricata can work okay. It's not fantastic, but is just okay. If you have VLANs, limiters, or shapers, or if you want things like throughput graphs to work, then Inline IPS Mode and netmap is not going to be a good fit. The more I've investigated reported user issues, the more I've learned about the inherent limitations of the netmap kernel device (at least in FreeBSD).

                      • PabloAbonia @bmeeks

                        @bmeeks
                        Thanks for your insights!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.