Suricata enabled = WAN connection disabled

  • 2.3.1-RELEASE-p5 (amd64)
    built on Thu Jun 16 12:53:15 CDT 2016
    FreeBSD 10.3-RELEASE-p3
    suricata 3.0_7

    Fresh install of Suricata - never before on this build.  As soon as I enable checking on the WAN interface, it completely drops my WAN connection to my ISP.  Nothing logged in the "Alerts" (drop) tab.  Disabling and rebooting re-establishes the WAN interface.

    Hardware is a Supermicro SuperServer 5015A-EHF-D525 using the "em" drivers.

    When Suricata is enabled the UI of pfSense runs like cold molasses - very slow to navigate between the menus.

    Ideas?

    Thanks.



  • The current version is broken.  We're waiting for the freebsd package folks to release the newest version.



  • @Tantamount:

    The current version is broken.  We're waiting for the freebsd package folks to release the newest version.

    Thank you for the info.



  • You didn't say in the original post, but were you using Legacy Mode blocking or the new Inline IPS mode?

    The Inline IPS mode is problematic on some hardware because of some bugs in the Netmap layer.  Some users have inline IPS running OK, but some have issues just like yours.  There are some Netmap fixes in the next Suricata version that we are waiting on the FreeBSD ports maintainer to post to the FreeBSD ports tree.

    So far as I know, Legacy Mode blocking still works for anyone on any hardware that pfSense will run on.

    Bill



  • I have a similar issue and do not want to open a new topic for it, if this is the reason.

    Here Suricata on an interface (with VLANs) in Inline mode kills VLAN traffic completely (while untagged traffic seemed to be filtered by Suricata); wondering if the reason is the same, or completely different.



  • @Gemnon:

    I have a similar issue and do not want to open a new topic for it, if this is the reason.

    Here Suricata on an interface (with VLANs) in Inline mode kills VLAN traffic completely (while untagged traffic seemed to be filtered by Suricata); wondering if the reason is the same, or completely different.

    I would guess it is related.  There were several bug fixes made in the Netmap module in Suricata, and some were for FreeBSD specifically.  You can search the Suricata redmine bug site at https://redmine.openinfosecfoundation.org/projects/suricata to see what was fixed and what is still open.

    Netmap and inline mode are new for Suricata, FreeBSD and pfSense.  There will be some bumps in the road as the technology is ironed out.

    Bill



  • Sorry - it's been a while since I checked on this thread.

    I was using Inline IPS mode via the em drivers.

    I can try the legacy mode tonight.  Thanks!