Suricata Inline Mode Problem
-
Enabling Suricata inline mode stops all WAN traffic. It usually happens within a couple minutes of restarting suricata in inline mode. It's a Protectli 4 port. 2.3.2-RELEASE-p1 (amd64). pfBlockerNG and APCUPSD are the only other packages installed. All packages show as current. All network hardware offloading is disabled. Wan interface is em0.
I've tried the following one at a time. The result is always total loss of internet until I change it back to legacy. I don't see any errors in the suricata log, firewall log, or general log.
- Disable all Suricata rules (un-select all WAN categories)
- Disabling pfBlockerNG
- Changing pfBlockerNG to floating rules
- Change max pending packets up and down
- Change Detect-Engine Profile
- Turned on/off Suricata pass list
- Changed Detect-Engine Profile
- Mucking with automatic SID management
Legacy mode seems to work fine. pfSense is otherwise performing well. Note that this is my first experience with pfSense and my background is a windows admin. My environment is running SMTP, HTTPS and OpenVPN.
-
We had terrible issues running Suricata inline until we changed our network card. We started with Intel X710 cards, but had to change to X520 cards. Now Suricata runs inline just fine. Not sure this is an option with the Protectli equipment, but hardware made the difference for us. Suricata just didn't work, at all, until the hardware change.
-
Inline mode with Suricata depends upon Netmap. Netmap only works with certain network hardware. That compatible hardware list has slowly been growing, but there are still loads of cards not yet supported. I don't know which network cards (and thus drivers) are or are not supported, but you should be able to find some hits on Google searching for "Netmap supported drivers" or something similar.
Bill
-
Thanks for the responses. The NICs are built into the board so I can't change them
The problem persists with Suricata 3.0_12. I'll keep poking at it.
-
Inline mode with Suricata depends upon Netmap. Netmap only works with certain network hardware. That compatible hardware list has slowly been growing, but there are still loads of cards not yet supported. I don't know which network cards (and thus drivers) are or are not supported, but you should be able to find some hits on Google searching for "Netmap supported drivers" or something similar.
Bill
Bill - I haven't found anything specific related to Netmap support for my NICs (4x Intel 82583V). I'll keep digging. Thanks again for the reply.
em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
vendor = 'Intel Corporation'
device = '82583V Gigabit Network Connection'
class = network
subclass = ethernet
em1@pci0:2:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
vendor = 'Intel Corporation'
device = '82583V Gigabit Network Connection'
class = network
subclass = ethernet
em2@pci0:3:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
vendor = 'Intel Corporation'
device = '82583V Gigabit Network Connection'
class = network
subclass = ethernet
em3@pci0:4:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00
vendor = 'Intel Corporation'
device = '82583V Gigabit Network Connection'
class = network
subclass = ethernet
-
Not surprising. The latest 3.0_12 package just has two minor bug fixes within the GUI itself. The underlying Suricata binary is unchanged and remains at 3.1.2.
Netmap support will make it into more and more NIC drivers, but it will take a little time.
Bill
