Suricata Inline and VLANs



  • I have 2.3 running behind my main router, and the pfSense WAN is on a /30 network on one of its ethernet ports.

    pfSense hosts a number of networks segregated by VLANs and each runs a DHCP server.

    My wireless access points come through the main router and therefore enter via the pfSense WAN.

    I run Inline mode on the WAN port and the wireless clients receive addresses.

    When, in addition, I run Inline on the LAN port which carries the VLANs, the clients on the VLANs no longer get addresses.

    When I disable Suricata on the LAN then it all works again.

    I think this is because the Inline mode is stripping VLAN tags and therefore the packets are not arriving at the DHCP server?

    Is this expected behaviour?



  • As I've mentioned before, inline mode uses the relatively new netmap API.  This API lets programs establish pipes between the network card driver layer and the rest of the system.  All packets coming and going to the NIC driver must pass through the netmap pipe.  This is a high-speed pipe.  The technology is still new, though, and it appears to interfere with and/or break some other older native processes.  I don't really know why or how since I'm not a kernel-level developer.  I do know users say traffic shaping is broken when inline mode is enabled (meaning netmap is in use).  You are reporting issues with VLANs.  Since turning off Suricata when in inline mode cures your VLAN problem, that would strongly suggest an unfavorable reaction to netmap is going on there as well.

    I know this is likely not the sort of answer you would hope for.  I wish I had a quick and handy solution, but I don't at the moment.  For the short term as these various netmap inconsistencies are researched and fixed, you could run Suricata in the legacy blocking mode on interfaces where inline mode is giving troubles.

    Bill



  • Had the same issue; it seems that disabling VLAN_HWTAGGING on the interface that Suricata is watching solves this issue.

    ifconfig em0 -vlanhwtag

    No idea how to make it permanent though.



  • I have a very similar issue, but no (obvious) relation to VLANs for me.
    When Suricata runs in inline IPS mode on the LAN interface, DHCP clients on that segment do not get DHCP leases anymore. For other (e.g. opt1) interfaces it is still working (with Suricata in between).
    No VLAN tagging active.
    I also cannot find any drop/block logs anywhere so far which would explain the behaviour.
    Any ideas?
    TIA
    udo.



  • @fmu:

    I have a very similar issue, but no (obvious) relation to VLANs for me.
    When Suricata runs in inline IPS mode on the LAN interface, DHCP clients on that segment do not get DHCP leases anymore. For other (e.g. opt1) interfaces it is still working (with Suricata in between).
    No VLAN tagging active.
    I also cannot find any drop/block logs anywhere so far which would explain the behaviour.
    Any ideas?
    TIA
    udo.

    If Suricata drops a packet while operating with Inline Mode, then you will see the alert on the ALERTS tab highlighted in red text. If you don't see anything there, then Suricata likely did not drop the packet.

    Inline Mode does not like shapers nor VLANs, in addition to being picky about supported NICs. All of this is due to the reliance on Netmap to implement the high speed pipeline between the NIC and the rest of the system.

    Bill



  • @bmeeks:

    Inline Mode does not like shapers nor VLANs, in addition to being picky about supported NICs. All of this is due to the reliance on Netmap to implement the high speed pipeline between the NIC and the rest of the system.
    Bill

    I wish these kinds of caveats were more easily listed somewhere. I was all set to go for Suricata(inline) but this is a show-stopper. Is there a resource I can look up these kinds of features & limitations?



  • @moikerz:

    @bmeeks:

    Inline Mode does not like shapers nor VLANs, in addition to being picky about supported NICs. All of this is due to the reliance on Netmap to implement the high speed pipeline between the NIC and the rest of the system.
    Bill

    I wish these kinds of caveats were more easily listed somewhere. I was all set to go for Suricata(inline) but this is a show-stopper. Is there a resource I can look up these kinds of features & limitations?

    It is mentioned in a number of threads in this IDS/IPS sub-forum.  The pfSense developers have a long-range plan to fix some of the issues.  There is a ticket in Redmine about shapers and Netmap I think.  Some of the problems are NIC driver related and thus fall back to FreeBSD upstream to address.  I think some of the shaper and VLAN stuff might be related to kernel patches in pfSense, but I'm not an expert in that area and could be wrong on that one.

    Bill



  • I think you just need a sticky thread, bmeeks ;)

    Just voicing a small frustration that after figuring out the benefits of Suricata (having been using Snort), and then having stumbled across the VLAN incompatibility almost by chance, putting the brakes on Inline configuration. All good other than that. I appreciate that you're actively responding in this forum!



  • @Gemnon:

    ifconfig em0 -vlanhwtag

    With the "shellcmd" package it is possible to apply it at every boot.

    I use the standard "shellcmd" type and it is working perfectly.

    Thanks to Gemnon
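Added example, not from any poster in this thread: a small POSIX sh script that checks whether an interface still has VLAN_HWTAGGING enabled (the setting Gemnon's `ifconfig em0 -vlanhwtag` turns off) and emits the fix command only when needed, so it can be dropped into a shellcmd entry without blindly re-running ifconfig on every interface. It parses the `options=...<...>` line of ifconfig output; the em0/em1 output embedded below is constructed for illustration and the interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Detects VLAN_HWTAGGING in
# FreeBSD/pfSense ifconfig output and prints the command that disables it.
# Interface names and the sample ifconfig output below are constructed.

# Returns 0 if the options=<...> line in the given ifconfig output lists
# VLAN_HWTAGGING, 1 otherwise. Matching inside the <...> capability list
# avoids false hits on similar names such as VLAN_HWTSO.
has_vlanhwtag() {
    printf '%s\n' "$1" | grep -q 'options=[0-9a-fx]*<[^>]*VLAN_HWTAGGING[^>]*>'
}

# Given an interface name and its ifconfig output, print the ifconfig
# command needed to turn hardware tagging off; print nothing if already off.
fix_command() {
    iface="$1"
    output="$2"
    if has_vlanhwtag "$output"; then
        echo "ifconfig $iface -vlanhwtag"
    fi
}

# Live variant for a real pfSense box (assumed interface name passed in):
# prints the command, or nothing; pipe into sh to apply it, e.g. from shellcmd.
check_live() {
    iface="$1"
    fix_command "$iface" "$(ifconfig "$iface" 2>/dev/null)"
}

# Constructed sample output: em0 still has hardware tagging on, em1 has it off.
SAMPLE_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:11:22:33:44:55'
SAMPLE_EM1='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4218b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:11:22:33:44:66'

# Demonstration on the constructed samples (no ifconfig call needed):
fix_command em0 "$SAMPLE_EM0"
fix_command em1 "$SAMPLE_EM1"
```

On a pfSense host you would call `check_live em0 | sh` (or list each Suricata-monitored interface) from a shellcmd entry; the script only touches interfaces where the capability is actually on, and `check_live` relies on FreeBSD's ifconfig so it does nothing useful on other platforms.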