Netgate Discussion Forum

Suricata, Netmap, Realtek

IDS/IPS
6 Posts 4 Posters 2.0k Views
  • U
    usual
    last edited by Feb 28, 2017, 6:56 PM Feb 28, 2017, 6:01 PM

    Does Suricata work with Realtek NICs?

    OPNsense recently made the move to the official Realtek drivers and it is supposed to work.

    Does it work in pfSense? Inline IPS?

    From searching the forum I can't get a clear understanding.

    If anyone knows for sure, I'd appreciate the confirmation one way or the other.

    • U
      usual
      last edited by Mar 1, 2017, 1:01 AM

      I enabled Suricata and ET rules with inline IPS blocking.

      I also enabled Snort registered rules.

      ET rules are triggering so that is great but it doesn't appear to be blocking anything even though the option is checked to block inline.

      No Snort rules have triggered yet.

      Any idea what could be causing it not to block?

      • U
        usual
        last edited by Mar 1, 2017, 2:05 AM

        SUCCESS! I see a rule blocked something.

        Great news. None of the Snort rules seem to trigger but ET appears to be working and blocking.

        I don't see how you unblock or whitelist an IP when using inline IPS blocking though.

        • R
          Redyr Banned
          last edited by Mar 3, 2017, 12:12 PM Mar 3, 2017, 12:05 PM

          It's pretty easy: look in the Alerts tab, and you will have alerts for WAN and for LAN; you can whitelist by IP or by Ruleset. If you hover your mouse pointer over the plus (+) sign, I think, it will show you a description of the action it will take if you click on it, which is whitelist. Try to play with pfSense at home or install it as a VM; after you understand the logic, it's pretty easy.

          Inline mode doesn't permanently block an IP, only legacy mode does that. So there's no need to unblock an IP, only to whitelist the IP, or suppress the rule, if you have issues.

          • J
            johnabbot
            last edited by Mar 3, 2017, 7:46 PM

            I've tried mine, a Realtek RTL8168B, handled by re(4), and it doesn't appear to work on 2.4.

            Does anyone have a recommendation for a card that is working well with inline under 2.4?

            • K
              K
              last edited by K Nov 10, 2018, 9:35 PM Apr 30, 2018, 3:21 PM

              Hey there, I was searching on the forums and the web to see which network adapters support and work with inline mode - netmap.

              I've found these and am not sure if they're fixed in the current version.

              • Inline mode doesn't permanently block an IP, only legacy mode does that.

              • Inline mode breaks traffic shaping, legacy mode doesn't

              • Inline mode breaks VLANs, legacy mode doesn't

              • Inline mode prevents packet leakage, legacy mode doesn't

              Apparently there is only a sub-section of hardware that fully supports Netmap…
              Netmap / FreeBSD has issues with Intel i340, i350/v2, i210, i211, i217, i219, PRO/1000, 82575/82576/82579/82580 and Realtek RTL8168B NICs.

              @bmeeks:

              Netmap compatibility must exist at the software layer where the NIC driver meets the operating system…
              There have been (and probably still are) some issues/bugs in both the FreeBSD implementation of Netmap and in Suricata's use of Netmap.

              I have a Dell 0HM9JY Intel 82576 Gigabit ET quad port NIC (Intel PRO/1000 ET) and have the same error messages:

              
              549.863394 [1071] netmap_grab_packets	bad pkt at 91 len 2164
              549.864619 [1071] netmap_grab_packets	bad pkt at 95 len 2163
              550.034152 [1071] netmap_grab_packets	bad pkt at 197 len 2164
              550.035448 [1071] netmap_grab_packets	bad pkt at 199 len 2164
              
              

              I have also turned off hardware-based checksums, TCP segmentation offloading and LRO (Large Receive Offloading), then rebooted pfSense. The error still persists and it doesn't seem to work properly or as intended.

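A small triage helper for kernel messages like the ones quoted in the post above, added here as an example; it is not part of the original thread and is not pfSense, Suricata or netmap code. It assumes the stock netmap buffer size of 2048 bytes (check `sysctl dev.netmap.buf_size` on your own system); the names `parse_bad_pkts` and `summarize` are hypothetical, and the sample input is constructed from the four quoted lines.

```python
import re
from collections import Counter

# Constructed sample: the four kernel messages quoted in the post above.
SAMPLE = "\n".join([
    "549.863394 [1071] netmap_grab_packets\tbad pkt at 91 len 2164",
    "549.864619 [1071] netmap_grab_packets\tbad pkt at 95 len 2163",
    "550.034152 [1071] netmap_grab_packets\tbad pkt at 197 len 2164",
    "550.035448 [1071] netmap_grab_packets\tbad pkt at 199 len 2164",
])

# Assumption: stock value of sysctl dev.netmap.buf_size; pass your own value
# to summarize() if the system has been tuned.
ASSUMED_BUF_SIZE = 2048

BAD_PKT = re.compile(
    r"(?P<ts>\d+\.\d+)\s+\[\s*\d+\]\s+netmap_grab_packets\s+"
    r"bad pkt at\s+(?P<slot>\d+)\s+len\s+(?P<length>\d+)"
)

def parse_bad_pkts(text):
    """Return (timestamp, ring slot, length) for every 'bad pkt' line."""
    events = []
    for line in text.splitlines():
        m = BAD_PKT.search(line)
        if m:  # unrelated kernel messages are skipped
            events.append((float(m["ts"]), int(m["slot"]), int(m["length"])))
    return events

def summarize(events, buf_size=ASSUMED_BUF_SIZE):
    """Group rejected slots by length and count those above buf_size."""
    lengths = Counter(length for _, _, length in events)
    return {
        "count": len(events),
        "slots": sorted({slot for _, slot, _ in events}),
        "lengths": dict(lengths),
        # Slots whose reported length exceeds one (assumed) netmap buffer.
        "oversize": sum(n for length, n in lengths.items() if length > buf_size),
        "max_excess": max((l - buf_size for l in lengths), default=0),
    }

if __name__ == "__main__":
    # On a live system, feed the output of `dmesg` instead of SAMPLE.
    print(summarize(parse_bad_pkts(SAMPLE)))
```
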