2.4 Suricata inline nic recommendation



  • Hi all,

    I'm looking for a recommendation on a NIC (probably Intel) that is working under 2.4 for Suricata in inline mode.

    4 port preferably, 2 port at a pinch.

    Best regards

    Jon


  • Banned

    Unfortunately intel NICs do not work for inline mode right now (I don't know if they will in the near future).
    EDIT: it looks like PRO/1000's are now supported.

    Right now I believe only Broadcom works, it has to do with nmap. And I believe that even with Broadcom it breaks QoS if you use that.

    From what I've read inline mode only works in fringe cases as of right now. For the vast majority of users legacy mode is the only option.

    Hopefully EDIT: all intel NICs are supported for inline mode in the future as pretty much everyone uses intel or chelsio NICs (or probably should).

    As far as Intel NICs go though, i340s are great and can be had for cheap used or as Chinese knockoffs (that are reported to work great).
    i350v2s are newer, more expensive and use a smidgen more power. They have Ethernet power management and SR-IOV. If you don't need those then you're probably better off with an i340.



  • Thanks for this information. Very useful.

    Is this the case with 2.3.3 as well do you know?


  • Banned

    I did a little more reading on it as I use suricata and am interested in inline mode myself.

    It looks like there is some more support now (it was never a lack of support from pfSense, it's just whether or not the NIC drivers support netmap). I tried a few months ago and it immediately crashed my system (I use Intel PRO/1000 dual NIC).

    It looks like PRO/1000 (integrated & PCIe) and Intel 10GbE are now natively supporting netmap in FreeBSD.
    There is also a comment from FreeBSD that NICs not natively supported can still use netmap but with lower performance; I don't know how that translates to Suricata inline though.

    NICs without native support can still be used in netmap mode through emulation. Performance is inferior to native netmap mode but still significantly higher than sockets, and approaching that of in-kernel solutions such as Linux's pktgen.

    Here's some of the new (to me) info that I found, I hope it's helpful:

    @bmeeks:

    Oh…and the crashing problem is almost certainly due to issues with specific NIC drivers and netmap.  It is also true that the first couple of releases of Suricata with the netmap inline mode had some internal problems on FreeBSD.  The folks on the Suricata side worked those out in subsequent releases.  One or more of those bugs could be biting you if you are using the 3.0.x Suricata binary.  The 3.1.2 version of Suricata (that's the binary version) that is available with the pfSense 2.4-BETA snapshots has all of those netmap fixes.

    @jwt:

    suricata 3.1.2 is now available on pfSense 2.3.2.

    @bmeeks:

    The new Suricata 3.0 package with Netmap inline IPS mode is now available for use with pfSense 2.3-BETA.  The package contains the latest Suricata 3.0 binary.  See this preview thread for general information about the new mode and some of the caveats – https://forum.pfsense.org/index.php?topic=108010.0.

    In order to use the new inline IPS mode you must have a network card driver that supports Netmap on FreeBSD.  Several of the popular drivers are currently supported.  Here is a link originally provided by user @mais_um in the pfSense 2.3-BETA sub-forum:  https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES.

    Once you verify your firewall contains a supported NIC driver on the interface you want to operate with inline IPS mode, then you need to make a change under System > Advanced > Networking and check the boxes to disable the following:

    • Hardware Checksum Offloading

    • Hardware TCP Segmentation Offloading

    • Hardware Large Receive Offloading

    So it looks like 2.3 should have current netmap support, I don't know if 2.4 BETA is any better? I'll try out inline on my 2.4.0 BETA system with dual PRO/1000 again and report back.

    I still want to suggest buying the best overall NIC and using legacy mode until your NIC is supported though. I say this because if you are OK with buying an eBay used/Chinese NIC, then the price difference between an i340-t4 and a quad port PRO/1000 can be as little as $5. The i340 supports quite a few features that the PRO/1000 does not, but most importantly the PRO/1000 can suck down more power than modern quad-core CPUs. Assuming $0.12/kWh on a 24 hour system, you could save up to $8/yr in electricity just by using an i340 over a PRO/1000.

    Obviously $8/yr is insignificant, but that combined with the fact that the i340 is the better piece of hardware for only $5 more makes it a pretty easy buy.

    But if you need inline now, then it looks like PRO/1000 is the way to go unless you want 10GbE.

    https://ark.intel.com/compare/50495,49186,84805

    http://www.ebay.com/itm/Intel-Pro-1000-PT-Quad-Port-Server-Adapter-LP-PCIe-Full-Height-CPU-D61407-B-/292009229927?hash=item43fd1b3e67:g:fEoAAOSwLEtYf9k-

    http://www.ebay.com/itm/IBM-Intel-i340-T4-Quad-Port-PCI-e-Gigabit-Ethernet-Server-Adapter-94Y5167-FH-/381994475728?hash=item58f0a520d0:g:3K8AAOSw~AVYvxyc
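    The quoted checklist above (a netmap-capable driver, then the three offload checkboxes under System > Advanced > Networking) can be verified from the shell before switching Suricata to inline mode. The script below is an added example, not code from this thread, from pfSense or from the Suricata package: it parses the `options=<...>` line of FreeBSD `ifconfig` output and reports which offload flags are still enabled. The mapping it assumes is the standard FreeBSD one: the checksum checkbox corresponds to RXCSUM/TXCSUM (and their _IPV6 variants), TCP segmentation to TSO4/TSO6, and large receive to LRO. The two ifconfig outputs embedded in it are constructed samples so it runs offline; on a real firewall you would feed it `ifconfig em0` (or whichever interface Suricata will sit on).

```shell
#!/bin/sh
# Added example (not from the thread): report hardware offloads that must be
# disabled before running Suricata inline (netmap) on a FreeBSD/pfSense NIC.
# Flag names are the FreeBSD ifconfig option names; the grouping mirrors the
# three pfSense checkboxes:
#   Hardware Checksum Offloading        -> RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6
#   Hardware TCP Segmentation Offloading -> TSO4 TSO6
#   Hardware Large Receive Offloading   -> LRO
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO"

# Pull the comma-separated flag list out of the first "options=HEX<...>" line.
# Usage: extract_options "<ifconfig output>"
extract_options() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fx]*<\([^>]*\)>.*/\1/p' \
        | head -n 1
}

# Print the offload flags still enabled (space separated, in OFFLOAD_FLAGS
# order). Returns 0 when the interface is clean, 1 when anything remains.
# Usage: remaining_offloads "<ifconfig output>"
remaining_offloads() {
    opts=$(extract_options "$1")
    found=""
    for flag in $OFFLOAD_FLAGS; do
        # Wrap in commas so "TSO4" does not match inside another flag name.
        case ",$opts," in
            *",$flag,"*) found="${found:+$found }$flag" ;;
        esac
    done
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# Constructed sample: a PRO/1000 (em) interface before the checkboxes are set.
SAMPLE_BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO>
	ether 00:00:5e:00:53:01'

# Constructed sample: the same interface after checksum/TSO/LRO are disabled.
SAMPLE_AFTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=18<VLAN_MTU,VLAN_HWTAGGING>
	ether 00:00:5e:00:53:01'

# Stand-alone run: on a live box replace the samples with "$(ifconfig em0)".
for label in BEFORE AFTER; do
    eval "sample=\$SAMPLE_$label"
    if left=$(remaining_offloads "$sample"); then
        echo "$label: no hardware offloads enabled, ready for inline mode"
    else
        echo "$label: disable these offloads first: $left"
    fi
done
```

    The check is deliberately read-only: it tells you what the GUI checkboxes still need to change, rather than changing it, so the running configuration stays under pfSense's control. It does not tell you whether the driver itself has native netmap support; for that, the netmap(4) SUPPORTED DEVICES list linked above remains the reference.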


  • Banned

    I tried Inline mode again, unfortunately it is still not working for me (PRO/1000 PT dual port and 2.4.0 Beta).

    I disabled hardware checksum, TCP segmentation, and large receive offloading first, then switched Suricata to inline mode. It immediately took all of my gateways down.

    Initially I was unable to access the webconfigurator or SSH. I manually rebooted the system and was able to access the webconfigurator, but all gateways were still down. Switched back to legacy mode and all was back to normal.

    I don't know what the issue is but it looks like suricata inline may still not be ready to go for most users (at least not me). Hopefully someone else can chime in and prove me wrong. I went ahead and ordered one of those IBM i340-t4 server pulls I linked though so I'll be waiting until that is supported (if ever) before I try inline mode again.



  • My card is supposed to be supported as well; however, it didn't alert at all, and the interfaces stayed up fine.


  • Banned

    Interesting, I've seen several posts of people that have inline mode working just fine. I'm sure it will be rock solid in the future, just needs some time.



  • I have an HP NC365T quad NIC and it seems to run in-line Suricata 3.1.2 (WAN only) on pfSense 2.3.3_1 fine. When I was running a speedtest, I did get a Suricata alert "SURICATA STREAM excessive".