    Suricata inline mode with VPN IF produces WAN down symptom [Resolved]

      Preacher22

      Using 2.3.4-RELEASE-p1 (amd64) on bare metal
      Suricata version 3.2.1_2
      Intel PRO/1000 PT Quad Port Server Adapter (82571)  which is present here https://www.freebsd.org/releases/10.3R/hardware.html#ethernet
      Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
      Current: 2700 MHz, Max: 2701 MHz
      4 CPUs: 1 package(s) x 4 core(s)
      Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
      Memory: 64050 MiB

      So I've been troubleshooting this problem casually for a long while, but I'd like to see it resolved at this point, as the metal this appliance runs on was spec'd with inline mode in mind.

      That said, when starting Suricata with an interface configured with inline mode while a VPN interface exists, the WAN IP will change to 0.0.0.0 and multiple services will stop, no traffic passes, and the web portal is extremely slow to respond (30 seconds or so). CPU usage while this is happening is nominal (low), RAM usage is nominal (low), and disk usage, /tmp and /var are all nominal (low).

      For the log file below, Suricata was configured on (but disabled by configuration on) several interfaces including a VPN interface. Only the WAN interface had Suricata enabled, with inline mode enabled, for the problem to manifest. I'm using default or conservative Suricata interface settings for troubleshooting. (Detection engine settings section: 1024, low, auto, auto, 3000, default, default.)

      The issue does not occur in legacy mode.

      Jul 24 22:04:10 kernel: arpresolve: can't allocate llinfo for <wanip> on em0
      Jul 24 22:04:10 check_reload_status: Reloading filter
      Jul 24 22:04:10 kernel: em0: link state changed to UP
      Jul 24 22:04:10 check_reload_status: Linkup starting em0
      Jul 24 22:04:09 php-fpm[43105]: /rc.linkup: DEVD Ethernet detached event for wan
      Jul 24 22:04:08 check_reload_status: Linkup starting em0
      Jul 24 22:04:08 kernel: em0: link state changed to DOWN
      Jul 24 22:04:08 kernel: em0: permanently promiscuous mode enabled
      Jul 24 22:04:08 kernel: 048.421904 [1233] netmap_mem_global_config reconfiguring
      Jul 24 22:04:06 dhcpleases: kqueue error: unkown
      Jul 24 22:04:06 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
      Jul 24 22:04:06 dhcpleases: /var/etc/hosts changed size from original!
      Jul 24 22:04:04 syslogd: kernel boot file is /boot/kernel/kernel

      I'm a troubleshooter monkey by trade so you'll need to be patient/verbose with me while assisting me with this issue, if I may ask.

      Please let me know what additional information I can provide you with to assist in resolving this issue. I would be grateful!

      Thanks very much for your time!!

      Cheers,

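The log excerpt above shows the symptom as a tight sequence: a netmap memory reconfiguration (Suricata opening the WAN interface in inline mode), the interface dropping to DOWN and coming back UP, and the kernel then failing to resolve ARP for the WAN address. The following script is an added example for this thread, not code from Netgate, pfSense or Suricata; it correlates those three events within a time window on the same interface so the inline-mode link flap can be picked out of a pfSense system log, while an ordinary link flap without netmap activity is left alone. The sample log text (modelled on the post's excerpt), the second benign log, the interface names and the 10-second window are constructed assumptions for the example.

```python
"""Flag the inline-mode (netmap) WAN-down symptom in pfSense system logs.

Added example for this forum thread, not Netgate, pfSense or Suricata code.
Correlates a netmap reconfiguration with a link DOWN/UP flap and an
arpresolve failure on the same interface inside a short window.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the post's excerpt (newest line first, as the
# pfSense log viewer shows it). <wanip> stands in for the real WAN address.
SAMPLE_LOG = """\
Jul 24 22:04:10 kernel: arpresolve: can't allocate llinfo for <wanip> on em0
Jul 24 22:04:10 check_reload_status: Reloading filter
Jul 24 22:04:10 kernel: em0: link state changed to UP
Jul 24 22:04:10 check_reload_status: Linkup starting em0
Jul 24 22:04:09 php-fpm[43105]: /rc.linkup: DEVD Ethernet detached event for wan
Jul 24 22:04:08 check_reload_status: Linkup starting em0
Jul 24 22:04:08 kernel: em0: link state changed to DOWN
Jul 24 22:04:08 kernel: em0: permanently promiscuous mode enabled
Jul 24 22:04:08 kernel: 048.421904 [1233] netmap_mem_global_config reconfiguring
Jul 24 22:04:06 dhcpleases: kqueue error: unkown
Jul 24 22:04:06 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Jul 24 22:04:06 dhcpleases: /var/etc/hosts changed size from original!
Jul 24 22:04:04 syslogd: kernel boot file is /boot/kernel/kernel
"""

# Constructed negative case: an ordinary link flap with no netmap activity.
BENIGN_LOG = """\
Jul 25 09:15:03 kernel: em1: link state changed to UP
Jul 25 09:15:01 kernel: em1: link state changed to DOWN
Jul 25 09:15:01 check_reload_status: Linkup starting em1
"""

# BSD syslog prefix: "Mon DD HH:MM:SS program[pid]: message" (no year field).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<prog>[^:]+): (?P<msg>.*)$"
)

# Message classifiers; the 'iface' group captures the interface concerned.
CLASSIFIERS = [
    ("netmap_reconfig", re.compile(r"netmap_mem_global_config reconfiguring")),
    ("promisc", re.compile(r"^(?P<iface>\w+): permanently promiscuous mode enabled")),
    ("link_down", re.compile(r"^(?P<iface>\w+): link state changed to DOWN")),
    ("link_up", re.compile(r"^(?P<iface>\w+): link state changed to UP")),
    ("arp_fail", re.compile(r"^arpresolve: can't allocate llinfo for \S+ on (?P<iface>\w+)")),
]

# All three must follow a netmap reconfiguration on one interface to flag it.
REQUIRED = {"link_down", "link_up", "arp_fail"}


def parse_log(text):
    """Parse syslog lines into dicts with ts, prog, msg, kind and iface."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog-formatted line
        # Syslog omits the year; a fixed leap year keeps Feb 29 parseable.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        kind, iface = "other", None
        for name, pattern in CLASSIFIERS:
            hit = pattern.search(m["msg"])
            if hit:
                kind, iface = name, hit.groupdict().get("iface")
                break
        events.append({"ts": ts, "prog": m["prog"], "msg": m["msg"], "kind": kind, "iface": iface})
    return events


def detect_inline_flaps(text, window=timedelta(seconds=10)):
    """Return one finding per (interface, netmap event) showing the symptom.

    Syslog has one-second resolution, so lines in the same second count as
    simultaneous and their order inside that second is not relied upon.
    """
    events = parse_log(text)
    findings, seen = [], set()
    for trigger in (e for e in events if e["kind"] == "netmap_reconfig"):
        start, end = trigger["ts"], trigger["ts"] + window
        kinds_by_iface = {}
        for e in events:
            if e["iface"] and e["kind"] in REQUIRED and start <= e["ts"] <= end:
                kinds_by_iface.setdefault(e["iface"], set()).add(e["kind"])
        for iface, kinds in kinds_by_iface.items():
            if REQUIRED <= kinds and (iface, start) not in seen:
                seen.add((iface, start))
                findings.append({"iface": iface, "at": start.strftime("%b %d %H:%M:%S"), "kinds": sorted(kinds)})
    return findings


if __name__ == "__main__":
    for f in detect_inline_flaps(SAMPLE_LOG):
        print(f"{f['at']} {f['iface']}: netmap reconfiguration followed by {', '.join(f['kinds'])}")
    print("benign log:", detect_inline_flaps(BENIGN_LOG))
```

Run against a copy of the system log (for example `clog /var/log/system.log` piped into `detect_inline_flaps`) after enabling inline mode on an interface; a finding names the interface and the second in which netmap reconfigured it, which is the point to compare against the VPN interface configuration the thread discusses.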
        Preacher22

        So, I know that Netmap is used with inline mode and it is problematic.

        I have noticed that inline mode appears to work fine with the VPN interface removed. Is this a problem with the NIC (drivers) that can be alleviated with a different NIC? Or is it the case that inline mode (netmap) and a VPN interface simply don't play nice with each other? Any plan to move away from netmap in the works, or some other update which should allow inline mode to work with a VPN interface? (FreeBSD driver compatibility update, Suricata version update, pfSense version update)

        If there's a NIC whose drivers play nice with netmap, I'll just buy the NIC, but some input from the more knowledgeable folks here would be appreciated prior to throwing more money at this problem.

        Thanks in advance for your time!

          Preacher22

          Just an update for anyone who is interested… my hardware has not changed and this issue is now resolved for me on pfSense 2.4.2 / Suricata 4.0.1. I believe it was resolved with 2.4.1, but I was only now able to confirm it.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.