NICs with Suricata Inline mode



  • Can we please post in this thread the NIC make and model of users who successfully have Suricata Inline working without any errors?
    Also post any tunables, if used, associated with that NIC as well.

    Thanks, this thread will be a great help to all of us.



  • None. Do not use inline mode.



  • I guess ntct is correct. The overwhelming response shows it. I guess no one has it working without errors. I am turning Inline off.
    pfSense is not a completely effective firewall solution without inline working. Attacks have full access until the Snort table gets around to denying the offending IP.



  • @whizzy:

    I guess ntct is correct. The overwhelming response shows it. I guess no one has it working without errors. I am turning Inline off.
    pfSense is not a completely effective firewall solution without inline working. Attacks have full access until the Snort table gets around to denying the offending IP.

    While technically that's true, in practice Snort's or even Suricata's legacy mode blocking is sufficient for most threats.  If you have the "kill states" option enabled (and it's enabled by default), then as soon as Suricata or Snort makes a decision on the packet the traffic is blocked.

    Inline mode uses the new Netmap technology, as has been mentioned many times.  That technology is still having growing pains because it is so closely intertwined with the NIC driver.

    Bill



  • Which comes around to my initial post question. What NICs have users had success with? My only conclusion is that no one is posting because no one really uses inline, because it is too 'buggy'.

    I will post here that netmap has issues with Intel i340, i350, i211, i217, i219 and Pro1000 NICs, which just about covers all Intel NICs. Never tested Realtek.

    Now, a point I must make here is that these NICs were tested on a high-traffic interface. When I use them on a low-traffic interface, I do not see any netmap issues.



  • @whizzy:

    Now, a point I must make here is that these NICs were tested on a high-traffic interface. When I use them on a low-traffic interface, I do not see any netmap issues.

    This would be a good point to highlight in a Redmine bug report posting for pfSense.  The sensitivity to traffic loading might be a valuable clue for a FreeBSD or pfSense kernel developer.  Please consider posting a bug report on the pfSense Redmine site here:  https://redmine.pfsense.org/projects/pfsense.

    I don't currently use Suricata, and thus not Inline IPS Mode.  My home connection is also probably much too slow and has much too little traffic to make the issues with Netmap surface.

    Bill



  • I posted to Redmine. I will see what kind of answers I get.