Netgate Discussion Forum
    Suricata IDS/IPS (Inline Mode / Netmap / Error Messages)

    K:

      Hi all, I'm testing my NIC compatibility with inline mode / netmap. After a few tests I ran into problems and am receiving all sorts of error messages under different controls of native and emulated adapter mode via the "dev.netmap.admode" system tunable.

      I have a PCI-e network adapter installed, a "Dell 0HM9JY Intel® 82576 Gigabit ET quad port NIC (Intel PRO/1000 ET)", and I'm having issues with Suricata IDS/IPS while using "inline mode", which utilises netmap. pfSense is running as a guest VM and I have another guest VM running a Windows OS as a client (to trigger alerts); my host VM is running on a Windows OS (I'm just testing inline mode before deploying it).

      On my pfSense guest VM I have two network adapters: WAN is bridged and LAN is on a 'LAN Segment'. The other guest VM, on a Windows OS, has a single adapter connected to the 'LAN Segment'.

      On pfSense I have turned off 'hardware-based checksums', 'TCP segmentation offloading' and 'large receive off-loading', and I've created and selected 'dropsid.conf' in the drop SID list.

      I receive different error messages when I change the "dev.netmap.admode" system tunable and reboot pfSense, as shown in the images below:

      dev.netmap.admode=0 [screenshot]

      dev.netmap.admode=1 [screenshot]

      dev.netmap.admode=2 [screenshot]
      I read that when you increase "dev.netmap.buf_size" from 2048 to 4096 pfSense stops receiving those error messages, although I'm not sure if that would break something else while fixing another thing.

      I don't know how to get inline mode working properly with the NIC I have on a VM (VMware).

      After looking through the forums and a bit of googling, it seems like others are also having similar issues using Suricata in inline mode. They use the following network adapters:
      Intel i340, i350/v2, i210, i211, i217, i219, PRO/1000, 82575/82576/82579/82580 and Realtek RTL8168B.

      I also read that PRO/10GbE adapters work with inline netmap but have a massive throughput decrease.

      edit #1: I have modified the guest VM (pfSense) and increased the RAM from 2048 to 6144. I've added the following tunables:
      dev.netmap.admode=0
      dev.netmap.buf_size=4096

      Now I'm getting the following messages on pfSense:

      [screenshot]
      edit #2: I found a pattern on the client causing the error messages on pfSense. I'm still using inline mode, and I was able to replicate the errors by doing a few speed tests via speedtest.net.
      Tunables are still set to:
      dev.netmap.admode=0
      dev.netmap.buf_size=4096

      The error messages I receive on pfSense:

      WAN Alerts [screenshot]

      LAN Alerts [screenshot]

      NollipfSense:

        The only issue I have had is the netmap_grab_packets one, and the only adjustment I have done is the potential solution that you have read, which has been running smoothly except for the one encounter mentioned. Of course, mine wasn't a VM. I will update my thread later this week. I would not mess with dev.netmap.admode nor try to "tune" the NIC… I have found that the tuning only made things worse. Be also sure to disable the items recommended in System > Advanced > Networking.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

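Added example, not code from either poster: a small POSIX shell helper that checks the two things this thread keeps coming back to before trusting Suricata inline (netmap) mode on pfSense/FreeBSD: whether checksum/TSO/LRO offloads are actually off on the capture interface, and what dev.netmap.admode and dev.netmap.buf_size are currently set to. The interface name igb0 and the sample ifconfig/sysctl output are constructed.

```shell
#!/bin/sh
# Added example, not the posters' own code: checks the prerequisites the thread turns on
# for Suricata inline (netmap) mode on pfSense/FreeBSD. Interface name and the sample
# ifconfig/sysctl output are constructed.

# Offload features netmap inline mode needs turned off on the capture interface.
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO"

# enabled_offloads IFCONFIG_OUTPUT: prints each flag from OFFLOAD_FLAGS that still
# appears in the options=<...> line of `ifconfig <if>`, one per line.
enabled_offloads() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    for f in $OFFLOAD_FLAGS; do
        case ",$opts," in
            *",$f,"*) printf '%s\n' "$f" ;;
        esac
    done
}

# tunable_value SYSCTL_OUTPUT NAME: extracts NAME's value from "name: value" lines.
tunable_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# report IFACE IFCONFIG_OUTPUT SYSCTL_OUTPUT: prints findings, returns 1 if any
# offload is still on (the condition the posters had to fix before netmap worked).
report() {
    bad=$(enabled_offloads "$2")
    printf 'dev.netmap.admode=%s dev.netmap.buf_size=%s\n' \
        "$(tunable_value "$3" dev.netmap.admode)" "$(tunable_value "$3" dev.netmap.buf_size)"
    if [ -n "$bad" ]; then
        # On FreeBSD the manual fix is `ifconfig IFACE -rxcsum -txcsum -tso -lro`; on
        # pfSense use System > Advanced > Networking so it persists across reboots.
        printf '%s: offloads still enabled: %s\n' "$1" "$(printf '%s ' $bad)"
        return 1
    fi
    printf '%s: checksum/TSO/LRO offloads disabled\n' "$1"
}

# Constructed sample in the shape of real ifconfig(8) / sysctl(8) output.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e507bb<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,LRO,VLAN_HWFILTER>
        ether 00:00:00:00:00:01'
SAMPLE_SYSCTL='dev.netmap.admode: 0
dev.netmap.buf_size: 4096'

# Run against the sample; on a pfSense box replace the samples with
# "$(ifconfig igb0)" and "$(sysctl dev.netmap.admode dev.netmap.buf_size)".
report igb0 "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL" || true
```

With the sample the report flags TSO4 and LRO as still enabled, which is the state the first poster had to clear through the GUI checkboxes before netmap mode behaved.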