Suricata IDS/IPS (Inline Mode / Netmap / Error Messages)

  • Hi all, I'm testing my NIC compatibility with inline mode / netmap. After a few tests I ran into problems and am receiving all sorts of error messages under different settings of native and emulated adapter mode via the "dev.netmap.admode" system tunable.

    I have a PCI-e network adapter installed, a "Dell 0HM9JY Intel® 82576 Gigabit ET quad port NIC (Intel PRO/1000 ET)", and I'm having issues with Suricata IDS/IPS while using "inline mode", which utilises netmap. pfsense is running as a guest VM, and I have another guest VM running Windows OS as a client (to trigger alerts); my host is running on a Windows OS (I'm just testing inline mode before deploying it).

    On my guest VM pfsense I have two network adapters - WAN is bridged and LAN is on a 'LAN Segment', the other guest VM on Windows OS has a single adapter connected to the 'LAN Segment'.

    On pfsense I have turned off 'hardware-based checksums', 'TCP segmentation offloading' and 'large receive off-loading', and I've created and selected 'dropsid.conf' in the drop SID list.

    I receive different error messages when I change the "dev.netmap.admode" system tunable and reboot pfsense, as shown in the images below:

    I read that when you increase "dev.netmap.buf_size" from 2048 to 4096 pfsense stops receiving those error messages, although I'm not sure if that would break something else while fixing another thing.

    I don't know how to get inline-mode working properly with the NIC I have on a VM (vmware).

    After looking through the forums and a bit of googling, it seems like others are also running into similar issues using Suricata in inline mode; they use the following network adapters:
    Intel i340, i350/v2, i210, i211, i217, i219, PRO/1000, 82575/82576/82579/82580 and Realtek RTL8168B.

    I also read that PRO/10GbE adapters work with inline netmap but have a massive throughput decrease.

    edit #1: I have modified the guest VM (pfsense) and increased the RAM from 2048 to 6144, and I've added the following tunables:

    Now I'm getting the following messages on pfsense:

    edit #2: I found a pattern on the client causing the error messages on pfsense. I'm still using inline mode, and I was able to replicate the errors by doing a few speed tests via
    Tunables are still set to:

    The error messages I receive on pfsense:

    WAN Alerts

    LAN Alerts

  • The only issue I have had is the netmap_grab_packets one, and the only adjustment I have done is the potential solution that you have read, which has been running smoothly except for the one encounter mentioned. Of course, mine wasn't a VM. I will update my thread later this week. I would not mess with dev.netmap.admode nor try to "tune" the NIC… I have found that the tuning only made things worse. Also be sure to disable the items recommended in System > Advanced > Networking.
