Suricata inline mode - trunk interface

rlrobs · Dec 11, 2018, 6:04 PM

Suricata inline mode don't work with trunk interface.
After enable trunk interface in suricata, the pfsense interfaces stop responding to any requisition.

Note:

legacy mode run without problem.

Prints:

boobletins · Dec 11, 2018, 5:49 PM

Please provide the output from the following commands (minus any sensitive data):

ifconfig bce1

sysctl -a | grep netmap

sysctl -a | grep bce

sysctl -a | grep msi

cat /var/log/system.log | grep netmap
cat /var/log/system.log | grep sig

Processor type/model, total RAM, avg free RAM.

bmeeks · Dec 11, 2018, 6:04 PM

@rlrobs said in Suricata inline mode - trunk interface:

Suricata inline mode don't work with trunk interface.
After enable trunk interface in suricata, the pfsense interfaces stop responding to any requisition.

You may be running into a known issue where some NIC drivers strip VLAN tags when netmap mode is enabled within the driver. The Inline IPS Mode of Suricata uses netmap. Not all NIC drivers currently do this, but some apparently do.

The user @boobletins has become our resident expert on netmap and Suricata. Provide him the information he requested and see if he can help find the root cause of your issue.

rlrobs · Dec 12, 2018, 5:24 PM

Sorry for the delay, but I'm recreating my lab to retake the tests.

rlrobs · Dec 12, 2018, 8:57 PM

I'm sorry @boobletins , but I can't post direct here.

"Error: Post content was flagged as spam by Akismet.com"

Follow pastbin for command results:

https://pastebin.com/ewcU0t14

boobletins · Dec 12, 2018, 9:11 PM

I'm confused.

Are you enabling netmap on a bce, bge, or em interface?

Dec 12 15:08:27 pfSense kernel: em0: netmap queues/slots: TX 1/1024, RX 1/1024

You gave an ifconfig command for a QLogic (bce) card, but show the output from a bge Broadcom card.

You have em in your system.log output. The em seems to be the only one trying to run netmap? Is that correct?

Are these virtual nics? If so, can you use e1000 virtual nics?

rlrobs · Dec 12, 2018, 9:20 PM

The lab was changed to another fisical server. The new server run bge interface. Sorry.

I have configured inline suricata on multiple interfaces, but it is only active on bge1. In em0 it is disabled.

boobletins · Dec 12, 2018, 9:25 PM

@rlrobs

netmap lists supported devices here.

You can see that on FreeBSD the bge driver is not supported.

The em driver should work with netmap natively assuming there's no incompatibility in the VM.

If you need inline mode with bge then you will need to run netmap in emulated mode as described in the link above:

Emulation is also available for devices with native netmap support, whichcan be used for testing or performance comparison. The sysctl variable dev.netmap.admode globally controls how netmap mode is implemented.

But you should know that if you put netmap in emulated mode to make it work on bge, then it will also be running in emulated mode for the em card.

Also: what version of FreeBSD/pfSense are you running?

rlrobs · Dec 12, 2018, 9:45 PM

@boobletins said in Suricata inline mode - trunk interface:

ou can see that on FreeBSD the bge driver is not supported.
The em driver should work with netmap natively assuming there's no incompatibility in the VM.
If you need inline mode with bge then you will need to run netmap in emulated mode as described in the link above:

Emulation is also available for devices with native netmap support, whichcan be used for testing or performance comparison. The sysctl variable dev.netmap.admode globally controls how netmap mode is implemented.

But you should know that if you put netmap in emulated mode to make it work on bge, then it will also be running in emulated mode for the em card.
Also: what version of FreeBSD/pfSense are you running?

Pfsense 2.4.4_p1

I will try intel nic.

thank's