Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata inline mode - trunk interface

    IDS/IPS
    3
    9
    848
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rlrobs
      last edited by

      Suricata inline mode don't work with trunk interface.
      After enable trunk interface in suricata, the pfsense interfaces stop responding to any requisition.

      Note:

      • legacy mode run without problem.

      Prints:

      0_1544440428879_interfaces.png

      0_1544440434671_interface-suricata.png

      bmeeksB 1 Reply Last reply Reply Quote 0
      • B
        boobletins
        last edited by

        Please provide the output from the following commands (minus any sensitive data):

        ifconfig bce1

        sysctl -a | grep netmap

        sysctl -a | grep bce

        sysctl -a | grep msi

        cat /var/log/system.log | grep netmap
cat /var/log/system.log | grep sig

        Processor type/model, total RAM, avg free RAM.

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks @rlrobs
          last edited by

          @rlrobs said in Suricata inline mode - trunk interface:

          Suricata inline mode don't work with trunk interface.
          After enable trunk interface in suricata, the pfsense interfaces stop responding to any requisition.

          You may be running into a known issue where some NIC drivers strip VLAN tags when netmap mode is enabled within the driver. The Inline IPS Mode of Suricata uses netmap. Not all NIC drivers currently do this, but some apparently do.

          The user @boobletins has become our resident expert on netmap and Suricata. Provide him the information he requested and see if he can help find the root cause of your issue.

          1 Reply Last reply Reply Quote 0
          • R
            rlrobs
            last edited by

            Sorry for the delay, but I'm recreating my lab to retake the tests.

            1 Reply Last reply Reply Quote 0
            • R
              rlrobs
              last edited by rlrobs

              I'm sorry @boobletins , but I can't post direct here.

              "Error: Post content was flagged as spam by Akismet.com"

              Follow pastbin for command results:

              https://pastebin.com/ewcU0t14

              1 Reply Last reply Reply Quote 0
              • B
                boobletins
                last edited by

                I'm confused.

                Are you enabling netmap on a bce, bge, or em interface?

                Dec 12 15:08:27 pfSense kernel: em0: netmap queues/slots: TX 1/1024, RX 1/1024

                You gave an ifconfig command for a QLogic (bce) card, but show the output from a bge Broadcom card.

                You have em in your system.log output. The em seems to be the only one trying to run netmap? Is that correct?

                Are these virtual nics? If so, can you use e1000 virtual nics?

                1 Reply Last reply Reply Quote 0
                • R
                  rlrobs
                  last edited by

                  The lab was changed to another fisical server. The new server run bge interface. Sorry.

                  I have configured inline suricata on multiple interfaces, but it is only active on bge1. In em0 it is disabled.

                  B 1 Reply Last reply Reply Quote 0
                  • B
                    boobletins @rlrobs
                    last edited by boobletins

                    @rlrobs

                    netmap lists supported devices here.

                    You can see that on FreeBSD the bge driver is not supported.

                    The em driver should work with netmap natively assuming there's no incompatibility in the VM.

                    If you need inline mode with bge then you will need to run netmap in emulated mode as described in the link above:

                    Emulation is also available for devices with native netmap support, whichcan be used for testing or performance comparison. The sysctl variable dev.netmap.admode globally controls how netmap mode is implemented.

                    But you should know that if you put netmap in emulated mode to make it work on bge, then it will also be running in emulated mode for the em card.

                    Also: what version of FreeBSD/pfSense are you running?

                    1 Reply Last reply Reply Quote 0
                    • R
                      rlrobs
                      last edited by rlrobs

                      @boobletins said in Suricata inline mode - trunk interface:

                      ou can see that on FreeBSD the bge driver is not supported.
                      The em driver should work with netmap natively assuming there's no incompatibility in the VM.
                      If you need inline mode with bge then you will need to run netmap in emulated mode as described in the link above:

                      Emulation is also available for devices with native netmap support, whichcan be used for testing or performance comparison. The sysctl variable dev.netmap.admode globally controls how netmap mode is implemented.

                      But you should know that if you put netmap in emulated mode to make it work on bge, then it will also be running in emulated mode for the em card.
                      Also: what version of FreeBSD/pfSense are you running?

                      ☹

                      Pfsense 2.4.4_p1

                      I will try intel nic.

                      thank's

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post