Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata inline mode IPS and VLANS

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    22
    2.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NRgia @bmeeks
      last edited by NRgia

      @bmeeks said in Suricata inline mode IPS and VLANS:

      @NRgia said in Suricata inline mode IPS and VLANS:

      @bmeeks Thanks, I read that in the past, and I applied that info.

      I only have the following:
      options.png

      I don't know which if "rx_vlan" is off or not, from what I see

      I would lean towards VLAN_HWFILTER being a potential problem. But turning that off might break all of your VLAN routing.

      You may have to think about abandoning Inline Mode if you have to use the VLANs. There are just too many issues with the netmap device itself and VLANs. These issues are totally outside the realm of Suricata. All Suricata does is call an API function to open a netmap device tunnel on an interface.

      Oh, and that link I gave you to the Sticky Post was not about VLANs. It was just to illustrate use of the ifconfig command. That user was working on some different issues and tuning around those problems.

      Hello Bill,

      I know it's an old post, but I wanted to tell you that you were partially right about my issue, which seems that hunts many people.

      I found this bug:
      https://github.com/luigirizzo/netmap/issues/703

      I did not understand if it's fixed or not, but I looked to this PR afterwards:

      https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236584

      After I disabled the following:

      ifconfig ix2 -vlanhwtso -vlanhwfilter -vlanhwtag -vlanhwcsum

      I can start Suricata in inline mode, on parent interface that have other VLANs.

      I though it was ok to share, if this is not known already.
      Tested on pfsense 2.5.0, but I don't think it matters.

      bmeeksB 1 Reply Last reply Reply Quote 2
      • bmeeksB
        bmeeks @NRgia
        last edited by bmeeks

        @NRgia said in Suricata inline mode IPS and VLANS:

        https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236584

        After I disabled the following:

        ifconfig ix2 -vlanhwtso -vlanhwfilter -vlanhwtag -vlanhwcsum

        I can start Suricata in inline mode, on parent interface that have other VLANs.

        I though it was ok to share, if this is not known already.
        Tested on pfsense 2.5.0, but I don't think it matters.

        I think this is a driver-specific issue. The em series driver appears to be the one not honoring the disable option. Other drivers do (like your ix series).

        There are other features of FreeBSD networking that do not play well with the netmap device either. One of them is limiters (packet shaping). Several folks have reported that when that is enabled in pfSense (FreeBSD, actually), network traffic stops on the interface. Also have reports of the traffic graph function not working when netmap is running on an interface.

        1 Reply Last reply Reply Quote 1
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.