Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata or Snort Interferes with Traffic Graph!

    Scheduled Pinned Locked Moved
    2.5 Development Snapshots (Retired)
    3
    20
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks @kiokoman
      last edited by

      @kiokoman said in Suricata or Snort Interferes with Traffic Graph!:

      It's not the same. The module for realtek is different, it's not compiled inside the kernel so you can compile it as a module and load it inside pfsense. The problem with intel is that it is compiled inside the kernel and you can't compile a new version as a module without rebuilding the entire kernel.

      Ah! I stand corrected. Did not realize that. Thought you might could choose either route (module or native).

      1 Reply Last reply Reply Quote 0
      • NollipfSenseN
        NollipfSense @kiokoman
        last edited by

        @kiokoman said in Suricata or Snort Interferes with Traffic Graph!:

        The problem with intel is that it is compiled inside the kernel and you can't compile a new version as a module without rebuilding the entire kernel.

        That's what I am learning ... so, it would be interesting to learn how to compile ... just have to many things on the fire cooking. Hope it gets into FreeBSD 12.1 before releasing 12.2beta. I have a feeling it's maybe more how Netmap and Snort work causing the traffic graphs issue.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        bmeeksB 1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks @NollipfSense
          last edited by bmeeks

          @NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:
          I have a feeling it's maybe more how Netmap and Snort work causing the traffic graphs issue.

          It is the netmap device that is the root cause. If the traffic graphs are important to you, switch over to Legacy Blocking Mode and they will return to operation. Legacy Mode does not use the netmap device, and thus those internal FreeBSD networking plumbing changes required by netmap do not happen and therefore traffic graphs can work.

          NollipfSenseN 1 Reply Last reply Reply Quote 0
          • NollipfSenseN
            NollipfSense @bmeeks
            last edited by NollipfSense

            @bmeeks Okay Bill, I heard from the Netmap developer who stated that "with FreeBSD12, Intel NICs switched to iflib as a driver, and this had an impact on netmap, because now netmap support for these NICs is directly provided by iflib."

            My hope is that pfSense developers will make sure that all NIC drivers will be updated for 2.5 release. As I had stated I can do without the fancy traffic graphs during the beta testing ... for the release, it must be fully functioning.

            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

            bmeeksB 1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks @NollipfSense
              last edited by

              @NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:

              @bmeeks Okay Bill, I heard from the Netmap developer who stated that "with FreeBSD12, Intel NICs switched to iflib as a driver, and this had an impact on netmap, because now netmap support for these NICs is directly provided by iflib."

              My hope is that pfSense developers will make sure that all NIC drivers will be updated for 2.5 release. As I had stated I can do without the fancy traffic graphs during the beta testing ... for the release, it must be fully functioning.

              I wouldn't depend too much on the pfSense team tackling netmap compatibility in a NIC driver. They use what comes in with FreeBSD pretty much as-is. If you want to lobby for good netmap support in a NIC driver, better to go upstream and open a ticket with the FreeBSD team directly. I'm not familiar with that particular driver and have not researched it, but in some cases the manufacturers write and support drivers for various operating systems and not the developer team of the particular OS.

              NollipfSenseN 1 Reply Last reply Reply Quote 0
              • NollipfSenseN
                NollipfSense @bmeeks
                last edited by

                @bmeeks said in Suricata or Snort Interferes with Traffic Graph!:

                I wouldn't depend too much on the pfSense team tackling netmap compatibility in a NIC driver.

                No, no ... that's not what I am saying and not their responsible. What I am saying is that as a firewall developer, pfSense should make sure NIC drivers are updated as that is the essence of offering a good firewall platform.

                pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                1 Reply Last reply Reply Quote 0
                • NollipfSenseN
                  NollipfSense
                  last edited by

                  HOORAY ... traffic graphs are working; so. I wonder whether FreeBSD 12.1 stable has the latest Intel i350 NIC ... will check later!

                  pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                  pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                  1 Reply Last reply Reply Quote 0
                  • NollipfSenseN
                    NollipfSense
                    last edited by

                    Okay, I see why traffic graphs are working ... Netmap broke!

                    pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                    pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                    bmeeksB 1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks @NollipfSense
                      last edited by

                      @NollipfSense said in Suricata or Snort Interferes with Traffic Graph!:

                      Okay, I see why traffic graphs are working ... Netmap broke!

                      What kind of Netmap errors do you see? Is there anything in any error messages about using the wrong Netmap API?

                      Just wondering because a Snort user on pfSense-2.5 testing the new Inline IPS Mode reported netmap is broken there and gives a "wrong API" error.

                      This will be from the recent move to FreeBSD-12.1 for pfSense-2.5 snapshots. Will work on getting it sorted out, but may take some time.

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        A Redmine Bug Report has been created to track this issue. Thanks for reporting it.

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post