Netgate Discussion Forum

    Snort in 2.5.0: jumbo frames are not handled correctly in Inline IPS mode

    IDS/IPS
    iqjet:

      I found the reason why Mullvad WireGuard throttles in Inline IPS mode.
      The MTU for the wg interface device changed from 1420 to 8112.
      It looks like Inline IPS can't handle jumbo frames.
      Inline IPS mode works like a charm when the MTU is set to 1500, but then it has speed problems with WG.
      Inline IPS without WireGuard and set to an MTU of 1500 does not have speed problems.
      HW:

      CPU Type 	Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
      4 CPUs:         1 package(s) x 2 core(s) x 2 hardware threads
      AES-NI CPU Crypto: Yes (active) 
      

      Any idea what is going wrong?
      My settings are in the attached file snort.zip.

      sudo wg-quick up mullvad-de5
      [#] ip link add mullvad-de5 type wireguard
      [#] wg setconf mullvad-de5 /dev/fd/63
      [#] ip -4 address add 10.64.219.85/32 dev mullvad-de5
      [#] ip -6 address add fc00:bbbb:bbbb:bb01::1:db54/128 dev mullvad-de5
      [#] ip link set mtu 8112 up dev mullvad-de5

      With the initial MTU settings of my LAN interface, WG dropped to 100 MBit/s. After changing the MTU to 9000 my speed was back to >850 MBit/s. Snort was still in Legacy Mode. When I set the MTU back to 1500 my WG speed drops to 100 MBit/s again.

      I switched to Inline IPS and Snort didn't start up.
      The reason: large MTU (8192) needed but igb1 does not support NS_MOREFRAG

      May 28 12:39:45 pfsense snort[69782]: FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
      May 28 12:39:45 pfsense kernel: 385.664273 [2197] netmap_buf_size_validate  error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG
      May 28 12:44:07 pfsense snort[58285]: FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
      May 28 12:44:07 pfsense kernel: 647.269450 [2197] netmap_buf_size_validate  error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG
      May 28 12:45:01 pfsense snort[41101]: FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
      May 28 12:45:01 pfsense kernel: 701.296374 [2197] netmap_buf_size_validate  error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG
      

      A similar error was reported for jumbo frames in 2019 on OPNsense and on GitHub.

      bmeeks:

        The problem is not with Snort (or Suricata), but rather with the netmap device itself and how it interacts with the various NIC drivers. Notice in the error message you posted that the kernel says "igb1 does not support NS_MOREFRAG". This is a NIC driver message, not a Snort message.

        You really should take this error report to the FreeBSD 12.1 developers as there is little the pfSense side can do as the issue is upstream in the base OS.

        iqjet:
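        The kernel lines in the first post ("large MTU (8192) needed but igb1 does not support NS_MOREFRAG") come from netmap's buffer-size validation, which runs when Snort's DAQ registers the interface, before any Snort code sees a packet. The following shell script is an added illustration written for this page, not code from Snort, pfSense or the FreeBSD kernel. The function `netmap_mtu_check` models the three-way decision as this example's author understands `netmap_buf_size_validate()` in sys/dev/netmap/netmap.c (assumption: the check compares the MTU against the driver's per-slot receive buffer maximum, and only requires NS_MOREFRAG when a packet would span several slots); the `netmap_preflight` helper reads the real MTU and `dev.netmap.buf_size` on a FreeBSD box but takes the driver-internal values (`rx_buf_maxsize`, NS_MOREFRAG support) as arguments because they are not exposed through sysctl (assumption). All names are this example's own.

```shell
#!/bin/sh
# Model of the netmap buffer-size validation behind the kernel errors quoted in
# this thread. Written for this page; not Snort, pfSense or kernel code.
#
# Arguments: <ifname> <mtu> <netmap_buf_size> <rx_buf_maxsize> <morefrag:0|1>
#   netmap_buf_size : size of one netmap buffer (sysctl dev.netmap.buf_size)
#   rx_buf_maxsize  : largest receive buffer the NIC driver uses per ring slot
#   morefrag        : 1 if the driver supports NS_MOREFRAG (multi-slot packets)
# Prints "ok" or an error line worded after the kernel's messages (assumption),
# and returns 0 on success or 22 (EINVAL, as in the DAQ error) on failure.
netmap_mtu_check() {
    ifname=$1; mtu=$2; nbs=$3; rxmax=$4; morefrag=$5
    if [ "$mtu" -le "$rxmax" ]; then
        # A whole packet fits one NIC slot: a netmap buffer only has to hold an MTU.
        if [ "$nbs" -lt "$mtu" ]; then
            echo "error: netmap buf size ($nbs) < device MTU ($mtu)"
            return 22
        fi
    else
        # A packet needs several NIC slots: the driver must support NS_MOREFRAG ...
        if [ "$morefrag" -ne 1 ]; then
            echo "error: large MTU ($mtu) needed but $ifname does not support NS_MOREFRAG"
            return 22
        fi
        # ... and each netmap buffer must still hold the driver's per-slot maximum.
        if [ "$nbs" -lt "$rxmax" ]; then
            echo "error: netmap buf size ($nbs) < per-slot buffer size ($rxmax) on $ifname"
            return 22
        fi
    fi
    echo "ok"
    return 0
}

# Pre-flight helper for a FreeBSD/pfSense host: pulls the MTU from ifconfig and
# the netmap buffer size from sysctl, then applies the model check. The two
# driver-specific values must be supplied by the caller (assumption: not in sysctl).
# Usage: netmap_preflight igb1 2048 0
netmap_preflight() {
    ifname=$1; rxmax=$2; morefrag=$3
    mtu=$(ifconfig "$ifname" | awk '{ for (i = 1; i <= NF; i++) if ($i == "mtu") print $(i + 1) }')
    nbs=$(sysctl -n dev.netmap.buf_size)
    netmap_mtu_check "$ifname" "$mtu" "$nbs" "$rxmax" "$morefrag"
}

# Constructed inputs mirroring the thread: an igb1 at MTU 8192 with a 2048-byte
# per-slot buffer and no NS_MOREFRAG fails exactly like the log lines above,
# while the same NIC at MTU 1500 registers fine.
netmap_mtu_check igb1 8192 2048 2048 0
netmap_mtu_check igb1 1500 2048 2048 0
```

        Run `netmap_preflight` for every interface Snort or Suricata will bind in Inline IPS mode before flipping the switch; if it fails, the fix is on the MTU or driver side (lower the MTU, or use a NIC whose driver supports NS_MOREFRAG), not in the Snort package.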

          I understand your opinion. Is it a FreeBSD 12.1 or a pfSense fault? For Suricata there has been a fix in OPNsense by merging newer netmap code. 😕

          Fixing the netmap code is not so important for me; for years I have used Legacy mode.

          bmeeks @iqjet:

            @iqjet said in Snort in 2.5.0: jumbo frames are not handled correctly in Inline IPS mode:

            I understand your opinion. Is it a FreeBSD 12.1 or a pfSense fault? For Suricata there has been a fix in OPNsense by merging newer netmap code. 😕

            Fixing the netmap code is not so important for me; for years I have used Legacy mode.

            What version of FreeBSD netmap code did they merge? Last I heard they were on an older version of FreeBSD than pfSense. pfSense is now on 11.3/STABLE for the 2.4.5 RELEASE branch and 12.1/STABLE for the 2.5 DEVEL branch.

            iqjet:

              I just looked a bit at the OPNsense versions:

              Version 19.1: Hardened FreeBSD 11.2
              Version 19.7: Hardened FreeBSD 11.2
              Version 20.7 Beta: Hardened FreeBSD 12.1
              No idea what is meant by "hardened"; is it a modified FreeBSD?

              https://www.thomas-krenn.com/de/wiki/OPNsense
              It looks like there are no problems with netmap in version 20.7; at least I couldn't find any.

              bmeeks:

                The term "hardened" does in fact mean some small customizations are done to the baseline FreeBSD operating system. pfSense does the same. Neither firewall distro uses an unmodified FreeBSD underlying OS, but so far as I know the bulk (if not all) of the customization is within the two native firewall engines within FreeBSD: pf and ipfw.

                What is not clearly stated in the link you provided is whether the FreeBSD versions quoted are RELEASE or STABLE. See, there is both a FreeBSD 12.1/RELEASE and a FreeBSD 12.1/STABLE version. Each version is different although both say "12.1". The STABLE branch is more "current" as it contains features and enhancements over the RELEASE branch, but those additional changes also entail some amount of additional risk that is more similar to what you expect with development versions of a product.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.