Snort Inline Mode caused WAN to drop every few minutes


  • After following the Netgate guide (https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions/43) to configure Inline Mode for Snort, it caused major issues with my WAN connection and internal VLANs. I switched back to Legacy Mode for the internal LAN and even then the WAN would drop the connection every few minutes. I am just wondering if I missed something. I could not get it to work until I switched all my interfaces back to Legacy Mode.
    I am running pfSense 2.4.5 and Snort 4.1.2_3. The NICs on the appliance are from the igb family.

    Any help is appreciated! Thank you!


  • I am using Snort with Inline IPS Mode enabled on a Netgate SG-5100 appliance without issue. The NICs on my WAN and LAN are both igb chipsets.

    Inline IPS Mode uses the FreeBSD kernel netmap device. There are some quirks with that device. One is that "attaching" and "detaching" from it via a software application triggers the netmap device and kernel to perform a "down then up" physical cycle of the interface. That is essentially the same as doing an "ifconfig down" and "ifconfig up" sequence.

    The following things might make Snort restart on an interface and thus trigger the down/up sequence:

    1. Scheduled rules updates when new rules are actually available.
    2. Receipt of a "restart all packages" command from pfSense itself. The firewall may issue this command in response to several things.

    Improper settings for certain hardware tunables can cause problems with netmap operation.

    FreeBSD-11.3/STABLE (which pfSense-2.4.5 is based on) uses an older API version for the netmap device interface. There are perhaps new netmap bug fixes from upstream that have not been backported to FreeBSD-11.3/STABLE.

    If Inline IPS Mode is unstable for you on your hardware, switch to Legacy Blocking Mode. That does not use the netmap device. A reboot of the box after switching would not be a bad idea either if you had substantial issues with Inline IPS Mode.

    To see if something else is really at fault, disable the IDS/IPS completely for a period to see if the interfaces become stable then. Perhaps something else is causing the interface cycling?
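One way to carry out the diagnostic above before pulling Snort out entirely: scan system.log for igb link-state changes and check whether each DOWN follows a Snort start within a few seconds (the netmap attach cycle) or not (something else is bouncing the link). This is an added example, not code from the thread or from the Snort package; the log sample is constructed and the Snort syslog wording is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/system.log lines (format assumed); not from the thread.
SAMPLE_LOG = """\
Jun  3 10:14:01 pfSense snort[40212]: Snort initialization completed successfully (pid=40212)
Jun  3 10:14:02 pfSense kernel: igb0: link state changed to DOWN
Jun  3 10:14:05 pfSense kernel: igb0: link state changed to UP
Jun  3 10:21:40 pfSense kernel: igb0: link state changed to DOWN
Jun  3 10:21:43 pfSense kernel: igb0: link state changed to UP
Jun  3 10:30:11 pfSense snort[41007]: Snort initialization completed successfully (pid=41007)
Jun  3 10:30:12 pfSense kernel: igb1: link state changed to DOWN
Jun  3 10:30:15 pfSense kernel: igb1: link state changed to UP
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (kernel|snort\[\d+\]): (.*)$")
LINK_RE = re.compile(r"^([a-z]+\d+): link state changed to (UP|DOWN)$")


def parse_events(text, year=2020):
    """Yield (timestamp, kind, iface); kind is 'snort_start', 'down' or 'up'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src, msg = m.group(2), m.group(3)
        if src.startswith("snort") and "initialization completed" in msg:
            yield ts, "snort_start", None          # assumed Snort start-up message
        elif src == "kernel":
            lm = LINK_RE.match(msg)
            if lm:
                yield ts, lm.group(2).lower(), lm.group(1)


def classify_flaps(text, window=10):
    """Per interface, count DOWN events that occur within `window` seconds after a
    Snort start (expected netmap attach/detach cycling) versus all other DOWNs,
    which point at a cause other than Snort restarting."""
    events = list(parse_events(text))
    starts = [ts for ts, kind, _ in events if kind == "snort_start"]
    counts = defaultdict(lambda: {"explained": 0, "unexplained": 0})
    for ts, kind, iface in events:
        if kind != "down":
            continue
        recent = any(0 <= (ts - s).total_seconds() <= window for s in starts)
        counts[iface]["explained" if recent else "unexplained"] += 1
    return dict(counts)


if __name__ == "__main__":
    for iface, c in sorted(classify_flaps(SAMPLE_LOG).items()):
        print(f"{iface}: {c['explained']} flap(s) right after a Snort start, "
              f"{c['unexplained']} unexplained")
```

On a real box, feed it the output of `clog /var/log/system.log` (pfSense 2.4.x uses circular logs); a growing "unexplained" count while Snort is running steadily means the netmap cycling is not the whole story.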


  • @bmeeks
    Confession Time! I managed to get NTOPNG 4.2 installed and it was working. When I enabled the option to create VLAN Timeseries it broke my config. I had to uninstall NTOPNG and then switch back to legacy mode on all interfaces. I just enabled Inline Mode on the WAN again. I will see how it goes.
    Do you think NTOPNG might have broken the Inline Mode config for Snort?


  • @promo76 said in Snort Inline Mode caused WAN to drop every few minutes:

    @bmeeks
    Confession Time! I managed to get NTOPNG 4.2 installed and it was working. When I enabled the option to create VLAN Timeseries it broke my config. I had to uninstall NTOPNG and then switch back to legacy mode on all interfaces. I just enabled Inline Mode on the WAN again. I will see how it goes.
    Do you think NTOPNG might have broken the Inline Mode config for Snort?

    Yes, they do not like each other. Inline IPS Mode, because of the kernel netmap device, is incompatible with many things. Limiters, sometimes Traffic Graph will malfunction, and ntopNG. There are probably others. You need a plain-vanilla firewall in terms of extra packages to use Inline IPS Mode effectively.


  • @bmeeks
    Thank you!