Snort Inline IPS mode and HAProxy Issue
-
Hello,
I created a new install of pfsense 2.5.0 from scratch. I have HAProxy installed for my DMZ network. I installed Snort 4.0 and created an interface on the DMZ interface (igb3) using the inline IPS mode introduction and configuration instructions.
After starting the interface I noticed immediately that my haproxy backend went offline. When I shut down the DMZ interface the haproxy backend goes back online.
Any ideas why this is happening? Any help would be much appreciated.
Below are the system logs from starting and stopping the service.
Mar 1 07:17:35 php-fpm 53221 Starting Snort on DMZ(igb3) per user request...
Mar 1 07:17:35 php 70409 [Snort] Updating rules configuration for: DMZ ...
Mar 1 07:17:35 php 70409 [Snort] Enabling any flowbit-required rules for: DMZ...
Mar 1 07:17:35 php 70409 [Snort] Enabling any flowbit-required rules for: DMZ...
Mar 1 07:17:35 php 70409 [Snort] Building new sid-msg.map file for DMZ...
Mar 1 07:17:35 php 70409 [Snort] Snort START for DMZ(igb3)...
Mar 1 07:17:36 kernel igb3: link state changed to DOWN
Mar 1 07:17:36 check_reload_status 376 Linkup starting igb3
Mar 1 07:17:37 kernel 057.369234 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:37 php-fpm 53221 /rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
Mar 1 07:17:37 check_reload_status 376 Reloading filter
Mar 1 07:17:39 check_reload_status 376 Linkup starting igb3
Mar 1 07:17:39 kernel igb3: link state changed to UP
Mar 1 07:17:39 kernel 059.470734 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:40 php-fpm 94309 /rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
Mar 1 07:17:40 check_reload_status 376 rc.newwanip starting igb3
Mar 1 07:17:40 check_reload_status 376 Reloading filter
Mar 1 07:17:40 kernel 060.470551 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:41 php-fpm 94309 /rc.newwanip: rc.newwanip: Info: starting on igb3.
Mar 1 07:17:41 php-fpm 94309 /rc.newwanip: rc.newwanip: on (IP address: 172.16.0.1) (interface: DMZ[opt1]) (real interface: igb3).
Mar 1 07:17:41 check_reload_status 376 Reloading filter
Mar 1 07:17:41 kernel 061.119274 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:42 kernel 062.055664 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:43 kernel 063.437239 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:44 kernel 064.116558 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:45 kernel 065.441235 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:46 php-fpm 53221 Stopping Snort on DMZ(igb3) per user request...
Mar 1 07:17:46 php-fpm 53221 [Snort] Snort STOP for DMZ(igb3)...
Mar 1 07:17:46 kernel 066.441202 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:46 snort 73713 *** Caught Term-Signal
Mar 1 07:17:46 check_reload_status 376 Linkup starting igb3
Mar 1 07:17:46 kernel igb3: link state changed to DOWN
Mar 1 07:17:47 php-fpm 338 /rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
Mar 1 07:17:47 check_reload_status 376 Reloading filter
Mar 1 07:17:49 check_reload_status 376 Linkup starting igb3
Mar 1 07:17:49 kernel igb3: link state changed to UP
Mar 1 07:17:50 php-fpm 339 /rc.linkup: Hotplug event detected for DMZ(opt1) static IP (172.16.0.1 )
Mar 1 07:17:50 check_reload_status 376 rc.newwanip starting igb3
Mar 1 07:17:50 check_reload_status 376 Reloading filter
Mar 1 07:17:51 php-fpm 339 /rc.newwanip: rc.newwanip: Info: starting on igb3.
Mar 1 07:17:51 php-fpm 339 /rc.newwanip: rc.newwanip: on (IP address: 172.16.0.1) (interface: DMZ[opt1]) (real interface: igb3).
Mar 1 07:17:51 check_reload_status 376 Reloading filter
-
Many FreeBSD networking features are incompatible (or at least buggy) when the netmap kernel device in FreeBSD is active. Inline IPS Mode on both Snort and Suricata uses the built-in FreeBSD netmap kernel device.
The first easy thing I would check is to be sure you have all of the network hardware offloading features set to "Disabled" on the SYSTEM > ADVANCED > NETWORKING tab. I see some mbuf checksum errors in your log snippet. Not saying that will for sure fix it, though. But when using the IPS Inline Mode, you need to disable all hardware offloading.
Another weirdness that happens with the netmap device is when it is activated or deactivated it will bring the interface "down" and then "up". So each time Snort starts or stops, you will see messages in the system log about the interface going down and coming back up. This might upset other software pieces monitoring that interface.
I'll say this here primarily for the benefit of others that may come across this thread.
Snort and Suricata, when using Inline IPS Mode operation, work best on a totally plain-vanilla firewall setup. No HA Proxy, no Traffic Shaping/Limiters and no LAGG interfaces. Even some VLAN setups can cause weirdness. Adding any of these things can lead to various "problems" when using Inline IPS Mode with either of the two IDS packages.
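The two checks in the reply above (confirm that hardware offloading is really off on the netmap interface, and recognise the netmap-induced link DOWN/UP cycle in the system log) can be scripted. The following is an added example written for this thread, not code from any of the posters or from the Snort/pfSense packages. It assumes the FreeBSD `ifconfig` options format (`options=<hex><FLAG,FLAG,...>`), a hypothetical mapping from the RXCSUM/TXCSUM/TSO/LRO flags to the three pfSense checkboxes, a constructed `ifconfig igb3` sample, and a subset of the log lines posted earlier in this thread; the regular expressions are my own.

```python
import re

# Offload flags that should be absent from `ifconfig <if>` before a netmap-based
# Inline IPS Mode interface is started, mapped to the pfSense
# SYSTEM > ADVANCED > NETWORKING checkbox that clears them (assumed mapping).
OFFLOAD_FLAGS = {
    "RXCSUM": "Hardware Checksum Offloading",
    "TXCSUM": "Hardware Checksum Offloading",
    "RXCSUM_IPV6": "Hardware Checksum Offloading",
    "TXCSUM_IPV6": "Hardware Checksum Offloading",
    "TSO4": "Hardware TCP Segmentation Offloading",
    "TSO6": "Hardware TCP Segmentation Offloading",
    "LRO": "Hardware Large Receive Offloading",
}

# Constructed `ifconfig igb3` output for a box where offloading is still enabled.
SAMPLE_IFCONFIG = (
    "igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\toptions=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,"
    "TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>\n"
    "\tinet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255\n"
)


def enabled_offloads(ifconfig_text):
    """Return (flag, pfSense setting) pairs for every offload flag still set on
    the interface, sorted by flag name. An empty list means the interface is clean."""
    m = re.search(r"options=[0-9a-fA-F]+<([^>]*)>", ifconfig_text)
    if not m:
        return []
    flags = m.group(1).split(",")
    return sorted((f, OFFLOAD_FLAGS[f]) for f in flags if f in OFFLOAD_FLAGS)


# Subset of the system log posted in this thread.
SAMPLE_LOG = """Mar 1 07:17:35 php 70409 [Snort] Snort START for DMZ(igb3)...
Mar 1 07:17:36 kernel igb3: link state changed to DOWN
Mar 1 07:17:37 kernel 057.369234 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:39 kernel igb3: link state changed to UP
Mar 1 07:17:39 kernel 059.470734 [4007] netmap_transmit igb3 drop mbuf that needs checksum offload
Mar 1 07:17:46 php-fpm 53221 [Snort] Snort STOP for DMZ(igb3)...
Mar 1 07:17:46 kernel igb3: link state changed to DOWN
Mar 1 07:17:49 kernel igb3: link state changed to UP"""

NETMAP_DROP = re.compile(r"netmap_transmit (\S+) drop mbuf that needs checksum offload")
LINK_STATE = re.compile(r"kernel (\S+): link state changed to (UP|DOWN)")
SNORT_EVENT = re.compile(r"\[Snort\] Snort (START|STOP) for [^(]+\(([^)]+)\)")


def _empty():
    return {"csum_drops": 0, "link_down": 0, "link_up": 0,
            "snort_start": 0, "snort_stop": 0}


def summarize_netmap_log(log_text):
    """Count, per interface, netmap checksum-offload drops, link DOWN/UP
    transitions, and the Snort START/STOP events that bracket them."""
    stats = {}
    for line in log_text.splitlines():
        m = NETMAP_DROP.search(line)
        if m:
            stats.setdefault(m.group(1), _empty())["csum_drops"] += 1
            continue
        m = LINK_STATE.search(line)
        if m:
            stats.setdefault(m.group(1), _empty())["link_" + m.group(2).lower()] += 1
            continue
        m = SNORT_EVENT.search(line)
        if m:
            stats.setdefault(m.group(2), _empty())["snort_" + m.group(1).lower()] += 1
    return stats


def findings(stats):
    """Turn the counts into plain-language checks for the administrator."""
    out = []
    for ifname, s in sorted(stats.items()):
        if s["csum_drops"]:
            out.append(f"{ifname}: netmap dropped {s['csum_drops']} mbufs that still needed "
                       f"checksum offload; confirm hardware checksum offloading is disabled")
        if s["link_down"]:
            out.append(f"{ifname}: link went DOWN {s['link_down']}x and UP {s['link_up']}x across "
                       f"{s['snort_start']} Snort start(s) and {s['snort_stop']} stop(s); anything "
                       f"monitoring this interface (an HAProxy backend, for example) will see the flap")
    return out


if __name__ == "__main__":
    for flag, setting in enabled_offloads(SAMPLE_IFCONFIG):
        print(f"{flag:12s} still enabled -> disable: {setting}")
    for line in findings(summarize_netmap_log(SAMPLE_LOG)):
        print(line)
```

On a live box you would feed `enabled_offloads` the output of `ifconfig igb3` and `summarize_netmap_log` the relevant slice of the system log; a non-empty result from the first function means the GUI checkboxes did not take effect on that NIC, and the second function makes the start/stop-triggered flap visible without reading the whole log by hand.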
-
Hello and thanks for your reply. All three of the check boxes are disabled per the configuration instructions.