Snort on LAN stops all VLAN traffic
-
I have a LAN interface with 4 VLANs set up. It's been working fine for a long time now. All rules are good. If I enable Snort on the parent LAN interface (inline mode), all VLAN-to-VLAN or even LAN-to-VLAN traffic stops. Nothing works. Pretty sure it's not Snort blocking anything because the block list is empty and it's very obvious and sudden. Traffic just stops. Enabling Snort on the VLANs seems to work, except for the message to disable hardware VLAN filtering.
Is this normal, and is this how it is meant to work?
-
When you use the Inline IPS Mode, the list on the BLOCKS tab is not used. It is not even populated. So don't consult that tab for any interface using Inline IPS Mode. You can see dropped traffic (the equivalent of "blocked" in the Legacy Mode) by looking for alert entries with the red thumbs-down icon and red text on the ALERTS tab. Those are dropped traffic alerts.
If all of your traffic is stopping, then perhaps your NIC driver is not fully netmap compatible. The Inline IPS Mode uses the netmap kernel device. What version of pfSense and Snort are you running? There was a check added to the Inline IPS enable code a few months back to not allow selection of Inline IPS Mode on an interface using a NIC that does not natively support the netmap kernel device.
-
pfSense is 2.5.0, Snort 4.1.3_2.
I have an Intel card. The problem is specifically with VLANs, as LAN-WAN works fine. Enabling Snort on WAN doesn't cause the issue either.
-
VLANs are known to not work with the netmap kernel device, so not surprised you are having issues there.
Netmap is a very finicky beast, and it seems to have grown a bit more so with the release of FreeBSD 12.x and the move to iflib for the network drivers. Inline IPS Mode for both Snort and Suricata has to use the netmap kernel device, so any weirdness with that device is going to show up. And it will usually show up as rather severe network problems. If you want to use Snort on the parent VLAN interface, try using Legacy Mode there and not Inline IPS. Legacy Mode uses libpcap instead of the netmap device.
-
Thank you.
Is there a way to emulate in-line behavior - as in - alert only by default and block based on explicit rules or SID? By default it blocks too much and too quickly. But while I can whitelist VoIP hosts, I don't know what to do with Ring. I can't whitelist all of AWS. Or, if I can, I probably shouldn't.
-
@firstone said in Snort on LAN stops all VLAN traffic:
Thank you.
Is there a way to emulate in-line behavior - as in - alert only by default and block based on explicit rules or SID? By default it blocks too much and too quickly. But while I can whitelist VoIP hosts, I don't know what to do with Ring. I can't whitelist all of AWS. Or, if I can, I probably shouldn't.
No, Snort does not offer an analog to inline IPS mode. Suricata does, if you wanted to try that. It has an option when using Legacy Mode blocking called "Block on DROPs Only" that can be enabled.
You whitelist hosts by adding them to a custom Pass List. You would create one on the PASS LISTS tab. Be sure to keep the auto-selected defaults there. You can add IP addresses or defined Aliases to the list when creating it. Once you have a list created, go to the INTERFACE SETTINGS tab for the interface and down in the Pass List drop-down selector choose the list you created and save the change. Restart Snort after applying the change so it will see the new list.
-
@firstone said in Snort on LAN stops all VLAN traffic:
whitelist VoIP hosts, I don't know what to do with Ring
I was lurking and happened to see this comment, check out this doc.
-
@bmeeks
I have had the same experience with the use of inline mode on LAN (igb0) and no immediate problems with inline mode on WAN, but have had some moderate problems with using inline mode on the VLANs themselves, with what I think has been occasional loss of connectivity. The one thing I can't figure out is how to remove VLAN_HWFILTER from igb0, as I am repeatedly seeing messages like:
096.746948 [4034] netmap_transmit igb0.# full hwcur 777 hwtail 895 qlen 905
This occurs in spite of disabling flow control, a normal MTU = 1500, and not having settings such as vlanhwtso when checking ifconfig.
When I attempt ifconfig igb0 -VLAN_HWFILTER from the command line, as suggested when setting up Snort, I get a message indicating "bad value".
What am I doing wrong with the setup?
Thanks!
-
@pabloabonia said in Snort on LAN stops all VLAN traffic:
@bmeeks
I have had the same experience with the use of inline mode on LAN (igb0) and no immediate problems with inline mode on WAN, but have had some moderate problems with using inline mode on the VLANs themselves, with what I think has been occasional loss of connectivity. The one thing I can't figure out is how to remove VLAN_HWFILTER from igb0, as I am repeatedly seeing messages like:
096.746948 [4034] netmap_transmit igb0.# full hwcur 777 hwtail 895 qlen 905
This occurs in spite of disabling flow control, a normal MTU = 1500, and not having settings such as vlanhwtso when checking ifconfig.
When I attempt ifconfig igb0 -VLAN_HWFILTER from the command line, as suggested when setting up Snort, I get a message indicating "bad value".
What am I doing wrong with the setup?
Thanks!
I don't think you are doing anything wrong. My opinion is that FreeBSD-12's change to the iflib wrapper for NIC drivers has introduced weirdness with the netmap device. Also note that netmap and VLANs are, generally speaking, fundamentally incompatible with each other. So if you are using VLANs, you are going to want those interfaces in Legacy Mode and not Inline IPS Mode. Your most expedient resolution is to either switch to Legacy Mode Blocking, or move over to Suricata and use its "Block on DROPs Only" option. But just be aware Suricata does not have the OpenAppID functionality, if that is important to you.
-
Just to verify before changing back to LAN with Legacy Mode. You don't feel that disabling VLAN_HWFILTER as suggested by the message below would help? I am not certain that this setting refers to hardware-level VLAN filtering, and it may actually refer to frame filtering as noted in the ifconfig man page. "NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards. Follow the steps in the Netgate documentation here to disable hardware VLAN filtering."
This message shows up every time I make a change to a Snort interface.
My ifconfig igb0 yields the following settings:
<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
Thanks!
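An added helper, not from the thread or the pfSense package, for checking whether VLAN_HWFILTER is still set on an interface and printing the disable command. It parses ifconfig output passed in as text (the sample below is constructed to resemble the options line quoted above) so it runs offline; it assumes a FreeBSD ifconfig, whose keyword for this capability is the lowercase `-vlanhwfilter` rather than the uppercase name that ifconfig displays.

```shell
#!/bin/sh
# Constructed sample of `ifconfig igb0` output (not a real capture), built to
# contain the capability list quoted in the thread.
SAMPLE_IGB0='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,TXCSUM_IPV6>
	ether 00:00:00:00:00:00'

# has_vlanhwfilter OUTPUT
# Returns 0 when the options<...> list in OUTPUT contains VLAN_HWFILTER,
# 1 otherwise.  Only the options line is inspected; the flags<...> line on
# the first row is ignored because it lists interface flags, not capabilities.
has_vlanhwfilter() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -qx 'VLAN_HWFILTER'
}

# disable_cmd IFACE
# Prints the command that clears the capability.  ifconfig accepts the
# lowercase keyword; the uppercase VLAN_HWFILTER shown in its own output is
# rejected with "bad value" (assumption based on FreeBSD ifconfig(8)).
disable_cmd() {
    printf 'ifconfig %s -vlanhwfilter\n' "$1"
}

# Stand-alone usage: report on the constructed sample.
if has_vlanhwfilter "$SAMPLE_IGB0"; then
    echo "VLAN_HWFILTER is set on igb0; to clear it run: $(disable_cmd igb0)"
else
    echo "VLAN_HWFILTER is not set on igb0"
fi
```

On a live box replace the sample with `"$(ifconfig igb0)"`; note that the setting does not persist across reboots unless applied from a boot-time hook, and clearing it only affects the netmap/VLAN issue, not the other netmap limitations described later in the thread.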
-
@pabloabonia said in Snort on LAN stops all VLAN traffic:
Just to verify before changing back to LAN with Legacy Mode. You don't feel that disabling VLAN_HWFILTER as suggested by the message below would help? I am not certain that this setting refers to hardware-level VLAN filtering, and it may actually refer to frame filtering as noted in the ifconfig man page. "NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards. Follow the steps in the Netgate documentation here to disable hardware VLAN filtering."
This message shows up every time I make a change to a Snort interface.
My ifconfig igb0 yields the following settings:
<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
Thanks!
The whole netmap-based Inline IPS Mode has been a huge disappointment to me. At first it sounded great, but the implementation of netmap within FreeBSD has been, I will say diplomatically, "difficult to work with" at best. There have been at least three pretty big changes to the netmap device API over the years. Couple that with the move to iflib in FreeBSD-12, and you have a recipe for headaches. Netmap does not work well with VLANs because the VLAN stuff is not passed up to it. Netmap also interferes with things like limiters, traffic shapers and even the basic packet throughput stats. So when you put an interface in netmap mode, you can kill a lot of other core functionality. I had no idea that was the case when I first added netmap compatibility to the Suricata package (and later to Snort).
So for users with a totally plain-vanilla pfSense setup with no VLANs, no limiters and no traffic shapers, Inline IPS Mode with Snort or Suricata can work okay. It's not fantastic, but is just okay. If you have VLANs, limiters, or shapers, or if you want things like throughput graphs to work, then Inline IPS Mode and netmap is not going to be a good fit. The more I've investigated reported user issues, the more I've learned about the inherent limitations of the netmap kernel device (at least in FreeBSD).
-
@bmeeks
Thanks for your insights!