Suricata Inline IPS blocks LAN
-
@bmeeks
i can't put the old cards back, i don't have pci slots in this pc
any idea when the new drivers will be available?
thanks again!
-
@cobrax2 said in Suricata Inline IPS blocks LAN:
@bmeeks
i can't put the old cards back, i don't have pci slots in this pc
any idea when the new drivers will be available?
thanks again!
I have no idea about timetables for NIC driver updates. That's up to the manufacturer guys that write them and the FreeBSD maintainers who add them to the distro. They are also outside the control of the Netgate/pfSense team as well.
Based on what you've said thus far, you may have a NIC that is not genuinely Intel. Or at least it is not highly compatible with the generic em driver in FreeBSD. Other folks with the same generic driver are not having issues as severe as yours. Or if they are, nobody is reporting it here.
One thing you need to be sure you've done is to disable all the offloading options under SYSTEM > ADVANCED > NETWORKING.
You have tried two packages, and both are giving you issues with Inline IPS Mode operation. So at this point you will need to either switch to Legacy Mode blocking in the IDS/IPS packages, or cease using the packages if you don't want to use Legacy Mode blocking.
-
@bmeeks ok, thank you, will try to find another nic
-
@bmeeks said in Suricata Inline IPS blocks LAN:
@cobrax2 said in Suricata Inline IPS blocks LAN:
@bmeeks
i can't put the old cards back, i don't have pci slots in this pc
any idea when the new drivers will be available?
thanks again!
I have no idea about timetables for NIC driver updates. That's up to the manufacturer guys that write them and the FreeBSD maintainers who add them to the distro. They are also outside the control of the Netgate/pfSense team as well.
Based on what you've said thus far, you may have a NIC that is not genuinely Intel. Or at least it is not highly compatible with the generic em driver in FreeBSD. Other folks with the same generic driver are not having issues as severe as yours. Or if they are, nobody is reporting it here.
One thing you need to be sure you've done is to disable all the offloading options under SYSTEM > ADVANCED > NETWORKING.
You have tried two packages, and both are giving you issues with Inline IPS Mode operation. So at this point you will need to either switch to Legacy Mode blocking in the IDS/IPS packages, or cease using the packages if you don't want to use Legacy Mode blocking.
Well, I activated the onboard LAN; it is an Intel I219-V.
Looks like it is still an em driver. It behaves exactly like the PCIe one that I have: Snort still blocks the VLAN :( If I disable Snort, all works. So the driver is the problem, or Snort? Not the NIC :(
thanks
edit: or some freak setting somewhere in my config? I have already disabled all the hw things in Networking. It's strange that only I report this...
-
@cobrax2 said in Suricata Inline IPS blocks LAN:
edit: or some freak setting somewhere in my config? I have already disabled all the hw things in Networking. It's strange that only I report this...
I strongly suspect it is something specific to just your setup. Could be hardware, or it might be a configuration issue.
If I may ask, is English your primary language, or is it a second language? I'm asking because of the way you are using the term "block". That is a bit confusing to me because in the context of the two IPS packages, "block" has a very specific meaning related to blocking certain IP addresses only. If that is the case, where only certain clients are having issues while other clients and traffic are not, then a configuration problem is likely the cause. If, on the other hand, ALL traffic through the IPS interface just stops and absolutely nothing gets through, then that would indicate something hardware related in terms of the driver software. You might want to do some Google research on the netmap device in FreeBSD to better understand what I am talking about when discussing how certain hardware NIC drivers interact with the kernel's netmap device (when the netmap device is active).
There are a lot of Snort and Suricata installations out there using the em driver without issue in Inline IPS Mode. In fact, that is the driver I use frequently in my VMware virtual machines when testing updates to both Snort and Suricata.
-
@bmeeks
No, English is not my primary language.
Sorry about my bad explanations. The issues are different between Suricata and Snort. Suricata locks/drops all traffic on the physical interface at some point, no matter VLAN or LAN.
Snort does something to the packets coming in tagged: the DHCP server on pfSense "sees" the UDP request coming in on the physical LAN and returns a LAN address to it, but the device probably does not receive the reply as it goes back untagged? The normal physical LAN, the untagged portion, works fine. Also this does not block/lock/drop further packets on either LAN or VLAN. But packet capture on the VLAN shows nothing...
thanks
-
@cobrax2 said in Suricata Inline IPS blocks LAN:
@bmeeks
No, English is not my primary language.
Sorry about my bad explanations. The issues are different between Suricata and Snort. Suricata locks/drops all traffic on the physical interface at some point, no matter VLAN or LAN.
Snort does something to the packets coming in tagged: the DHCP server on pfSense "sees" the UDP request coming in on the physical LAN and returns a LAN address to it, but the device probably does not receive the reply as it goes back untagged? The normal physical LAN, the untagged portion, works fine. Also this does not block/lock/drop further packets on either LAN or VLAN. But packet capture on the VLAN shows nothing...
thanks
The Suricata issue is one where I really have no solution to offer. That certainly seems like the old flow manager threading bug in Suricata 6.0.x, but there specifically is a patch for that in the pfSense version of Suricata. And if that bug was in fact not fixed, everyone would be reporting an issue regardless of NIC driver type. That bug affected all drivers the same.
For Snort, perhaps hardware VLAN tagging is still enabled on the NIC driver. Some have that option, and it must be disabled using sysctl variables. But some versions of the Intel NIC drivers (I don't recall which at the moment) do not honor the sysctl commands to actually disable hardware VLAN tagging. As I said before, the netmap devices and VLANs don't play well together, and most especially with hardware VLAN tagging enabled at the NIC driver level.
-
@bmeeks So there is nothing I can check to see if it is disabled?
-
@cobrax2 said in Suricata Inline IPS blocks LAN:
@bmeeks So there is nothing I can check to see if it is disabled?
Here is a discussion of the issue as it relates to the netmap device. This link is to the Github repo of the netmap creator: https://github.com/luigirizzo/netmap/issues/703.
And here is a related FreeBSD bug report on the issue I mentioned: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236584. You may find some info in there to help you.
My advice is to forget trying to use either of the IDS/IPS packages with Inline IPS Mode when using VLANs on the interface where you are trying to run Snort or Suricata. Those packages will work best on a plain vanilla interface: meaning no limiters enabled, no traffic shaping configured, and no VLANs in use on the interface. To do otherwise is basically trying to hammer a square peg into a round hole.
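As an added example (not from the thread or from the pfSense packages), this POSIX shell script gives one concrete answer to the "is there anything I can check" question above: it parses the options= line of a saved FreeBSD ifconfig output, reports which checksum/TSO/LRO offloads and hardware VLAN-tagging capabilities are still enabled, and prints the ifconfig(8) command that would clear them. The capability names and ifconfig keywords are FreeBSD's; the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check a saved FreeBSD `ifconfig <if>`
# output for offload / hardware VLAN-tagging capabilities that are still on.
# Capability names are those FreeBSD prints in the "options=" line.
OFFLOAD_FLAGS="VLAN_HWTAGGING VLAN_HWFILTER RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO"

# Print the offload-related capabilities still enabled in the given ifconfig output.
enabled_offloads() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    found=""
    for f in $OFFLOAD_FLAGS; do
        case ",$opts," in
            *",$f,"*) found="$found $f" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# Build the ifconfig(8) command that clears every enabled offload found above.
# Nothing is executed; the command is only printed for review.
disable_command() {
    cmd="ifconfig $1"
    for f in $(enabled_offloads "$2"); do
        case $f in
            VLAN_HWTAGGING) cmd="$cmd -vlanhwtag" ;;
            VLAN_HWFILTER)  cmd="$cmd -vlanhwfilter" ;;
            RXCSUM)         cmd="$cmd -rxcsum" ;;
            TXCSUM)         cmd="$cmd -txcsum" ;;
            RXCSUM_IPV6)    cmd="$cmd -rxcsum6" ;;
            TXCSUM_IPV6)    cmd="$cmd -txcsum6" ;;
            TSO4)           cmd="$cmd -tso4" ;;
            TSO6)           cmd="$cmd -tso6" ;;
            LRO)            cmd="$cmd -lro" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Constructed sample: an em(4) interface with offloads and HW VLAN tagging still on.
SAMPLE_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:00:00:00:00:01'
# Constructed sample: the same interface after the offloads were turned off.
SAMPLE_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e0008<VLAN_MTU,JUMBO_MTU>
        ether 00:00:00:00:00:01'
echo "Still enabled: $(enabled_offloads "$SAMPLE_ON")"
echo "To clear:      $(disable_command em0 "$SAMPLE_ON")"
echo "Clean NIC:     '$(enabled_offloads "$SAMPLE_OFF")'"
```

On a live pfSense box the same capabilities are what the checkboxes under SYSTEM > ADVANCED > NETWORKING mentioned earlier are meant to turn off, so a non-empty "Still enabled" list after a reboot is the thing worth investigating. The script only reads text and prints a command; it changes no interface settings.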
-
@bmeeks lol ok, thank you very much!