Suricata Inline IPS breaks VLAN interfaces
-
I have 3 VLANs set up (1, 10, 20) all attached to physical interface igb1. Enabling Inline IPS mode seems to kill all firewall & internet access completely on that interface.
Legacy mode doesn't seem to do this. Is there any way to get this working?
-
VLANs and Inline IPS Mode basically hate each other ...
It is due to how the netmap device interacts with virtual interfaces, and a VLAN is a virtual interface on top of a physical interface.
The recommended way to do this is to run the Suricata instance on the physical parent interface. Usually that will work. But if you have tried that and still have problems, then likely your particular NIC driver and netmap are not playing well together. And if that is the case, then Legacy Mode is what you will have to use.
There has been some work done by the OPNsense team and Klara (I believe) to improve the interoperability of netmap and virtual interfaces. However, I don't think all of their changes have been mainlined into FreeBSD upstream yet. They have released some of their fixes into OPNsense. Once all of their fixes are mainlined into FreeBSD upstream, then they will eventually get pulled into pfSense as part of syncing FreeBSD with upstream.
-
@bmeeks Thank you. Yes, I did actually try attaching Suricata to the parent, but it still caused problems. I'll have a play with legacy mode and see how that works.
Thank you.