How to disable hardware-level VLAN filtering in Snort Inline Mode - Netgate 7100U

carpediem808 · Oct 24, 2023, 6:39 AM

Hi,

Need help setting up Snort Inline mode on LAN and VLANs. Traffic on all VLANs stops immediately upon activing the block.

Hardware - Netgate 7100U
pfSense+ 23.05.01

LAN set up on (ix0), VLANs (ix0.10, ix0.20, ix0.30, ix0.40)

While setting up Snort in Inline Blocking mode, I get the message "NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards." and asks me to refer to Intel ix4 cards in the below link.
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#intel-ix-4-cards

Also, hardware offloading is disabled.

Current output of ifcong ix0 command is

List of STEPS I have taken so far after reading from the 2 pages suggested by Netgate Docs (with whatever little understanding I have)

As suggested on this page, I have disabled Flow Control on all ix interfaces.

https://docs.netgate.com/pfsense/en/latest/config/advanced-tunables.html#config-tunables-gui

Added a DEV system tunable entry (dev.ix.0.fc with value 0):

To view the current values of Autonegotiate Non-default Speeds in hexadecimal instead of decimal of the runtime tunable OID for interface ix0 it is currently set to 2.5G

However, I do not know how to edit and change that value to accept Auto-negotiation for all the speeds mentioned below.

Lastly, I have also disabled thee FW rules on all VLANs.

Could anyone please help me figure this out and run Inline on all LAN/VLAN interfaces. Even if I turn on the Inline blocking on LAN interface (with no other interface configured on Snort, it stops traffic on all vlans)

Any help or guidance would be greatly appreciated.

Thanks

bmeeks · Oct 24, 2023, 1:13 PM

Inline IPS Mode and VLANs is not supported. Your only option is to run a single Snort instance on the parent physical interface.

Inline IPS Mode uses the netmap device within FreeBSD, and that device currently does not support operation with VLANs in native mode.

You can try using a single Snort instance on the VLAN parent interface or else switch to Legacy Blocking Mode if you need individual Snort instances on each VLAN interface.

carpediem808 · Oct 25, 2023, 10:35 AM

@bmeeks thanks for quick response.

Can I still use the legacy blocking mode on all VLANs or just LAN (which will cover the entire VLAN interfaces?

bmeeks · Oct 25, 2023, 11:18 AM

@carpediem808 said in How to disable hardware-level VLAN filtering in Snort Inline Mode - Netgate 7100U:

@bmeeks thanks for quick response.

Can I still use the legacy blocking mode on all VLANs or just LAN (which will cover the entire VLAN interfaces?

Legacy Mode will work on VLANs because it uses the pf firewall engine for blocking instead of the kernel netmap device. Legacy Mode uses libpcap to capture copies of packets as they traverse the interface. But note that by default Snort places the interface it monitors into promiscuous mode, so Snort running on a VLAN will see see all traffic on the physical parent (that means the traffic of any other VLANs defined on the same parent).

carpediem808 · Oct 25, 2023, 11:31 AM

@bmeeks thank you again. Appreciate the response and detailed explanation