Netgate Discussion Forum

    Recurring kernel panics (page fault in bpf_mtap) on pfSense Plus 26.03 with Suricata + VLAN interfaces

    • mouseskowitz

      Disclaimer: AI wrote the bulk of this as it theoretically understands the crash dumps better than I do. Hopefully it's accurate information that can help us get this fixed.


      Hey all,

      I've been experiencing recurring kernel panics on my pfSense Plus 26.03 install and wanted to share my findings in case others are hitting the same thing. I've filed a bug report on Redmine with full technical details, but posting here to see if anyone else can reproduce this.

      Setup:

      • pfSense Plus 26.03 (RELENG_26_03, built March 20, 2026)
      • ASRock Rack board, Xeon D-1521
      • Onboard Intel I210 (igb), PCIe Intel 82599ES 10GbE SFP+ (ixgbe)
      • Suricata running on the physical ix1 interface and two VLAN sub-interfaces (ix1.40 and ix1.70)

      What's happening:

      The firewall is crashing roughly every 1–4 days with a kernel panic. I've collected 8+ crash dumps over about 3 weeks, all with the same panic string: page fault, all hitting the exact same kernel instruction — bpf_mtap+0x86. The crashes happen via two different code paths:

      • On packet receive: iflib_rxeof → ether_input → bpf_mtap
      • On packet forward: ip_tryforward → vlan_transmit → bpf_mtap

      Both paths fault at the same address with a null pointer dereference at offset 0x30, which strongly suggests a use-after-free or uninitialized BPF descriptor in the kernel's BPF tap code when Suricata has active listeners on ix1 VLAN interfaces.

      What I've ruled out:

      • Not a NIC driver issue (igb or ixgbe) — the fault is in the kernel BPF layer, not the drivers
      • Consistent across 3+ weeks with no pfSense updates applied, so it's not a regression from a recent patch

      Suspected cause:

      Suricata attaches BPF taps to the ix1 parent interface and both VLAN sub-interfaces. Something in pfSense Plus 26.03 on FreeBSD 16.0-CURRENT appears to leave a stale or freed BPF descriptor that gets dereferenced during normal packet processing.

      Workaround:

      Disabling Suricata on the affected interfaces appears to be the only current mitigation, which I really don't want to do, as I have open ports that get poked at on a regular basis. No System Patches are available yet to address this.

      If you're running Suricata on VLAN sub-interfaces of an ixgbe (82599ES/X520/X550) card on 26.03 and seeing unexpected reboots, please chime in — especially if your crash reporter shows a page fault. The more people who can confirm this, the faster it's likely to get addressed.

      Full technical details, crash backtraces, and register dumps are in the Redmine ticket: https://redmine.pfsense.org/issues/16828

      • mouseskowitz

        It looks like this is being worked on in https://redmine.pfsense.org/issues/16790 and a fix may be in 26.03.1.

        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.