Suricata V3.0 Inline Mode
-
Bill:
Thanks very much for the assistance! I have the Suricata V3.0 Inline now operational. The example syntax was very helpful. One issue I did note. The drop rules that show in the alert section (tab) are not show in red. I checked the log and they were indeed blocked.
Best Regards,
Howard
-
Bill:
Thanks very much for the assistance! I have the Suricata V3.0 Inline now operational. The example syntax was very helpful. One issue I did note. The drop rules that show in the alert section (tab) are not show in red. I checked the log and they were indeed blocked.
Best Regards,
Howard
Do you have more than one interface configured? If so, remember to select the correct interface when viewing the alerts. The dropped traffic should be showing in red and the text of the alert in the alerts.log file will start with "drop". Were you looking in the alerts.log when you saw the dropped traffic?
Bill
-
Bill:
Suricata V3.0 is now working fine. I now see the blocked alerts showing in red. I am going to just let it run with this snap-shot of Pfsense 2.3 and see how it working over a period of time.
Best Regards,
Howard
-
Bill:
Suricata V3.0 is now working fine. I now see the blocked alerts showing in red. I am going to just let it run with this snap-shot of Pfsense 2.3 and see how it working over a period of time.
Best Regards,
Howard
Great! Glad everything is working. There are still a few things I plan on improving.
Bill
-
Bill:
An update with respect to a strange issue. I am using the traffic shaper with CODEL to minimize buffer bloat. It worked fine with Pfsense2.2.6. However Pfsense 2.3 and Suricata Inline seem to be a problem. First, If I removed the traffic shaper when running Suricata V3.0 Inline the box locks up and will not pass traffic. I looked at the error messages and they were related to Netmap. I rebooted the box and all was well. I then reconfigured the traffic shaper on the wan and lan with CODEL. A test for buffer bloat showed poor results, i.e. buffer bloat. Then I rebooted the box and it is now working ok with the traffic shaper. I seem that Netmap and the traffic shaper interact. I have it working now be it was strange. Have you seen this before?
Regards,
Howard
-
Bill:
Further testing with the traffic shaper. It works with Suricata in the Legacy Mode but does not in the Inline Mode. Must be some interaction with Netmap ???
Regards,
Howard
-
Theres one test I would do also, is to run suricata inline with absolutely no rules, disable all categorie/rules.
F.
-
I removed all the rules from Suricata V3.0 running in the Inline Mode and the traffic shaper still does not function correctly. There must be some interaction between Suricata Inline Mode and the Pfsense 2.3 traffic shaper with CODEL used for bufferbloat reduction.
-
Further information:
When I change back from Inline Mode to Legacy Mode the box must be reboot for the traffic shaper to work correctly.
-
I see other issues posted over in the 2.3-BETA sub-forum with the Traffic Shaper. It is likely the shaper and Netmap do not currently play well together. I will have to refer that one to the pfSense developers. Would you mind opening a Redmine bug report for this issue? Just explain what happens with Inline mode and the traffic shaper.
Bill
-
Bill:
I just wrote a short note for redmine bugtracker report describing the problem.
Best Regards,
Howard
-
I see other issues posted over in the 2.3-BETA sub-forum with the Traffic Shaper. It is likely the shaper and Netmap do not currently play well together. I will have to refer that one to the pfSense developers. Would you mind opening a Redmine bug report for this issue? Just explain what happens with Inline mode and the traffic shaper.
Bill
This is now the show stopper for me to use Suricata v3 inline mode, one of the main reason to upgrade to pfSense 2.3. Any timeline to fix it? I'm waiting it to be fixed to upgrade to pfSense 2.3
-
This is now the show stopper for me to use Suricata v3 inline mode, one of the main reason to upgrade to pfSense 2.3. Any timeline to fix it? I'm waiting it to be fixed to upgrade to pfSense 2.3
I see the bug report has been assigned to one of the pfSense kernel developers. Here is the redmine link: https://redmine.pfsense.org/issues/6023
Bill
-
I am trying inline now. I think Netmap is supported as I see the interfaces using the emX driver.
However on following the above instructions I have full loss of internet connectivity.
-
Ok the likely problem is Netmap.
-
Ok the likely problem is Netmap.
Yes, Netmap and some NIC drivers are misbehaving badly in the kernel at the moment. There are threads in the INSTALL and UPGRADES forum and elsewhere about it. It seems to depend on your exact NIC as to whether or not you have issues. Some folks immediately lose connectivity, for others is takes hours or a few days, and some seem to have no problems.
I believe the pfSense developer team is looking into the Netmap issues. It is probably not a pfSense thing and is instead either an upstream bug in Netmap or FreeBSD.
Bill
-
I look forward to the issue fixed and enableing inline mode in my production environment.
Thanks pfSense developer team and Bill.
-
Was this issue fixed in 2.3.1?
-
or 2.3.2?
-
It works perfectly ;D !!!!!!!
Thanx ! Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !