[solved][how-to-fix] OPNSense with Suricata IPS service failure crash
Author: JL, on January 15, 2024, 11:30:41 pm
Please like or leave a comment if this post is helpful or you have more questions.
This how-to-fix post is to inform people on how Suricata crashes with OPNSense on Proxmox (any version) can be remediated. The advice here may not be suitable for production environments; I trust you know this already.
Context
The VM hardware has the Q35 chipset and uses virtio network interfaces.
The OPNSense host has qemu-guest-agent installed.
Indicator
(console output)
Jan 28 12:39:45 opnsense kernel: 385.664273 [2197] netmap_buf_size_validate error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG
Assumption
This indicates an MTU inconsistency when the MTU is set >1500 on the bridge and this is 'broken' between the bridge and the IPS. To my understanding, the network interfaces available on Proxmox are well supported by OPNSense.
For non-virtualised systems the issue may be the same. Check the MTU of the network and match it on the physical interfaces. Consider subtracting 22 from the MTU for compatibility.
It is recommended to check whether the MTU on the bridge is >1500.
Configure: within Proxmox
Check and set the MTU of the VM-hardware network interface(s) to 1 so that they adopt the MTU of the connected network.
You can consider decreasing the MTU by 22 (referred to below as PMTU).
Configure: within OPNSense
[for Suricata] Under the 'advanced' section of the IPS service: check and/or clear the default packet size (MTU) setting.
Setting the MTU here can affect detection reliability and 'drop' or 'conflate' frames on inspection; consider setting MTU-22.
[for Interfaces] Check and/or clear the MTU settings for the monitored interfaces, OR (recommended) set the PMTU as the value.
Important: know that non-enterprise network cards may not support 'real' jumbo frames, which permit an MTU >1500.
Look up the specifications for the network interface cards (NIC) and do not set the MTU higher than the hardware supports, even if the MTU on the connecting switch is set to a much higher value.
[for SYSTEM: SETTINGS: TUNABLES] Manually create the key dev.netmap.bufsize with value = <PMTU value>.
This works around issues with some NICs where the MTU is not working well, so hard-set it here with this key.
Configure: optionally for OPNSense
[for SYSTEM: SETTINGS: TUNABLES] Manually create the key dev.netmap.admode with value = 1. This avoids flapping between native and emulation state for the network interface.
[for Suricata] You can try setting MTU-22 as the size for stability.
Considerations
When the MTU value for an interface is cleared, it defaults to 1500.
Consider that this may severely impact IPS performance and/or accuracy.
Resources
https://docs.opnsense.org/manual/ips.html
https://man.freebsd.org/cgi/man.cgi...eBSD+12.1-RELEASE+and+Ports#SUPPORTED_DEVICES
https://man.freebsd.org/cgi/man.cgi?vtnet
« Last Edit: January 27, 2024, 10:07:54 pm by JL »
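The procedure in the post above, turned into a small checker. This is an added example and not code from the post or from OPNsense/Proxmox: it extracts the MTU and interface from the netmap_buf_size_validate kernel line, mirrors the rule that function enforces for drivers without NS_MOREFRAG (the interface MTU must fit in one netmap buffer, which defaults to 2048 bytes), computes the post's PMTU (MTU minus 22), and prints the settings the steps lead to. The log line is the one quoted in the post, embedded here as constructed sample input. `<vmid>`, `net0` and `vmbr0` are placeholders for your own VM, NIC slot and bridge. The netmap(4) man page spells the buffer tunable `dev.netmap.buf_size` (with an underscore), which is what the example prints; the post writes it without one, so check the name with `sysctl -a | grep netmap` on your own box before creating the tunable.

```shell
#!/bin/sh
# Added example: diagnose the "large MTU (N) needed but X does not support
# NS_MOREFRAG" condition and derive the post's MTU/PMTU/tunable values.

# Constructed sample: the kernel line quoted in the post.
SAMPLE_LOG='Jan 28 12:39:45 opnsense kernel: 385.664273 [2197] netmap_buf_size_validate error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG'

# Default netmap packet buffer size (dev.netmap.buf_size) in bytes.
NETMAP_DEFAULT_BUF=2048

# MTU that netmap reports it needs for the interface, e.g. 8192.
netmap_required_mtu() {
    printf '%s\n' "$1" | sed -n 's/.*large MTU (\([0-9][0-9]*\)) needed.*/\1/p'
}

# Interface netmap refused to attach, e.g. igb1.
netmap_failing_iface() {
    printf '%s\n' "$1" | sed -n 's/.*needed but \([^ ]*\) does not support NS_MOREFRAG.*/\1/p'
}

# The post's PMTU: network MTU minus 22 bytes of headroom.
pmtu_of() {
    echo $(( $1 - 22 ))
}

# Mirror of the kernel check for drivers without NS_MOREFRAG:
# exit 0 when the frame fits (mtu <= buf_size), exit 1 when netmap would refuse.
netmap_would_accept() {
    [ "$1" -le "$2" ]
}

# Smallest dev.netmap.buf_size that lets the given interface MTU pass the check.
min_buf_size_for_mtu() {
    if [ "$1" -gt "$NETMAP_DEFAULT_BUF" ]; then echo "$1"; else echo "$NETMAP_DEFAULT_BUF"; fi
}

# Settings the post's steps lead to for a given network MTU.
# <vmid>, net0 and vmbr0 are placeholders (assumption): substitute your own.
print_plan() {
    pmtu=$(pmtu_of "$1")
    echo "# Proxmox: let the VM NIC inherit the bridge MTU (mtu=1)"
    echo "qm set <vmid> --net0 virtio,bridge=vmbr0,mtu=1"
    echo "# OPNsense: monitored interfaces and Suricata default packet size = $pmtu"
    echo "# OPNsense tunables (System: Settings: Tunables):"
    echo "dev.netmap.buf_size=$pmtu"
    echo "dev.netmap.admode=1"
}

main() {
    mtu=$(netmap_required_mtu "$SAMPLE_LOG")
    ifc=$(netmap_failing_iface "$SAMPLE_LOG")
    echo "netmap wants MTU $mtu on $ifc; buffer is $NETMAP_DEFAULT_BUF bytes"
    if netmap_would_accept "$mtu" "$NETMAP_DEFAULT_BUF"; then
        echo "frame fits; no change needed"
    else
        echo "frame does not fit; minimum dev.netmap.buf_size would be $(min_buf_size_for_mtu "$mtu")"
        print_plan "$mtu"
    fi
}
main
```

Run it as-is to see the plan for the sample line; to diagnose your own host, replace SAMPLE_LOG with the line from `dmesg` and compare the printed buffer size with `sysctl dev.netmap.buf_size`. With the post's approach (interfaces, Suricata and the buffer all set to the same PMTU) the check in netmap_would_accept passes by construction.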