OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: aimdev on January 31, 2022, 12:44:15 pm

Title: Issue with Suricata and interface
Post by: aimdev on January 31, 2022, 12:44:15 pm
Started suricata in ids mode, interface em0 wan.

On the console (direct connection) got a lot of
arpresolver: cannot allocate llinfo for xxx.xxx.xxx.xxx on em0
link state went down then up twice before I disabled suricata.

Messages were not found in gui syslog, despite the syslog option enabled in suricata administration.

NICs on the system are Intel.
Hardware options CRC/TSO/LRO are not disabled (i.e. enabled).
Title: Re: Issue with Suricata and interface
Post by: franco on January 31, 2022, 01:49:45 pm
Normally cryptic "arpresolver: cannot allocate llinfo for xxx.xxx.xxx.xxx on em0" means your gateway lies outside the subnet of your assigned address on em0. Doesn't have anything to do with IDS.


Cheers,
Franco
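
As an added illustration (not part of any forum post, and not OPNsense code): a Python sketch that checks the condition franco describes, whether the gateway lies inside the subnet of the address on em0, and also reports the promiscuous flag and hardware offload options mentioned in the thread. The `ifconfig` text and the 192.0.2.0/24 addresses are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of FreeBSD `ifconfig em0` output (documentation addresses).
SAMPLE_IFCONFIG = """\
em0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
\toptions=481249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,WOL_MAGIC>
\tether 00:00:5e:00:53:01
\tinet 192.0.2.64 netmask 0xffffff00 broadcast 192.0.2.255
\tstatus: active
"""

# Capability names FreeBSD ifconfig prints for checksum/segmentation offload.
OFFLOADS = {"RXCSUM", "TXCSUM", "TSO4", "TSO6", "LRO"}

def parse_ifconfig(text):
    """Return flags, options and IPv4 interfaces from one interface stanza."""
    def caps(key):
        m = re.search(rf"{key}=[0-9a-f]+<([^>]*)>", text)
        return set(m.group(1).split(",")) if m else set()
    nets = []
    for addr, mask in re.findall(r"inet (\S+) netmask (0x[0-9a-f]{8})", text):
        # FreeBSD prints the netmask as hex; convert it to a prefix length.
        prefix = bin(int(mask, 16)).count("1")
        nets.append(ipaddress.ip_interface(f"{addr}/{prefix}"))
    return {"flags": caps("flags"), "options": caps("options"), "inet": nets}

def diagnose(ifconfig_text, gateway):
    """Check the on-link gateway condition and report capture-related state."""
    info = parse_ifconfig(ifconfig_text)
    gw = ipaddress.ip_address(gateway)
    return {
        "gateway_on_link": any(gw in i.network for i in info["inet"]),
        "promiscuous": "PROMISC" in info["flags"],
        "offloads_enabled": sorted(info["options"] & OFFLOADS),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_IFCONFIG, "192.0.2.1"))     # gateway inside the /24
    print(diagnose(SAMPLE_IFCONFIG, "198.51.100.1"))  # gateway outside it
```
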
Title: Re: Issue with Suricata and interface
Post by: aimdev on January 31, 2022, 04:10:55 pm
The gateway is on xxx.xxx.0.1, opnsense uses dhcp, with a locked address of xxx.xxx.0.64.
The mask is 255.255.255.0/24 (as set in the upstream device).
There are no errors when suricata is disabled.

One other factor is that em0 is placed into promiscuous mode when suricata is enabled; I assume this is normal.
This issue may have been present in earlier versions; however, as the console is not connected to opnsense on a regular basis, only during upgrades, it would have been missed.
Also, the missing logs are a bit of a concern, though I am happy to be corrected if I have missed something.
Title: Re: Issue with Suricata and interface
Post by: orzechszek on May 12, 2022, 09:19:48 pm
Hi,

I have such an issue on 22.1.7_1
Updated from version 21.7.8

When suricata is activated, "link state changed to down/up" and "arpresolver: cannot allocate llinfo for xxx.xxx.xxx.xxx on em0" are constantly occurring; it's not a problem.
But the strangest thing - the router became unstable, the GUI inaccessible because the computer is losing its wifi connection when intrusion detection is enabled.
Everything disappears when suricata is disabled.
Is it possible that IDS causes such problems?
Title: Re: Issue with Suricata and interface
Post by: franco on May 13, 2022, 07:58:02 am
Might be a driver issue with MAC spoofing as suggested by others.


Cheers,
Franco
Title: Re: Issue with Suricata and interface
Post by: orzechszek on July 06, 2022, 10:39:47 pm
Hi,

Is this issue solved?
Title: Re: Issue with Suricata and interface
Post by: crissi on July 07, 2022, 03:32:00 pm
Hi,

Updated to 22.1.9 today, have standard Intel I211 interfaces in my box, and have this issue still as well...

Would also be interested how to get this solved???