OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: yeraycito on December 19, 2023, 06:27:51 PM

Title: Suricata in WAN does not work with PPPoE
Post by: yeraycito on December 19, 2023, 06:27:51 PM
So far I had Suricata working correctly on WAN, but I have changed internet provider and now use PPPoE. I have created the corresponding PPPoE VLAN assigned to WAN and I have configured the WAN interface for PPPoE with user and password. In interface assignments I have assigned the PPPoE VLAN created earlier to WAN. With this configuration I have access to the internet without any problems. The problem is that Suricata on WAN does not work even if I enter the WAN IP that I have been assigned, something that worked perfectly before. By "does not work" I mean that it does not block anything at all; it is as if it did not recognise the interface. For it to recognise it, in interface assignments I have to put WAN on igb xxxxxx and create a new virtual interface for PPPoE.

Title: Re: Suricata in WAN does not work with PPPoE
Post by: doktornotor on December 20, 2023, 11:31:47 AM
IPS (netmap) won't work - https://forum.opnsense.org/index.php?topic=33012.0
IDS needs "promiscuous" enabled.

Title: Re: Suricata in WAN does not work with PPPoE
Post by: JL on January 16, 2024, 05:58:28 PM
Check my post here (both IPS and IDS are working now):

https://forum.opnsense.org/index.php?topic=38140.0

The main issue behind Suricata failing or not failing is MTU inconsistencies.

There's a typical overhead (8 bytes for Windows / 22 bytes for Linux) to consider, but bridges and PPP also add overhead.

So, if you start with the default MTU of 1500 (1518) or have jumbo frames (<=9000 MTU), this will have a great effect.

I can say with confidence this approach works. Suricata has now been up 100% of the time for 24 hours.