Hello community,
I run opnsense [24.7.2] on Protectli Vault Pro VP2420 + zenarmor and have a very strange issue when I activate suricata IPS. Once activated it runs for a few seconds and then service crashes with the error below. IDS works fine, this happens only when I activate IPS mode.
Error suricata [104135] <Error> -- opening devname netmap:igc1-0/R@conf:host-rings=4 failed: Device busy
What I did so far to troubleshoot was to disable all hardware offloading incl. CRC, TSO & LRO, but that only broke the connectivity: access to the UI and the internet was gone.
The interfaces I want to activate IPS on are VLAN interfaces and the physical WAN interface.
Any help with getting this to work is appreciated!
Thanks,
N
With any HW offloading, it will NOT work. Deactivating that properly requires a reboot.
Deactivating HW offload and rebooting breaks the connectivity to internet and UI. I needed to log in physically to the firewall and stop the suricata service in order to access the UI again.
Uhm, no, it does not break any internet. You cannot use IPS with HW acceleration for reasons mentioned in the documentation (the netmap driver you can see in the error message you posted) - and that is the end of the story.
Quote from: klaxzygen on August 28, 2024, 07:24:59 PM
Deactivating HW offload and rebooting breaks the connectivity to internet and UI. I needed to log in physically to the firewall and stop the suricata service in order to access the UI again.
My 2 cents (of a newbie going through the same problems for the past few days)
Seems that you have two problems, but you should be working on just one:
- Since you can't have HW offloading (CRC, TSO & LRO) and IPS (and even IDS on some mat'l), you have no choice but to keep them checked (disabled)
=> You should first work on that part: why is it breaking your connection?
- Then start IDS, then start IPS
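A quick check for the first step in that list, added here as an example and not posted by anyone in the thread: it parses the `options=<...>` line that FreeBSD/OPNsense `ifconfig` prints for an interface and lists which hardware offload flags (checksum, TSO, LRO) are still enabled, so you can confirm after the reboot that the interface is actually clean before Suricata tries to open it in netmap mode. The interface name `igc1` and both sample `ifconfig` dumps are constructed for the example; on the firewall you would feed it the real output with `enabled_offloads "$(ifconfig igc1)"`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD/OPNsense ifconfig output,
# where enabled options appear as "options=<hex><FLAG,FLAG,...>".

# Offload flags that must be off for Suricata's netmap mode; checksum offload
# is what the OPNsense UI calls "CRC".
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO"

# Print every offload flag still enabled in the ifconfig dump given as $1,
# one per line. Prints nothing when the interface is clean.
enabled_offloads() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | while read -r flag; do
            for f in $OFFLOAD_FLAGS; do
                [ "$flag" = "$f" ] && echo "$flag"
            done
        done
}

# Number of enabled offload flags; 0 means the interface is ready for IPS.
count_enabled_offloads() {
    enabled_offloads "$1" | wc -l | tr -d ' '
}

# Constructed sample: an igc interface with offloading still active.
SAMPLE_BUSY='igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS>
        ether 00:00:00:00:00:01'

# Constructed sample: the same interface after CRC/TSO/LRO were disabled and the box rebooted.
SAMPLE_CLEAN='igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e520bb<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,HWSTATS>
        ether 00:00:00:00:00:01'

# Stand-alone run: report on both constructed samples.
echo "busy interface still has:"; enabled_offloads "$SAMPLE_BUSY"
echo "clean interface count: $(count_enabled_offloads "$SAMPLE_CLEAN")"
```

If the count is not 0 after a reboot, the offload setting has not actually taken effect on that interface (or on the parent of the VLAN), which is the part to fix before touching IDS or IPS.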