I'm currently deploying OPNsense in transparent bridge mode between a Mikrotik router (as trunk port) and a Palo Alto firewall (L3), with Suricata enabled for IDS/IPS. Everything works fine in IDS mode, but I encounter major issues when enabling IPS mode.
System Configuration
· Device model: PowerEdge R750
· OPNsense version: OPNsense 25.1.11-amd64
· FreeBSD 14.2-RELEASE-p4
· OpenSSL 3.0.17
· Suricata: Latest package from UI
· Mode: Transparent bridge (bridge0) inspecting trunked VLANs
· Interfaces: Only bridge0 selected for Suricata
· Pattern Matcher: Hyperscan
· Hardware: 80 cores, 2048 GB RAM, 8 Broadcom NICs
  · Intel(R) Xeon(R) Platinum 8380 CPU @ 2.30GHz (80 cores, 160 threads)
  · Broadcom Gigabit Ethernet BCM5720
  · Broadcom Adv. Dual 25Gb Ethernet
  · Broadcom Adv. Dual 25Gb Ethernet
  · Broadcom Adv. Dual 25Gb Ethernet
· Filesystem: ZFS (ARC limited via vfs.zfs.arc_max loader tunable)
What Works
· IDS mode runs normally, logs alerts, no packet loss
· Netmap bindings pass correctly
· Bridge is transparent and VLANs reach the firewall
Problems in IPS Mode
1. All outbound traffic is blocked when IPS is enabled, even with all rules set to Alert.
2. Netmap startup errors before ARC tuning: netmap:bridge0/R failed: Cannot allocate memory
3. Flowbit dependency warnings, e.g., flowbit 'ET.BunnyLoader.Checkin' is checked but not set
4. Suricata rule parsing errors, e.g., content:"|5C 5C 0A 5C 5C 0A ...
5. Queue exhaustion runtime errors: Just ran out of space in the queue. Please file a bug report on this
6. Suricata starts but silently drops traffic, even with no DROP rules applied
What I've Tried So Far
· Limited ARC cache via loader tunable (vfs.zfs.arc_max=1073741824)
· Disabled all non-critical rule categories (e.g., shellcode, voip, inappropriate)
· Disabled firewall filtering (this caused deny by the default rules)
· Forced all rules to Alert via policy with priority 1
· Reduced dev.netmap.buf_num to 65536
· Confirmed Suricata binds only to bridge0 in IPS mode
· Disabled ClamAV, Zenarmor, and background services
· Installed swap file to ensure system has headroom
· Used Hyperscan as pattern matcher where supported
Assistance Requested
Is there a known bug or limitation when using Suricata IPS in bridge mode with VLAN trunks on OPNsense?
Are there specific driver/kernel or netmap constraints I should consider?
How can I debug or trace netmap drops in more detail?
Can you confirm whether this is a Suricata limitation, a netmap issue, or policy misbehavior?
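One concrete way to answer the "how can I trace netmap drops in more detail" question is to read what Suricata itself reports rather than guessing from the bridge: the eve.json stats records carry cumulative capture counters, and suricata.log carries the netmap allocation, queue-exhaustion and flowbit messages quoted in the post. The script below is an added example, not part of the original post or an OPNsense/Suricata tool. It assumes the eve stats layout stats.capture.kernel_packets / stats.capture.kernel_drops (check against your own eve.json, since field names vary by capture method and version) and uses constructed sample records that echo the log messages from the post.

```python
"""Summarise Suricata capture drops per stats interval and count known IPS-mode errors.

Added example (not from the post). Assumptions are flagged in comments.
"""
import json
import re
from collections import Counter

# Constructed eve.json excerpt (one JSON object per line). The "stats" layout
# (capture.kernel_packets / capture.kernel_drops) is an assumption about the
# Suricata eve schema; verify it against your deployment before relying on it.
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2025-07-01T10:00:00+0000", "event_type": "stats",
                "stats": {"uptime": 8, "capture": {"kernel_packets": 10000, "kernel_drops": 0}}}),
    json.dumps({"timestamp": "2025-07-01T10:00:04+0000", "event_type": "alert",
                "src_ip": "192.0.2.10", "alert": {"signature": "constructed test alert"}}),
    json.dumps({"timestamp": "2025-07-01T10:00:08+0000", "event_type": "stats",
                "stats": {"uptime": 16, "capture": {"kernel_packets": 25000, "kernel_drops": 3000}}}),
    json.dumps({"timestamp": "2025-07-01T10:00:16+0000", "event_type": "stats",
                "stats": {"uptime": 24, "capture": {"kernel_packets": 40000, "kernel_drops": 15000}}}),
])

# Constructed suricata.log excerpt built from the messages quoted in the post.
SAMPLE_LOG = """\
[1234] Notice: suricata: Suricata RUNNING on bridge0 (constructed line)
[1234] Error: netmap: netmap:bridge0/R failed: Cannot allocate memory
[1234] Warning: detect: flowbit 'ET.BunnyLoader.Checkin' is checked but not set
[1235] Error: tmqh: Just ran out of space in the queue. Please file a bug report on this
[1235] Error: tmqh: Just ran out of space in the queue. Please file a bug report on this
"""

# Patterns for the error classes named in the post; keys are labels I chose.
KNOWN_ERRORS = [
    ("netmap_alloc", re.compile(r"netmap:\S+ failed: Cannot allocate memory")),
    ("queue_exhausted", re.compile(r"Just ran out of space in the queue")),
    ("flowbit_unset", re.compile(r"flowbit '[^']+' is checked but not set")),
]


def parse_stats(eve_text):
    """Return [(timestamp, kernel_packets, kernel_drops), ...] from eve 'stats' events.

    Non-stats events and unparsable lines are skipped; counters are cumulative.
    """
    samples = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not abort the scan
        if ev.get("event_type") != "stats":
            continue
        cap = ev.get("stats", {}).get("capture", {})
        samples.append((ev.get("timestamp"),
                        int(cap.get("kernel_packets", 0)),
                        int(cap.get("kernel_drops", 0))))
    return samples


def drop_deltas(samples, warn_pct=1.0):
    """Convert cumulative counters into per-interval packets, drops and drop percentage.

    'alarm' is set when the interval's drop share reaches warn_pct; a sustained
    non-zero share while IDS mode showed none points at the inline (netmap) path.
    """
    out = []
    for (t0, p0, d0), (t1, p1, d1) in zip(samples, samples[1:]):
        pkts, drops = p1 - p0, d1 - d0
        pct = round(100.0 * drops / pkts, 2) if pkts > 0 else 0.0
        out.append({"from": t0, "to": t1, "packets": pkts, "drops": drops,
                    "drop_pct": pct, "alarm": pct >= warn_pct})
    return out


def scan_log(log_text):
    """Count occurrences of each known error class in suricata.log text."""
    hits = Counter()
    for line in log_text.splitlines():
        for name, rx in KNOWN_ERRORS:
            if rx.search(line):
                hits[name] += 1
    return dict(hits)


if __name__ == "__main__":
    # Replace the samples with open("/var/log/suricata/eve.json").read() etc. on the box.
    for row in drop_deltas(parse_stats(SAMPLE_EVE)):
        flag = "DROPS" if row["alarm"] else "ok"
        print(f"{row['from']} -> {row['to']}: {row['packets']} pkts, "
              f"{row['drops']} drops ({row['drop_pct']}%) {flag}")
    print("log error classes:", scan_log(SAMPLE_LOG))
```

Run it once against a healthy IDS-mode capture and once after switching to IPS; a netmap allocation failure in the log combined with a drop share that climbs interval over interval isolates the problem to the capture path rather than to rule policy, while a clean capture with traffic still blocked points back at policy or bridge handling.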