Hello,
I am running OPNsense 25.10.1_2 (Business) as a virtual machine (KVM/Proxmox) and am experiencing a reproducible issue with Suricata IPS in combination with Insight (flowd_aggregate).
Setup (simplified)
- OPNsense running as a VM in Proxmox (9.1)
- Multiple WAN interfaces (Multi-WAN setup)
- Suricata enabled (for WAN interfaces only)
- Insight / Traffic graphs enabled
Observed behavior
- With Suricata disabled → Insight and traffic graphs work normally.
- With IPS enabled + Promiscuous mode OFF → Insight works.
- With IPS enabled + Promiscuous mode ON →
  - Traffic graphs stop updating after ~1 minute
  - Insight data disappears
  - flowd_aggregate fails to start
I see that flowd_aggregate service does not start with:
"WARNING: failed to start flowd_aggregate
Unable to lock on the pidfile"
Is this a known limitation of Suricata IPS + Promiscuous mode on Multi-WAN, especially in virtualized environments?
Is there an official recommendation or roadmap regarding Insight compatibility with netmap/IPS in such setups?
Thanks in advance for any clarification or confirmation.
*update*
Looks like it has something to do with the queues setting on the configured VM interfaces in Proxmox. Still investigating...