Hello,
I am running OPNsense 25.10.1_2 (Business) as a virtual machine (KVM/Proxmox) and am experiencing a reproducible issue with Suricata IPS in combination with Insight (flowd_aggregate).
Setup (simplified)- OPNsense running as a VM in ProxMox (9.1)
- Multiple WAN interfaces (Multi-WAN setup)
- Suricata enabled (for WAN interfaces only)
- Insight / Traffic graphs enabled
Observed behavior- With Suricata disabled → Insight and traffic graphs work normally.
- With IPS enabled + Promiscuous mode OFF → Insight works.
- With IPS enabled + Promiscuous mode ON →
Traffic graphs stop updating after ~1 minute
Insight data disappears
flowd_aggregate fails to start
I see that flowd_aggregate service does not start with:
"WARNING: failed to start flowd_aggregate
Unable to lock on the pidfile"
Is this a known limitation of Suricata IPS + Promiscuous mode on Multi-WAN, especially in virtualized environments?
Is there an official recommendation or roadmap regarding Insight compatibility with netmap/IPS in such setups?Thanks in advance for any clarification or confirmation
*update*
Looks like it has something to do with the queues setting on the configured VM interfaces in ProxMox. Still investigating...
ended up, having all WAN (1G) ports at queues=1 and all LAN (10G) ports at queues=2. I guess LAN ports could be set to 4 or 8, I just currently have no time for deeper tests and performance seems to be the same as before.
It made all working again. Especially having WAN ports at 4 I also had weird issues with gateway groups. Doesn't matter if load balancing or failover mode, there were connection issues (instable) to SSH targets.