Hello everyone,
Running OPNsense 26.1.5 as a Proxmox VM with virtio network interfaces. Suricata Divert (IPS) mode generates zero traffic inspection despite active network traffic and correctly configured firewall rules.
Configuration:
OPNsense 26.1.5, Proxmox 8.x, virtio NICs (vtnet0/vtnet1)
All hardware offloading disabled
Divert-to firewall rule created in new GUI on WAN interface
ipfw_load="YES" and ipdivert_load="YES" in /boot/loader.conf.local
Verified via shell:
sockstat shows 4 divert sockets on port 8000 active
ipfw list shows no divert rules generated
suricata.yaml contains netmap section but no ipfw section regardless of capture mode setting
Root cause identified:
The template /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml does not generate an ipfw section when Divert mode is selected. Suricata opens divert sockets correctly but ipfw never receives rules to divert traffic because pf processes all traffic before ipfw on this configuration.
Workaround: PCAP live mode (IDS) works correctly.
Has anyone solved this on a VM environment? Is there a known working configuration for Divert mode on Proxmox virtio?
> Root cause identified:
Well, the root cause is that the analysis is based on the fact that divert rules are in ipfw, but they are in pf:
> Divert-to firewall rule created in new GUI on WAN interface
;)
Cheers,
Franco
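A quick consistency check that follows Franco's point (the divert rule lives in pf, not ipfw), added here as an example script and not taken from the thread: it parses `sockstat -l` for the divert sockets Suricata opened and `pfctl -sr` for the divert-to rules pf actually loaded, then reports whether the ports agree. The column layouts of both commands' output are assumed, and the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: cross-check the port on which
# Suricata's divert sockets listen (sockstat) against the divert-to rules
# loaded in pf (pfctl -sr). Both parsers read command output from stdin,
# so they run on the constructed samples here and on a live firewall.

# Constructed sample of `sockstat -l` on FreeBSD (assumed layout): the PROTO
# column reads div4/div6 for divert sockets, LOCAL ADDRESS carries the port.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     suricata   1234  7  div4   *:8000         *:*
root     suricata   1234  8  div4   *:8000         *:*
root     sshd       880   4  tcp4   *:22           *:*'

# Constructed `pfctl -sr` sample with a divert-to rule on the WAN interface.
SAMPLE_PFCTL_OK='pass in quick on vtnet1 inet all flags S/SA divert-to 127.0.0.1 port 8000 label "IDS divert"
pass out all flags S/SA keep state'

# Constructed sample in which no divert-to rule made it into pf at all.
SAMPLE_PFCTL_NONE='pass in quick on vtnet1 inet all flags S/SA keep state
pass out all flags S/SA keep state'

# Ports of all divert sockets (rows whose PROTO column starts with "div").
divert_socket_ports() {
  awk '$5 ~ /^div/ { sub(/^.*:/, "", $6); print $6 }' | sort -u
}

# Ports named by pf divert-to rules; accepts both "divert-to port N" and
# "divert-to HOST port N" spellings by taking the "port" token after divert-to.
pf_divert_ports() {
  awk '/divert-to/ { for (i = 1; i <= NF; i++) if ($i == "divert-to") for (j = i + 1; j <= NF; j++) if ($j == "port") { print $(j + 1); next } }' | sort -u
}

# Returns 0 when every pf divert-to port has a listening divert socket, 1 otherwise.
check_divert() {
  sock_ports=$(printf '%s\n' "$1" | divert_socket_ports)
  rule_ports=$(printf '%s\n' "$2" | pf_divert_ports)
  if [ -z "$rule_ports" ]; then
    echo "FAIL: no divert-to rule is loaded in pf (look at pfctl -sr, not ipfw list)"
    return 1
  fi
  for p in $rule_ports; do
    if ! printf '%s\n' "$sock_ports" | grep -qx "$p"; then
      echo "FAIL: pf diverts to port $p but no divert socket listens there"
      return 1
    fi
  done
  echo "OK: divert-to port(s)" $rule_ports "have listening divert sockets"
}
```

On the firewall itself, run `check_divert "$(sockstat -l)" "$(pfctl -sr)"` instead of passing the samples.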