OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: XeroX on August 04, 2022, 06:50:21 pm

Title: [22.7] Suricata does not work anymore including VLANs
Post by: XeroX on August 04, 2022, 06:50:21 pm
Hello,
I'm facing the following problem with Suricata with 22.7. Hardware offloading is off. I set VLAN Filtering to "Leave Default" prior to the update.

Interfaces:
WAN = PPPoE on igb0
MODEMACCESS = igb0
LAN = igb1
VLAN1, VLAN2 = Child of igb1

Suricata is configured in Promiscuous and IPS Mode on LAN and MODEMACCESS, as those are the physical interfaces. LAN because I want to see which machines may be compromised and communicating to the internet. However, it worked flawlessly with 22.1.

After the update, VLANs are not reachable when Suricata is running. No settings changed.


Code:
Stats for 'igb0':  pkts: 78997, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 84275, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1':  pkts: 102971, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1^':  pkts: 107821, drop: 0 (0.00%), invalid chksum: 0


Switching to MODEMACCESS only seems to work, but it doesn't. The emerging_user_agents ruleset is enabled and added to the Policy. But # curl -A "BlackSun" www.google.com results in nothing, although it should be blocked. It does work when adding LAN again, BUT VLANs stop working. In general I question the use of IPS on WAN interface?!

Code:
Stats for 'igb0':  pkts: 3342, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 4858, drop: 0 (0.00%), invalid chksum: 0

Any advice? I can live with no IPS on LAN, but it does not work on the WAN physical interface. This renders IPS pretty useless for me.

I downgraded to 6.0.5 as well without improvement.

Is this related to the merge of EM and IGB Driver in 13.1?

https://www.freebsd.org/cgi/man.cgi?query=em&apropos=0&sektion=4&manpath=FreeBSD+13.1-RELEASE+and+Ports&arch=default&format=html
https://www.freebsd.org/cgi/man.cgi?query=netmap