Messages - danderson

#1
Hardware is https://protectli.com/product/v1410/

It's my home FW, so on a gig pipe it's probably 10m sustained over 24 hrs, and all my traffic flows through Suricata.

Quote from: franco on October 13, 2025, 11:17:15 AM
@danderson, just to be sure: what hardware are you using and how much traffic are you pushing on average through Suricata?


Cheers,
Franco
#2
Increasing the buffer size for netmap appears to have resolved the issue I was having:

dev.netmap.buf_size from 4096 to 8192
#3
I just applied it to 2 other FWs that are not using netmap, as VLANs are on the core router/switch, using a different NIC (ice), and no errors or issues: lots of traffic and things showing up in the IPS logs like normal.

So it appears more and more to be a netmap issue.

Quote from: franco on October 10, 2025, 03:06:08 PM
Ok, FWIW, I also used igc and it worked for my WAN, letting packets pass through normally.

I'll try to chase netmap changes on their end to see if something got optimised that should not have.


Thanks,
Franco
#4
Yes, IPS always on in 7.0.12 and no changes in config, just applied the update package and restarted the service. Right now I have it running in IDS and so far so good, that's the only change.

Quote from: franco on October 10, 2025, 03:00:06 PM
Thanks so far... first things first, you can always go back with

# opnsense-revert suricata

About Netmap, it could be that the RAM requirement increased looking at the error, but the question is if you normally use IPS mode and if it works with current 7.0.12?

I think you can ignore the packages messages during install. The zero copy one is a very old note.


Cheers,
Franco

#5
So far IDS is still OK, but I went over the logs from while it was in IPS and things broke; here is what I saw.

Still had plenty of RAM available on OPNsense.

2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00 Error suricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758119] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758138] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758327] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758312] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758183] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758165] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758163] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758325] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758323] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758308] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758313] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758309] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Error suricata[758315] <Error> -- igc1: error reading netmap data via polling: No error: 0
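An added example (not from the thread or from OPNsense/Suricata) that parses log lines in the format posted above and counts netmap poll errors per NIC, ring side and errno text, so the "No buffer space available" (ENOBUFS) lines that the later buf_size change cleared stand out from the "No error: 0" ones. SAMPLE_LOG is a constructed subset of the excerpt; the regex accepts both the fused form the forum export produced and the normal space-separated form.

```python
# Added example (not from the forum thread): summarise Suricata netmap poll
# errors from OPNsense log lines. SAMPLE_LOG is a constructed subset of the
# excerpt posted above; the regex accepts the fused form the forum export
# produced ("...-06:00Errorsuricata[758314]") and the spaced form alike.
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"
    r"\s*(?P<sev>[A-Za-z]+?)\s*suricata\[(?P<pid>\d+)\]\s+<\w+>\s+--\s+"
    r"(?P<iface>\S+?):\s+error reading netmap data via polling:\s+(?P<err>.*)$"
)

SAMPLE_LOG = """\
2025-10-10T06:24:29-06:00Errorsuricata[758314] <Error> -- igc1^: error reading netmap data via polling: No error: 0
2025-10-10T06:24:29-06:00Errorsuricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:24:29-06:00Errorsuricata[758324] <Error> -- igc1^: error reading netmap data via polling: No buffer space available
2025-10-10T06:14:41-06:00 Error suricata[758141] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00Errorsuricata[758119] <Error> -- igc1: error reading netmap data via polling: No error: 0
2025-10-10T06:14:41-06:00 Notice suricata[758119] <Notice> -- unrelated line, must be ignored
"""

def parse_netmap_errors(text):
    """Yield (nic, side, errno_text) per matching line. netmap names the
    host-stack side of a port with a trailing '^', so igc1^ is the host
    ring paired with the igc1 NIC ring."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        iface = m.group("iface")
        side = "host" if iface.endswith("^") else "nic"
        yield iface.rstrip("^"), side, m.group("err").strip()

def summarise(text):
    """Count errors per (nic, ring side, errno text)."""
    return Counter(parse_netmap_errors(text))

def buffer_exhaustion_seen(counts):
    """ENOBUFS ('No buffer space available') on any ring: the symptom that
    raising dev.netmap.buf_size cleared in the thread above."""
    return any(err == "No buffer space available" for (_, _, err) in counts)

if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG)
    for (nic, side, err), n in sorted(counts.items()):
        print(f"{nic} {side:4s} x{n}  {err}")
    if buffer_exhaustion_seen(counts):
        print("netmap buffer exhaustion seen: review dev.netmap.buf_size")
```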
#6
IPS mode gave me an immediate block on all traffic; testing IDS now, so far so good. I am using VLANs and have Promiscuous mode enabled, aka netmap. Unknown why IPS blocked everything, will test over the next few days to see if I can narrow it down. Not the same issue as going from Suricata 6 to 7 with the exception-policy: ignore setting, as the config setting still exists.

I did see in the install notes that many settings need to be added to /etc/rc.conf, and I don't see that file or any rc.conf when searching the system.

Did not TRY yet adding the following in Tunables:
You may want to try BPF in zerocopy mode to test performance improvements:

        sysctl -w net.bpf.zerocopy_enable=1


Quote from: danderson on October 10, 2025, 02:07:43 PM
opnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.

#7
opnsense-revert -z suricata
installed successfully, restarted the service, testing now. Will keep you updated of any issues.


Quote from: franco on October 10, 2025, 08:08:49 AM
Ooops, should have been opnsense-revert. Sorry about that. When you don't use AI to write your stuff...


Cheers,
Franco
#8
root@router:~ # opnsense-update -z suricata
Usage: man opnsense-update

gives me an error and doesn't install on 25.7.5
#9
Also thx to Patrick: the override and then re-apply in the service under qfeeds re-populated the alias with info, as I was also getting the rate limiting error:
exit with HTTPError 429 (Rate limit exceeded. Please try again later.)

Quote from: Patrick M. Hausen on October 08, 2025, 08:31:37 PM
Don't try to get another key - you can activate an override of 5 minutes for your existing one.
#10
I'm open for testing this, I have 3 different firewalls with varying levels and types of traffic.

Quote from: Q-Feeds on October 07, 2025, 03:20:54 PM
The enthusiasm and amount of feedback positively overwhelmed us, thank you so much!
To give an overview of what we did with your feedback this far:

Done this far:
  • Improved the documentation
    • Realigned text and screenshots
    • Improved text
    • Added and updated screenshots for more clarity
  • Added False Positive reporting functionality to the TIP
    • Including tracking and notifications
  • Added possibility to add descriptions with API-token
  • Fixed a lot of bugs:
    • TIP reports page
    • TIP Company details page
    • TIP Account details page
    • Multiple textual improvements
    • Improved color scheme dark/light mode
    • TIP Account details page
    • + some more

Still on the feedback list:
  • Plugin
    • Better error handling rate limit notification
    • Better error handling expired license notice
    • Ability to set refresh rate
    • Ability to set number of IOC limit
    • Add support DNS/URL natively
    • Whitelist functionality
    • Improve reporting on hits
    • Auto deploy floating rules
    • Give the plugin a separate 'security' category in the menu instead of 'services'
    • Integrate TIP functionality with plugin (not likely to happen)
  • Widget:
    • Improve overall look and feel
    • Add stats like top talkers, next update etc.
  • TIP
    • Consider limited amount of lookups for Community version
  • + many many more ;)

We can't promise timelines for all items, but we'll do our best to address as many as possible as soon as we can. This list mainly reflects the feedback we've received so far. It's not a complete overview, there's still a lot more great stuff coming up.

The call for testers is still open and if you have anything to add, let us know!
#11
Can confirm: upgrade to 25.7.1, then opnsense-patch b440c12, resolved the issue for me with all my IPsec tunnels.
#12
Not sure if this only applies to my issue or is larger, but after the update to 25.7.1 all was working well. I went to recycle strongswan, and afterwards the config for all my IPsec tunnels was not reading/showing properly and would not connect. As soon as I reverted back to 25.7 and recycled strongswan again, all appeared correctly and connected. The widget showed no phase 1 when broken on 25.7.1; as it appears to be how it was parsing the config file, it may be larger than just the IPsec issue that I had.
#13
25.7, 25.10 Series / Re: 25.7 upgrade issue
July 23, 2025, 02:08:11 PM
I thought the release post meant that the upgrade was live. That's all; that doesn't appear to be the case here.
#14
25.7, 25.10 Series / Re: 25.7 upgrade issue
July 23, 2025, 01:59:52 PM
Trying to upgrade from 25.1.12 and it says that it's all up to date. Unable to upgrade to 25.7.1.
#15
After applying the patch and reloading the filter,

I was able to get back on my regular LANs now, and the portal isn't running/redirecting on all interfaces anymore, but when trying on the interface with the portal, the portal page never comes up / gets redirected.