Messages - Beroyt

#1
Hello everyone,
I'm seeking help with a complex Suricata issue where it fails to inspect traffic on a bridged interface, despite the service being active. I have performed extensive diagnostics and believe this is a driver/netmap incompatibility issue.
System & Hardware:
OPNsense: 25.7.1_1
CPU: Intel i5 (14th Gen)
RAM: 32 GB
NICs: 8 x Intel I226-V 2.5G ports (using the igc driver)
LAN Configuration: A bridge0 interface that combines 6 of the 8 physical ports; the other 2 ports are used for PPPoE with an ONT.
The Core Problem:
Suricata, in any mode (IDS/IPS) and on any bridged interface, fails to generate any alerts. The Alerts tab is always empty, even with standard tests like EICAR or nslookup testmyids.com. The top -aSH command shows the suricata process running but with near-zero CPU usage (<1%), confirming it is not inspecting packets.
Diagnostic Timeline & Tests Performed:
Initial Setup: Configured Suricata in IPS & Promiscuous mode, with ET Open and Abuse.ch rulesets, and a Policy set to "Alert". Hardware Offloading (CRC, TSO, LRO) is disabled. The Home networks variable is correctly configured.
WAN Interface Test: Attempted to run Suricata on the WAN (PPPoE) interfaces. The service started but no test alerts were generated.
LAN (Bridge) Interface Test: Switched inspection to the logical LAN interface (assigned to bridge0). No alerts.
SSH Diagnostics: The top command revealed that Suricata was attempting to attach to bridge0, even though this was not a selectable interface in the GUI.
Tunable Test: Added a system tunable dev.netmap.ad_default_if with the value bridge0. This did not change the outcome. (The tunable has since been removed).
Individual Physical Interface Test: Attempted to monitor all 6 physical member interfaces of the bridge. No alerts.
Manual Startup Test:
Manually starting Suricata with suricata --netmap=bridge0 fails instantly with the error: netmap:-0/xT: invalid empty port name.
The exact same error occurs when attempting to start on a single physical interface (e.g., igc3).
However, starting in legacy compatibility mode (suricata --pcap=bridge0) works without errors, proving the issue is specific to the netmap driver.
Final Verification: The issue persists even after updating OPNsense and performing a clean reinstall of the os-suricata plugin. The eve.json log shows that Suricata correctly attaches to bridge0 (even without the tunable) and sees basic traffic like SSH, but the rule engine never triggers an alert.
Question:
Given that this is a fatal netmap driver error with my Intel I226-V NICs (both on the bridge and on individual ports), is this a known bug? Is there a specific system tunable for the igc driver or netmap that could resolve this incompatibility?

Thank you in advance for any assistance.
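The post's last diagnostic step relies on reading eve.json by eye to see that traffic is logged but no alert ever appears. The following script, an added example that is not part of the original post, makes that check repeatable: it counts eve.json event types per capture interface (the in_iface field) and flags interfaces that show traffic but zero alert records. The sample eve.json lines embedded below are constructed to mirror the symptom described in the post.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not taken from the original post):
# flow/dns records on bridge0 but no "alert" record, which is the symptom
# the post describes.
SAMPLE_EVE = """\
{"timestamp":"2025-08-20T10:00:01+0000","event_type":"flow","in_iface":"bridge0","proto":"TCP","dest_port":22}
{"timestamp":"2025-08-20T10:00:02+0000","event_type":"flow","in_iface":"bridge0","proto":"TCP","dest_port":443}
{"timestamp":"2025-08-20T10:00:03+0000","event_type":"dns","in_iface":"bridge0","proto":"UDP","dest_port":53}
{"timestamp":"2025-08-20T10:00:04+0000","event_type":"stats","stats":{"uptime":60}}
"""


def summarize_eve(text):
    """Return {iface: Counter(event_type -> count)} for eve.json content.

    Records without in_iface (e.g. periodic "stats" records) are grouped
    under "<no iface>". Malformed lines are skipped, not fatal.
    """
    per_iface = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        iface = rec.get("in_iface", "<no iface>")
        per_iface[iface][rec.get("event_type", "<none>")] += 1
    return per_iface


def silent_interfaces(per_iface, min_traffic=1):
    """Interfaces with traffic records but zero "alert" records.

    A hit means "run a known-trigger test (the post used EICAR and
    testmyids.com) and re-check", not by itself that inspection is dead.
    """
    silent = []
    for iface, counts in per_iface.items():
        if iface == "<no iface>":
            continue
        traffic = sum(n for et, n in counts.items() if et not in ("alert", "stats"))
        if traffic >= min_traffic and counts.get("alert", 0) == 0:
            silent.append(iface)
    return sorted(silent)


if __name__ == "__main__":
    # Usage: python check_eve.py /var/log/suricata/eve.json (path is an assumption)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    summary = summarize_eve(data)
    for iface, counts in summary.items():
        print(iface, dict(counts))
    print("traffic but no alerts on:", silent_interfaces(summary))
```

Run it against the live eve.json right after sending a test trigger; an interface that keeps appearing in the "no alerts" list while flows are logged is the one whose rule engine path needs attention.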