Suricata - Divert (IPS)

Started by xpendable, January 30, 2026, 01:40:00 AM

January 30, 2026, 01:40:00 AM Last Edit: January 30, 2026, 03:39:14 AM by xpendable
So I just upgraded to 26.1 and migrated the firewall rules over as well (don't have many) and everything went over smoothly with no issues.

However, I was wondering about the new Divert (IPS) capture mode, as the documents state that a firewall rule is needed in the new rules section. If you select this capture mode, will a new firewall rule be auto-generated for it?

Also, as a side question, if you diverted all WAN traffic for inspection anyway, would there be any benefit from Netmap (IPS) mode?

EDIT:
Well I just went ahead and enabled it, and basically answered my own questions :)

No rule is created automatically, so after setting Suricata to Divert (IPS) mode with 8 listeners (8 CPUs) I created a new rule on the WAN interface just below the Q-Feeds rule to pass all incoming traffic to Intrusion Protection. Works as expected, and I suppose it's probably more efficient since it's using PF and coming after the Q-Feeds rule. No sense in inspecting blocked traffic.

However, I noticed that after doing so the "Interface" in the Intrusion Protection Alerts page is blank, which makes sense... but is there a way in the future to pull this information from the firewall rule?

Hello, please open an issue on GitHub asking about the interface in Suricata when divert is used. It's easier to track, thank you.

https://github.com/opnsense/core/issues
Hardware:
DEC740

Issue has been created as requested.

Another upside to using Divert (IPS) mode: the memory consumption has been cut in half since Netmap is no longer being used :)

What might also be a benefit is compatibility and stability with VM network interfaces, as you don't have to use the emulated netmap driver anymore (the high-performance native netmap driver requires Intel network cards to work correctly most of the time).
Hardware:
DEC740

That's true, my OPNsense runs as a VM on XCP-ng; however, I use SR-IOV with Intel X710 NICs, so I never had an issue with using Netmap, but using the Divert method is way more efficient on memory usage. I have 16GB of memory allocated and before, the memory would typically sit at 40-50% usage. I just checked and it's now down to about 10%. Will probably reduce the memory allocation in the near future as the system obviously doesn't need it anymore.

Thanks for taking the lead. I just followed you and set intrusion detection from Netmap to the new divert rule.
So far so good.
Curious about your choice to have it on incoming WAN instead of LAN?
Deciso DEC850v2