Topic: LACP LAGG + Suricata (Read 5793 times)
dave (Jr. Member), on September 21, 2021, 12:03:27 am
If you've got a LAGG interface, would you run Suricata on the parent interfaces in promisc mode, or the LAGG in promisc mode?
Last Edit: September 21, 2021, 04:35:43 pm by dave
mimugmail (Hero Member), Reply #1 on September 21, 2021, 06:19:40 am
Shouldn't it be on lagg without promisc when not using VLANs?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
franco (Administrator, Hero Member), Reply #2 on September 21, 2021, 12:49:14 pm
I think running on LAGG is the way to go since we have native support for it, but Murat et al would know best...
Cheers,
Franco
dave (Jr. Member), Reply #3 on September 21, 2021, 04:32:45 pm
I am using VLANs.
Judging from top and Suricata's logs, it's filtering the parent ints. It also uses a lot less CPU time compared to running it on the LAGG.
However, I was torrenting (Ubuntu... obviously) and the LAGG collapsed and OPNsense died, had to cycle the power.
I've looked through the logs but, tbh, nothing stood out; but I'm not sure what words to filter with / where to start.
I'm running the ET Pro Tele rule-sets, but I've only got a few enabled.
Last Edit: September 21, 2021, 04:37:00 pm by dave
dave (Jr. Member), Reply #4 on September 23, 2021, 04:17:42 pm
Update on this. My internet connection keeled over just now. Logged in to the GUI to find a huge memory leak, so had to cycle the power as even a reboot via serial wasn't working.
Logged back in and thought I'd try switching Suricata from the igb's to lagg0 and found I can reliably get OPNsense to completely die within a minute with Suricata on the lagg.
I've got a copy of PuTTY's output if anyone's interested.
mimugmail (Hero Member), Reply #5 on September 23, 2021, 05:04:16 pm
If you use VLANs and LAGG then I would go for selecting each VLAN without promisc.
chris.walker01 (Newbie), Reply #6 on June 24, 2023, 07:56:56 am
Doesn't the documentation explicitly say not to do this?
sepahewe (Newbie), Reply #7 on December 07, 2023, 03:02:04 pm
I ran into a similar issue.
I have VLANs on a LAGG and I want to enable IDP, but when I do, network connectivity stops. The log shows:
Code:
generic netmap attach emulated adapter for lagg0 created
and a bit of googling seems to suggest that the LAGG driver doesn't support netmap which causes the issue. I then tried to enable it directly on the PHY-interfaces, but they are not visible in Suricata and I can't assign them in Interfaces as they are busy due to the LAGG.
Edit: I'm running 23.7.9
Last Edit: December 07, 2023, 03:05:17 pm by sepahewe
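Added example (not part of sepahewe's post and not OPNsense code): a small shell check that scans log text for the netmap message quoted in the post above and reports which of the interfaces Suricata is bound to are running on an emulated netmap adapter. The sample log and the interface names passed to `check_ips_ifaces` are constructed; only the message wording comes from the post.

```shell
#!/bin/sh
# Added example, not OPNsense code.

# Print each interface named in a "generic netmap attach emulated adapter
# for <if> created" message (wording as quoted in the post). Underscores in
# place of spaces and a capital "E" are also accepted, as an assumption
# about how the raw kernel line may be spelled.
netmap_emulated_ifaces() {
    sed -n 's/.*generic[ _]netmap[ _]attach  *[Ee]mulated adapter for \([A-Za-z0-9_.]*\) created.*/\1/p' | sort -u
}

# Constructed sample log: only the netmap line format comes from the thread;
# timestamps, hostname and the other lines are made up for the demo.
sample_log() {
    cat <<'EOF'
Dec  7 15:01:10 fw kernel: lagg0: link state changed to UP
Dec  7 15:01:12 fw kernel: generic netmap attach emulated adapter for lagg0 created
Dec  7 15:01:12 fw kernel: vlan0.12: promiscuous mode enabled
Dec  7 15:01:40 fw kernel: generic netmap attach emulated adapter for lagg0 created
EOF
}

# Read log text on stdin; arguments are the interfaces Suricata is bound to
# (hypothetical input for this demo). Returns non-zero if any of them is
# running on an emulated netmap adapter.
check_ips_ifaces() {
    emulated=$(netmap_emulated_ifaces)
    status=0
    for ifc in "$@"; do
        # -F and -x: match the interface name literally and as a whole line
        if printf '%s\n' "$emulated" | grep -Fqx -- "$ifc"; then
            echo "WARN $ifc: netmap emulated adapter"
            status=1
        else
            echo "OK $ifc"
        fi
    done
    return "$status"
}

# Demo run on the constructed log
sample_log | check_ips_ifaces lagg0 vlan0.12 || true
```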
Monviech (Cedrik) (Global Moderator, Hero Member), Reply #8 on December 07, 2023, 05:29:41 pm
I'm running Suricata on a lagg with VLANs. Here is my configuration. I'm also on the latest OPNsense version. Please note that all of my VLANs are tagged and I don't use any untagged ones. The untagged parent interfaces and the untagged lagg0 are disabled and not assigned in "Interfaces: Assignments".
Example:

Interfaces: Other Types: VLAN
    Device: vlan0.1
    Parent: lagg0
    VLAN tag: 1
    Description: vlan0.1

    Device: vlan0.12
    Parent: lagg0
    VLAN tag: 12
    Description: vlan0.12

Interfaces:
    Identifier: opt1
    Device: vlan0.1
    Description: lagg0_vlan1_LAN

    Identifier: opt12
    Device: vlan0.12
    Description: lagg0_vlan12_DMZ

Interfaces: Other Types: LAGG
    Device: lagg0
    Parent: ax0
    Proto: lacp
    Fast timeout: yes
    Use flowid: default
    Hash Layers: L3
    use strict: default
    MTU:
    Description: lagg0

Services: Intrusion Detection: Administration
    Enabled: Yes
    IPS mode: Yes
    Promiscuous mode: Yes
    Pattern matcher: Hyperscan
    Interfaces: lagg0_vlan1_LAN, lagg0_vlan12_DMZ
Last Edit: December 07, 2023, 05:34:44 pm by Monviech
Hardware: DEC740