Bug Report: Creating new VLANs with Suricata enabled

Started by davidsenk, December 13, 2024, 05:41:16 PM

Good Morning,

Several months ago I ran into an issue on my opnsense firewall. I noticed that "sometimes" I would be unable to create new VLANs without rebooting the host device.

The host device has an Intel I226-V 4 port NIC on it. I chalked it up to a likely known incompatibility with this NIC (example with more info: https://forum.opnsense.org/index.php?topic=38055.0).

Recently - I redeployed this firewall as a high availability pair. This new pair has Intel X540-AT2 2 port NICs on them. The X540 appears to be *far* better supported without any known issues (that I can find) https://bsd-hardware.info/?id=pci:8086-1528-15d9-1528

Symptoms of bug:

Using tcpdump or similar:

When creating a new VLAN interface and enabling it with IP address configured, the interface is unable to communicate to any other hosts on the same VLAN.

When viewing traffic on the VLAN interface from the opnsense host the ARP packets are observed as being sent.

When viewing traffic on the switch (or any other host on the same VLAN), the ARP packets are observed as being sent by opnsense. From the switch (or ping target host), it can also be observed that ARP packets are being sent back to opnsense.

When viewing traffic on the VLAN interface on opnsense the response packets are never received. When viewing traffic on the master interface for the VLAN the responses are received (and tagged correctly), but are never received by the VLAN interface.

When viewing dmesg, or the serial console, the following are printed as long as traffic is being directed towards opnsense on the newly created VLAN interface:

**REPEATING INFINITELY**
056.634313 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
057.651332 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
058.331450 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
059.671444 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
060.686962 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
061.131317 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
**REPEATING INFINITELY**

Disabling and re-enabling the VLAN interface does not restore connectivity.

Rebooting the opnsense device does restore connectivity.

Alternatively: Disabling the suricata service entirely, disabling the newly created VLAN interface, and re-enabling the newly created VLAN interface also restores connectivity; however, this is not 100% reliable. Sometimes this does not work, still requiring a reboot.

Full reproduction steps:

WITH Suricata enabled in IDS AND Promiscuous Mode on the master interface for the VLANs (as recommended for use with VLANs) - https://docs.opnsense.org/manual/ips.html

Quote: "when using VLAN's, enable IPS on the parent"

Create a new VLAN interface and attach to parent

Assign interface and configure IP address settings

Attempt to communicate with other hosts on the VLAN

Communication fails

EITHER: Reboot opnsense node, or disable suricata and disable / enable new VLAN interface (not 100% reliable).

Communication now works

EXCEPTION: When reenabling suricata WITHOUT a reboot, communication will again cease to function AND the error messages on console / dmesg return. A reboot is required to fully restore all expected functionality.

WORKAROUND: To keep suricata enabled and for network protection when adding new VLANs, ensure that CARP is set up properly for all gateway addresses for the VLANs.

Temporarily disable CARP to gracefully failover to the backup system

Reboot master

All VLANs and Suricata will be working as expected after reboot.

FINAL NOTES

I hope that this provides enough clarity to fix the issue. This has persisted since at least 24.1.9_4 and still exists on 24.7.10_2.

Thanks
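
A small console check, added here as an example and not part of the report above, that scans dmesg-style output for the two messages quoted in the symptoms and prints a verdict a cron job or CARP health check could act on. The threshold, the function name and the sample lines are assumptions; the signature strings are the ones from the report.

```shell
#!/bin/sh
# Added example (not from the forum thread): flag the netmap/pf console signature
# that appears when a newly created VLAN stops receiving traffic under Suricata.

# detect_netmap_vlan_bug TEXT [MIN_RX]
# Prints "netmap-vlan-bug rx=<n> pf=<n> span=<s>s" and returns 1 when at least
# MIN_RX (default 3, an assumed threshold) RX-intercept warnings are present;
# otherwise prints "clean rx=<n> pf=<n>" and returns 0. span is the whole-second
# distance between the first and last warning, read from each line's timestamp.
detect_netmap_vlan_bug() {
    text="$1"
    min_rx="${2:-3}"
    # grep -c prints 0 on no match but exits 1; the || true keeps set -e quiet.
    rx=$(printf '%s\n' "$text" | grep -c 'freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter' || true)
    pf=$(printf '%s\n' "$text" | grep -c 'pfr_update_stats: assertion failed' || true)
    span=$(printf '%s\n' "$text" | awk '
        /freebsd_generic_rx_handler Warning/ { t = $1 + 0; if (n++ == 0) first = t; last = t }
        END { if (n == 0) print 0; else print int(last - first) }')
    if [ "$rx" -ge "$min_rx" ]; then
        echo "netmap-vlan-bug rx=$rx pf=$pf span=${span}s"
        return 1
    fi
    echo "clean rx=$rx pf=$pf"
    return 0
}

# Constructed sample: a subset of the console lines quoted in the report plus one
# unrelated (made-up) link-state line that must not count.
SAMPLE='056.634313 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
pfr_update_stats: assertion failed.
pfr_update_stats: assertion failed.
057.651332 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
pfr_update_stats: assertion failed.
058.331450 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
059.671444 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
ix0: link state changed to UP'

# On a live host (assumes dmesg carries the lines in the format shown above):
#   detect_netmap_vlan_bug "$(dmesg)" 3 || echo "VLAN/netmap signature present: plan a CARP failover and reboot"
```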


January 29, 2025, 09:00:11 PM #1 Last Edit: January 30, 2025, 12:02:28 AM by dirtyfreebooter
i just ran into this with 24.10.1 business edition and zenarmor. added a new vlan interface, then
122.184495 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
123.261472 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
124.043962 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
125.057202 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
126.057326 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
127.108129 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter
128.057185 [ 323] freebsd_generic_rx_handler Warning: RX packet intercepted, but no emulated adapter

supermicro 1u + i350-t4 nic

tried restarting zenarmor, but same results. disabling the vlan interface stops the messages and connectivity issues.

i haven't tried a full reboot yet.

i tried a full reboot, had a supermicro firmware update i needed to apply anyways. and after reboot no messages and new vlan network is working.