Author Topic: LACP LAGG + Suricara (Read 1772 times)

dave · « **on:** September 21, 2021, 12:03:27 am »

If you've got a LAGG interface, would you run Suricata on the parent interfaces in promisc mode, or the LAGG in promisc mode?

mimugmail · « **Reply #1 on:** September 21, 2021, 06:19:40 am »

Shouldnt it be on lagg without promisc when not using vlans?

franco · « **Reply #2 on:** September 21, 2021, 12:49:14 pm »

I think running on LAGG is the way to going since we have native support for it, but Murat et al would know best...

Cheers,
Franco

dave · « **Reply #3 on:** September 21, 2021, 04:32:45 pm »

I am using vlans.
Judging from top and Suricata's logs it's filtering the parent int's. Also uses a lot less CPU time compared to running on it on the LAGG.
However, I was torrenting (Ubuntu... obviously) and the LAGG collapsed and OPNSense died, had to cycle the power.
I've look through the logs but, tbh, nothing stood out; but i'm not sure what words to filter with / where to start.
I'm running the ET Pro Tele rule-sets, but i've only got a few enabled.

dave · « **Reply #4 on:** September 23, 2021, 04:17:42 pm »

update on this. my internet connection keeled over just now. logged in to the GUI to find a huge memory leak, so had to cycle the power as even a reboot via serial wasnt working.

loggeg back in and thought i'd try switching Suricata from the igb's to lagg0 and found i can reliable get OPNSense to completly die within a minute with Suricata on the lagg.

i've got a copy of Putty's output if anyone's interested.

mimugmail · « **Reply #5 on:** September 23, 2021, 05:04:16 pm »

If you use VLANs and LAGG then I would go for selecting each vlan without promisc

Author Topic: LACP LAGG + Suricara (Read 1772 times)

dave

LACP LAGG + Suricara

mimugmail

Re: LAGG + Suricara

franco

Re: LAGG + Suricara

dave

RE: LACP LAGG + Suricara

dave

Re: LACP LAGG + Suricara

mimugmail

Re: LACP LAGG + Suricara