LACP LAGG + Suricata

Started by dave, September 21, 2021, 12:03:27 AM

September 21, 2021, 12:03:27 AM Last Edit: September 21, 2021, 04:35:43 PM by dave
If you've got a LAGG interface, would you run Suricata on the parent interfaces in promisc mode, or the LAGG in promisc mode?

Shouldn't it be on lagg without promisc when not using vlans?

I think running on LAGG is the way to go since we have native support for it, but Murat et al. would know best...


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

September 21, 2021, 04:32:45 PM #3 Last Edit: September 21, 2021, 04:37:00 PM by dave
I am using vlans.
Judging from top and Suricata's logs it's filtering the parent interfaces.  Also uses a lot less CPU time compared to running it on the LAGG.
However, I was torrenting (Ubuntu... obviously) and the LAGG collapsed and OPNSense died, had to cycle the power.
I've looked through the logs but, tbh, nothing stood out; but I'm not sure what words to filter with / where to start.
I'm running the ET Pro Tele rule-sets, but I've only got a few enabled.

Update on this.  My internet connection keeled over just now.  Logged in to the GUI to find a huge memory leak, so had to cycle the power as even a reboot via serial wasn't working.

Logged back in and thought I'd try switching Suricata from the igb's to lagg0 and found I can reliably get OPNSense to completely die within a minute with Suricata on the lagg.

I've got a copy of Putty's output if anyone's interested.

If you use VLANs and LAGG then I would go for selecting each vlan without promisc

Doesn't the documentation explicitly say not to do this?

December 07, 2023, 03:02:04 PM #7 Last Edit: December 07, 2023, 03:05:17 PM by sepahewe
I ran into a similar issue.

I have VLANs on a LAGG and I want to enable IDP, but when I do network connectivity stops. The log shows:
generic netmap attach emulated adapter for lagg0 created

and a bit of googling seems to suggest that the LAGG driver doesn't support netmap which causes the issue. I then tried to enable it directly on the PHY-interfaces, but they are not visible in Suricata and I can't assign them in Interfaces as they are busy due to the LAGG.

Edit: I'm running 23.7.9
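
A small check, added here as an example and not taken from the thread or from OPNsense itself: it scans a Suricata log for the "emulated adapter" netmap message quoted above and flags when a lagg interface is the one being emulated. The log lines and the path /tmp/suricata_sample.log are constructed for the demo; on a real box point LOG at the actual Suricata log.

```shell
#!/bin/sh
# Added example, not code from the thread or the OPNsense project.
# An "emulated adapter" line means netmap had no native support for that
# interface's driver and fell back to the generic path; for lagg0 this is
# the situation reported above. Log lines below are constructed samples.

LOG="${LOG:-/tmp/suricata_sample.log}"
cat > "$LOG" <<'EOF'
[100] Info: netmap: opening devname netmap:lagg0
[100] Info: netmap: generic netmap attach emulated adapter for lagg0 created
[100] Info: netmap: opening devname netmap:vlan0.12
[100] Info: netmap: generic netmap attach emulated adapter for vlan0.12 created
[100] Info: netmap: generic netmap attach emulated adapter for lagg0 created
EOF

# Print every interface that received an emulated netmap adapter, deduplicated.
emulated_netmap_ifaces() {
    sed -n 's/.*netmap attach emulated adapter for \([^ ]*\) created.*/\1/p' "$1" | sort -u
}

# Exit 0 when a lagg interface itself is being emulated, 1 otherwise.
# Suitable as a monitoring check after enabling IDS/IPS on a lagg setup.
lagg_is_emulated() {
    emulated_netmap_ifaces "$1" | grep -q '^lagg[0-9][0-9]*$'
}

if lagg_is_emulated "$LOG"; then
    echo "WARNING: emulated netmap adapter on a lagg interface:"
    emulated_netmap_ifaces "$LOG" | sed 's/^/  /'
fi
```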

December 07, 2023, 05:29:41 PM #8 Last Edit: December 07, 2023, 05:34:44 PM by Monviech
I'm running Suricata on a lagg with vlans. Here is my configuration. I'm also on the latest Opnsense version. Please note that all of my VLANs are tagged and I don't use any untagged ones. The untagged parent interfaces and the untagged lagg0 are disabled and not assigned in "Interfaces: Assignments".

Example:

Interfaces: Other Types: VLAN
Device: vlan0.1
Parent: lagg0
VLAN tag: 1
Description: vlan0.1

Device: vlan0.12
Parent: lagg0
VLAN tag: 12
Description: vlan0.12

Interfaces:
Identifier:    opt1
Device:    vlan0.1
Description: lagg0_vlan1_LAN

Identifier:    opt12
Device:    vlan0.12
Description: lagg0_vlan12_DMZ

Interfaces: Other Types: LAGG
Device: lagg0
Parent: ax0
Proto: lacp
Fast timeout: yes
Use flowid: default
Hash Layers: L3
use strict: default
MTU:
Description: lagg0

Services: Intrusion Detection: Administration
Enabled: Yes
IPS mode: Yes
Promiscuous mode: Yes
Pattern matcher: Hyperscan
Interfaces: lagg0_vlan1_LAN, lagg0_vlan12_DMZ

Hardware:
DEC740