Topic: Suricata IPS on a LAGG WAN interface (Read 3594 times)
Dantichrist
Newbie
Posts: 31
Karma: 1
Suricata IPS on a LAGG WAN interface
« on: November 23, 2021, 03:02:18 am »
Hello,
I have tried everything that I can think of over the past few months to get this working properly. If I enable IPS, my (lagg0) WAN interface will drop after around five to ten minutes. I can bounce the interface, and it will come back up but will go back down after five to ten minutes.
Hardware CRC, Hardware TSO, and Hardware LRO are all disabled. VLAN Hardware Filtering is set to disabled as well.
I've tried running all combinations of VLAN Hardware Filtering on/off, and Promiscuous mode on/off, and the WAN interface will go down every time. I have also tried using a "pass" policy for my CM1200 cable modem (192.168.100.1) in case it was something with that.
The LAGG interface works superbly, and is rock solid. It consistently tests out with ~1300Mbps down/~42Mbps up as long as IPS is off. It will also alert just fine with just IDS on.
When the interface goes down, there is nothing that I can see in the suricata/system logs that gives me any indication of what is causing it. Also, the hardware can handle it easily with an i7 4590 with 16GB of RAM. I don't see any CPU, memory, or mbuf spikes. They all stay the same as they would with IPS off. All of my NICs are Intel 82576 (igb).
I have also tried it with RSS on and off and it makes no difference.
I'm just wondering if anyone else with a similar setup has gotten this to work. It's not a huge issue for me, but it's one of those things that I keep coming back to that I'd like to solve, or at least understand what is causing it.
Thank you in advance for any ideas or info that you can share!
FullyBorked
Sr. Member
Posts: 343
Karma: 24
Re: Suricata IPS on a LAGG WAN interface
« Reply #1 on: November 23, 2021, 03:10:38 am »
I see you tested your aggregate group with IPS on and off. What about IPS without the aggregate? Does everything work ok there?
Dantichrist
Newbie
Posts: 31
Karma: 1
Re: Suricata IPS on a LAGG WAN interface
« Reply #2 on: November 23, 2021, 03:55:19 am »
Yes. IPS works fine if I run it with just a normal WAN interface without link aggregation.
« Last Edit: November 23, 2021, 08:58:50 pm by Dantichrist »