Topic: [solved][how-to-fix] OPNSense with Suricata IPS service failure crash (Read 1545 times)
Author: JL (Newbie, Posts: 42, Karma: 1)
Posted on: January 15, 2024, 11:30:41 pm
Please like or share a comment if this post is helpful or you have more questions.

This how-to-fix post is to inform people on how Suricata crashes with OPNsense on Proxmox (any version) can be remediated. The advisories here may not be suitable for production environments; I trust you know this already.

SHORT FORM (specific to Proxmox)
- set all bridge interfaces used for OPNsense to the same MTU (it may be required to set the bridge-if MTU to the physical interface MTU-22)
- use the OPNsense VM interfaces used for Suricata only with virtio network adapters
- set the network adapter MTU to 1 to adopt the bridge MTU from Proxmox
- in OPNsense, leave the MTU for the interface blank
- in OPNsense, leave the MTU for Suricata blank
- in OPNsense for Suricata, keep the MTU blank and disable promiscuous mode
- in OPNsense for Suricata, set the exact network masks configured for each interface; it may help to add/remove networks to match the interfaces enabled for Suricata
- add the tunables:
  > set dev.netmap.bufsize to the value displayed for NS_MOREFRAG or to the MTU value of Proxmox (trial and error)
  > set dev.netmap.admode to 1
  > set the ns.morefrag to the same as for dev.netmap.bufsize
- reboot the VM; Suricata should now be stable

Context
VM hardware has the Q35 chipset and uses virtio network interfaces.
The OPNsense host has qemu-guest-agent installed.

Indicator (console output)
Jan 28 12:39:45 opnsense kernel: 385.664273 [2197] netmap_buf_size_validate error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG

Assumption
This indicates an MTU inconsistency when the MTU is set >1500 on the bridge, and this is 'broken' in between the bridge and the IPS. To my understanding the network interfaces available on Proxmox are well supported by OPNsense.
For non-virtualised systems the issue may be the same. Check the MTU of the network and match the MTU of the network on the physical interfaces. Consider subtracting 22 from the MTU for compatibility.

Recommended is to check if the MTU on the bridge is >1500.

configure: within Proxmox
- check and set the VM-hardware network interface(s) to 1 so these adopt the MTU of the connected network.
- you can consider decreasing the MTU by 22 (now named PMTU)

configure: within OPNsense
- [for Suricata] under the 'advanced' section of the IPS service: check and/or clear the default packet size (MTU) setting. Setting the MTU here can affect detection reliability and 'drop' or 'conflate' frames on inspection; consider setting MTU-22.
- [for Interfaces] check and/or clear the MTU settings for the monitored interfaces, OR (recommended) set the PMTU as the value. Important: know that on non-enterprise network cards there may not be support for 'real' Jumbo frames, which permit MTU >1500. Look up the specifications for the network interface cards (NIC) and do not set the MTU higher than the hardware supports, even if the MTU on the connecting switch is set to a much higher value.
- [for SYSTEM: SETTINGS: TUNABLES] manually create the key dev.netmap.bufsize with value = <PMTU value>. This is to work around issues with some NICs where the MTU is not working well, so hard-set it here with this key.

configure: optionally for OPNsense
- [for SYSTEM: SETTINGS: TUNABLES] manually create the key dev.netmap.admode with value = 1. This is to avoid flapping between native and emulation state for the network interface.
- [for Suricata] you must consider setting MTU-22 as the size for stability.

Considerations
- when the value for the MTU is cleared for an interface, this defaults to 1500
- consider that this may severely impact IPS performance and/or accuracy

Resources
https://docs.opnsense.org/manual/ips.html
https://man.freebsd.org/cgi/man.cgi...eBSD+12.1-RELEASE+and+Ports#SUPPORTED_DEVICES
https://man.freebsd.org/cgi/man.cgi?vtnet
Last Edit: June 13, 2024, 10:16:43 pm by JL
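The post's first two steps (align the Proxmox bridge MTUs, then derive the MTU-22 "PMTU" value) and its indicator (the netmap NS_MOREFRAG error in the kernel log) can be checked before touching any tunables. The script below is an added example and is not code from the forum post or from the OPNsense or Proxmox projects. It runs over constructed sample text so it works offline; the bridge lines imitate the shape of `ip -o link show type bridge` output on a Proxmox node and the log lines imitate FreeBSD `dmesg` output, and the 22-byte headroom is the post's own figure, not a value this script derives.

```sh
#!/bin/sh
# Added example, not from the forum post. Two offline checks for the symptoms the
# post describes:
#  (1) do all Proxmox bridges share one MTU, and what is MTU-22 (the post's PMTU)?
#  (2) does a kernel log contain the netmap "does not support NS_MOREFRAG" error?
# On a live system you would pipe in `ip -o link show type bridge` (Proxmox) and
# `dmesg` (OPNsense) instead of the constructed samples below.

# Constructed sample of `ip -o link show type bridge` output (not real host data).
SAMPLE_BRIDGES='4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP mode DEFAULT group default qlen 1000
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000'

# Constructed sample kernel log containing the line the post quotes as its indicator.
SAMPLE_LOG='Jan 28 12:39:44 opnsense kernel: vtnet0: link state changed to UP
Jan 28 12:39:45 opnsense kernel: 385.664273 [2197] netmap_buf_size_validate error: large MTU (8192) needed but igb1 does not support NS_MOREFRAG'

# Print "bridge mtu" pairs from ip(8) -o link style text passed as $1.
bridge_mtus() {
    printf '%s\n' "$1" | awk '{
        name = $2; sub(/:$/, "", name)
        for (i = 1; i <= NF; i++) if ($i == "mtu") print name, $(i + 1)
    }'
}

# Number of distinct MTU values across the bridges; more than 1 is the
# inconsistency the post tells you to fix first.
distinct_mtu_count() {
    bridge_mtus "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Largest bridge MTU seen: the value a guest NIC with MTU=1 would adopt.
max_bridge_mtu() {
    bridge_mtus "$1" | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# The post's PMTU: bridge/physical MTU minus 22 bytes of headroom.
pmtu() {
    echo $(( $1 - 22 ))
}

# Count netmap NS_MOREFRAG validation errors in a kernel log ($1); 0 = not seen.
morefrag_errors() {
    printf '%s\n' "$1" | grep -c 'netmap_buf_size_validate.*NS_MOREFRAG' || true
}

# Human-readable summary of both checks.
report() {
    echo "Bridges and MTUs:"
    bridge_mtus "$1"
    if [ "$(distinct_mtu_count "$1")" -gt 1 ]; then
        echo "WARNING: bridges use different MTUs; align them before tuning OPNsense."
    fi
    m=$(max_bridge_mtu "$1")
    echo "PMTU (MTU-22) for the largest bridge MTU $m: $(pmtu "$m")"
    n=$(morefrag_errors "$2")
    if [ "$n" -gt 0 ]; then
        echo "Found $n netmap NS_MOREFRAG error(s): the post's symptom is present."
    else
        echo "No netmap NS_MOREFRAG errors in the log."
    fi
}

report "$SAMPLE_BRIDGES" "$SAMPLE_LOG"
```

On the sample data the report flags the 9000/1500 mismatch, prints 8978 as the PMTU for the 9000-byte bridge and finds one NS_MOREFRAG error. Before creating the tunables the post lists, confirm the exact key spelling on the firewall with `sysctl dev.netmap` so the value lands on a key the kernel actually exposes.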