Error with IPS activation

[klaxzygen]

Hello community,

I run opnsense [24.7.2] on Protectli Vault Pro VP2420 + zenarmor and have a very strange issue when I activate suricata IPS. Once activated it runs for a few seconds and then service crashes with the error below. IDS works fine, this happens only when I activate IPS mode.

Code Select Expand

Error suricata [104135] <Error> -- opening devname netmap:igc1-0/R@conf:host-rings=4 failed: Device busy

What I did so far to troubleshoot was to disable all hardware offloading incl. CRC, TSO & LRO but that only broke the connectivity and access to UI and internet was gone.

The interfaces I want to active IPS on are VLAN interfaces and physical WAN interface.

Any help with getting this work is appreciated!

Thanks,
N

[doktornotor]

With any HW offloading, it will NOT work. Deactivating that properly requires a reboot.

[klaxzygen]

Deactivating HW offload and rebooting breaks the connectivity to internet and UI. I needed to login physically to firewall and stop the suricata service in order to access the UI again.

[doktornotor]

Uhm, no, it does not break any internet., You cannot use IPS with HW accelleration for reasons mentioned in the documentation (the netmap driver you can see in the error message you posted) - and that is the end of the story.

[MarieSophieSG]

Deactivating HW offload and rebooting breaks the connectivity to internet and UI. I needed to login physically to firewall and stop the suricata service in order to access the UI again.

My 2cts (of a newbe going through the same problems for the past few days)
Seems that you have two problems, but you should be working on just one:

- Since you can't have HW offloading (CRC, TSO & LRO) and IPS (and even IDS on some mat'l) you have no choice but to keep them checked (disabled)
=> You should first work on that part, why is it breaking your connection ?

- Then start IDS, then start IPS