IPS Block the Bridge Traffic

Started by Nibras Al-Afoun, July 21, 2025, 10:57:23 AM

I'm currently deploying OPNsense in transparent bridge mode between a Mikrotik router (as trunk port) and a Palo Alto firewall (L3), with Suricata enabled for IDS/IPS. Everything works fine in IDS mode, but I encounter major issues when enabling IPS mode.

System Configuration

- Device model: PowerEdge R750
- OPNsense Version: OPNsense 25.1.11-amd64
- FreeBSD 14.2-RELEASE-p4
- OpenSSL 3.0.17
- Suricata: Latest package from UI
- Mode: Transparent bridge (bridge0) inspecting trunked VLANs
- Interfaces: Only bridge0 selected for Suricata
- Pattern Matcher: Hyperscan
- Hardware: 80 cores, 2048 GB RAM, 8x Broadcom NICs
  - Intel(R) Xeon(R) Platinum 8380 CPU @ 2.30GHz (80 cores, 160 threads)
  - Broadcom Gigabit Ethernet BCM5720
  - Broadcom Adv. Dual 25Gb Ethernet
  - Broadcom Adv. Dual 25Gb Ethernet
  - Broadcom Adv. Dual 25Gb Ethernet
- Filesystem: ZFS (ARC limited via vfs.zfs.arc_max loader tunable)

What Works

- IDS mode runs normally, logs alerts, no packet loss
- Netmap bindings pass correctly
- Bridge is transparent and VLANs reach the firewall

Problems in IPS Mode

1. All outbound traffic is blocked when IPS is enabled, even with all rules set to Alert.
2. Netmap startup errors before ARC tuning: "netmap:bridge0/R failed: Cannot allocate memory"
3. Flowbit dependency warnings, e.g., "flowbit 'ET.BunnyLoader.Checkin' is checked but not set"
4. Suricata rule parsing errors, e.g., content:"|5C 5C 0A 5C 5C 0A ...
5. Queue exhaustion runtime errors: "Just ran out of space in the queue. Please file a bug report on this"
6. Suricata starts but silently drops traffic, even with no DROP rules applied

What I've Tried So Far

- Limited ARC cache via loader tunable (vfs.zfs.arc_max=1073741824)
- Disabled all non-critical rule categories (e.g., shellcode, voip, inappropriate)
- Disabled firewall filtering, which caused deny by the default rules
- Forced all rules to Alert via policy with priority 1
- Reduced dev.netmap.buf_num to 65536
- Confirmed Suricata binds only to bridge0 in IPS mode
- Disabled ClamAV, Zenarmor, and background services
- Installed a swap file to ensure the system has headroom
- Used Hyperscan as pattern matcher where supported

Assistance Requested

Is there a known bug or limitation when using Suricata IPS in bridge mode with VLAN trunks on OPNsense?

Are there specific driver/kernel or netmap constraints I should consider?

How can I debug or trace netmap drops in more detail?

Can you confirm whether this is a Suricata limitation, a netmap issue, or policy misbehavior?
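As an added triage aid for the last two questions (not part of the original post, and not OPNsense or Suricata project code): a small script that buckets suricata.log lines into the failure classes the post lists (netmap allocation failure, queue exhaustion, rule parse errors, unset flowbits) and names the layer to investigate first. The sample log lines are constructed from the messages quoted above, and the default log path is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the messages quoted in the post;
# this is not a capture from the poster's system.
SAMPLE_LOG = """\
[100 - Suricata-Main] 2025-07-21 10:40:01 Error: netmap: netmap:bridge0/R failed: Cannot allocate memory
[100 - Suricata-Main] 2025-07-21 10:40:02 Warning: detect-flowbits: flowbit 'ET.BunnyLoader.Checkin' is checked but not set
[100 - Suricata-Main] 2025-07-21 10:40:02 Error: detect-content: error parsing content: content:"|5C 5C 0A 5C 5C 0A ...
[101 - W#01-bridge0] 2025-07-21 10:41:15 Error: tm-queuehandlers: Just ran out of space in the queue. Please file a bug report on this
[101 - W#01-bridge0] 2025-07-21 10:41:16 Error: tm-queuehandlers: Just ran out of space in the queue. Please file a bug report on this
[100 - Suricata-Main] 2025-07-21 10:41:20 Notice: threads: all 4 packet processing threads, 4 management threads initialized, engine started.
"""

FLOWBIT_RE = re.compile(r"flowbit '([^']+)' is checked but not set")

# Checked in order; the first match wins.
PATTERNS = [
    ("netmap", re.compile(r"netmap:\S+ failed: Cannot allocate memory")),
    ("queue", re.compile(r"Just ran out of space in the queue")),
    ("rule_parse", re.compile(r"error parsing")),
    ("flowbit", FLOWBIT_RE),
]

def classify(line):
    for name, pat in PATTERNS:
        if pat.search(line):
            return name
    return None

def triage(log_text):
    """Count lines per failure class; lines matching nothing are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        cls = classify(line)
        if cls:
            counts[cls] += 1
    return dict(counts)

def unset_flowbits(log_text):
    """Flowbits that are checked by an enabled rule but never set."""
    return sorted({m.group(1) for m in FLOWBIT_RE.finditer(log_text)})

def likely_layer(counts):
    """Netmap open failures mean no packets reach the workers at all; queue
    exhaustion points at the worker pipeline (in inline mode packets Suricata
    does not forward are lost); rule problems only skip or mis-evaluate the
    affected signatures. Nothing in the log leaves policy as the suspect."""
    if counts.get("netmap"):
        return "netmap"
    if counts.get("queue"):
        return "suricata-threads"
    if counts.get("rule_parse") or counts.get("flowbit"):
        return "ruleset"
    return "policy"

if __name__ == "__main__":
    import sys
    # Assumed OPNsense log location; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/suricata.log"
    with open(path) as f:
        text = f.read()
    counts = triage(text)
    print(counts, unset_flowbits(text), likely_layer(counts))
```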