Suricata IPS + Promiscuous Mode breaks Insight / flowd_aggregate

Started by greY, December 25, 2025, 04:46:33 PM

Hello,

I am running OPNsense 25.10.1_2 (Business) as a virtual machine (KVM/Proxmox) and am experiencing a reproducible issue with Suricata IPS in combination with Insight (flowd_aggregate).

Setup (simplified)

  • OPNsense running as a VM in Proxmox (9.1)
  • Multiple WAN interfaces (Multi-WAN setup)
  • Suricata enabled (for WAN interfaces only)
  • Insight / Traffic graphs enabled

Observed behavior

  • With Suricata disabled → Insight and traffic graphs work normally.
  • With IPS enabled + Promiscuous mode OFF → Insight works.
  • With IPS enabled + Promiscuous mode ON →
      • Traffic graphs stop updating after ~1 minute
      • Insight data disappears
      • flowd_aggregate fails to start

I see that the flowd_aggregate service does not start, with:
"WARNING: failed to start flowd_aggregate
Unable to lock on the pidfile"



Is this a known limitation of Suricata IPS + Promiscuous mode on Multi-WAN, especially in virtualized environments?

Is there an official recommendation or roadmap regarding Insight compatibility with netmap/IPS in such setups?



Thanks in advance for any clarification or confirmation


*update*
Looks like it has something to do with the queues setting on the configured VM interfaces in Proxmox. Still investigating...