Author Topic: NIC's with Suricata Inline mode (Read 374 times)

whizzy · « **on:** December 11, 2017, 09:49:43 am »

Can we please post in this thread the NIC make and model of users who successfully have Suricata Inline working without any errors.
Also post any tunables, if used, associated with that NIC as well.

Thanks, this thread will be a great help to all of us.

ntct · « **Reply #1 on:** December 11, 2017, 07:08:56 pm »

None, Do not use inline mode.

whizzy · « **Reply #2 on:** December 12, 2017, 08:34:21 am »

I guess ntct is correct. The overwhelming response shows it. I guess no one has it working without errors. I am turning Inline off.
PFsense is not a completely effective firewall solution without inline working. Attacks have full access until the snort table gets around to denying the offending IP.

bmeeks · « **Reply #3 on:** December 12, 2017, 03:33:38 pm »

Quote from: whizzy on December 12, 2017, 08:34:21 am

I guess ntct is correct. The overwhelming response shows it. I guess no one has it working without errors. I am turning Inline off.
PFsense is not a completely effective firewall solution without inline working. Attacks have full access until the snort table gets around to denying the offending IP.

While technically that's true, it practice Snort or even Suricata's legacy mode blocking is sufficient for most threats. If you have the "kill states" option enabled (and it's enabled by default), then as soon as Suricata or Snort makes a decision on the packet the traffic is blocked.

Inline mode uses the new Netmap technology as has been mentioned many times. That technology is still having growing pains because it is so closely intertwined with the NIC driver.

Bill

whizzy · « **Reply #4 on:** December 14, 2017, 10:27:55 am »

Which comes around to my initial post question. What NIC's have users had success with? No one is posting because no one really uses inline is my only conclusion because it is too 'buggy'.

I will post here that netmap has issues with Intel i340, i350, i211, i217 ,i219, Pro1000 NIC's which just about covers all Intel NIC's. Never tested realtek.

Now, a point I must make here is that these NIC's were tested on a high traffic interface. When I use on a low traffic interface, I do not see any netmap issues.

bmeeks · « **Reply #5 on:** December 14, 2017, 10:49:47 am »

Quote from: whizzy on December 14, 2017, 10:27:55 am

Now, a point I must make here is that these NIC's were tested on a high traffic interface. When I use on a low traffic interface, I do not see any netmap issues.

This would be a good point to highlight in a Redmine bug report posting for pfSense. The sensitivity to traffic loading might be a valuable clue for a FreeBSD or pfSense kernel developer. Please consider posting a bug report on the pfSense Redmine site here: https://redmine.pfsense.org/projects/pfsense.

I don't currently use Suricata and thus not Inline IPS Mode. My home connection is also probably much too slow and has much too little traffic to make the issues with Netmap surface.

Bill

whizzy · « **Reply #6 on:** December 14, 2017, 04:20:21 pm »

I posted to redmine. I will see what kind of answers I get.

Author Topic: NIC's with Suricata Inline mode (Read 374 times)

whizzy

NIC's with Suricata Inline mode

ntct

Re: NIC's with Suricata Inline mode

whizzy

Re: NIC's with Suricata Inline mode

bmeeks

Re: NIC's with Suricata Inline mode

whizzy

Re: NIC's with Suricata Inline mode

bmeeks

Re: NIC's with Suricata Inline mode

whizzy

Re: NIC's with Suricata Inline mode