
Author Topic: Suricata with inline mode and problematic constellations


Offline DaReaLDeviL

Suricata with inline mode and problematic constellations
« on: February 25, 2018, 04:37:24 am »
Hi Folks,

I'm actually running pfSense version 2.4.2-RELEASE-p1 (amd64) with Suricata 4.0.3_1 on ESXi 6.5 and an Intel I350-T4 4xGbE NIC.

And now I want to use Inline Mode because I think it's a lot better, because no packet crosses pfSense without being checked. So now I have 3 networks behind it with traffic shaping and OpenVPN. Is there any known drawback or issue with that kind of configuration, or anything else that I need to know before running into all kinds of issues?

All plugins that I'm running:
Open-VM-Tools 10.1.0,1
openvpn-client-export 1.4.14
pfBlockerNG 2.1.2_2
suricata 4.0.3_1

« Last Edit: February 25, 2018, 05:29:51 am by DaReaLDeviL »
VM PFSense 2.3.3 (amd64) on Dell PowerEdge T410
Xeon E5620 @ 2.40GHz 2 CPUs: 1GB Ram: 12GB Disk
ISP (MNet) <-> 1xModem (Vigor 130) <-> 1xWan, 3xLan (PFSense)

Offline danjor404

Re: Suricata with inline mode and problematic constellations
« Reply #1 on: February 25, 2018, 08:52:11 am »
Hi DaReaLDeviL,

Bill Meeks has a good explanation of what Inline Mode is and its benefits over Legacy Mode here:

The biggest issue with inline mode is hardware compatibility and stability. When running on a physical machine, FreeBSD's netmap only supports a limited number of NIC chipsets. Supported list of adapters:

But as for running it in a virtualized environment, I'm not sure if pfSense's netmap supports VMware adapters. Maybe someone has already tested and can chime in on this. If it is supported, I would think it would require you to configure SR-IOV (which your NIC does support) on your VMware host. If you're not in a production environment, I'd say snapshot and see if it works. Hope that helps.