I’m not sure if I completely get the setup. Could you draw a simple sketch with an example flow with more details?
So an ICMP echo request coming from LAN1 will go to TAP1 and into Suricata and afterwards be forwarded through TAP2 to the target at LAN2?
But the echo reply will also end up at TAP1?
I don’t want to say this won’t work, but it’s hard to tell upfront; it would require testing.
Since it’s coming from a TAP to another TAP, is this a copy of the actual traffic?