OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: sunmast on March 03, 2022, 09:54:08 pm

Title: IPS mode destroying IPv6
Post by: sunmast on March 03, 2022, 09:54:08 pm
Does anyone have problems with IPS + IPv6?

When everything else is running fine including IDS, as soon as IPS mode is enabled, the ISP-assigned IPv6 is gone from the WAN interface, and then the WAN interface keeps going up and down forever. I need to disable IPS and issue a reboot to recover.

Attached the screenshot on the console. igb1 is the WAN interface. It seems some IPv6 forwarding isn't working properly when IPS is enabled.

I've only enabled OPNsense-* rule-sets in the Intrusion Detection service.
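The symptom described in this post (WAN link flapping after IPS is enabled, with the global IPv6 address gone from the interface) can be confirmed from the kernel log and from ifconfig output rather than by watching the console. The following POSIX sh script is an added example, not code from the thread or from OPNsense: the log lines and ifconfig output it parses are constructed samples (the "link state changed to" wording is FreeBSD's own kernel message, the interface name igb1 comes from the post, and the addresses are from the RFC documentation ranges). On a real box the functions would be fed `grep kernel /var/log/messages` and `ifconfig igb1` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): detect the two symptoms
# reported above, link flapping and a missing global IPv6 address, from
# FreeBSD kernel log lines and ifconfig output.

# Constructed sample syslog lines; the message text matches what FreeBSD's
# if_link_state_change() prints. igb1 is the WAN interface from the post.
SAMPLE_LOG='Mar  3 21:50:01 opnsense kernel: igb1: link state changed to DOWN
Mar  3 21:50:04 opnsense kernel: igb1: link state changed to UP
Mar  3 21:50:09 opnsense kernel: igb1: link state changed to DOWN
Mar  3 21:50:12 opnsense kernel: igb1: link state changed to UP
Mar  3 21:50:12 opnsense kernel: igb0: link state changed to UP'

# Constructed ifconfig-style output for the WAN interface in the broken state:
# only the link-local address is left, the ISP-assigned global one is gone.
SAMPLE_IFCONFIG_BROKEN='igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%igb1 prefixlen 64 scopeid 0x2
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# Same interface in the healthy state, with a global (2001:db8::/32) address.
SAMPLE_IFCONFIG_OK='igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%igb1 prefixlen 64 scopeid 0x2
	inet6 2001:db8:1234::10 prefixlen 64
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# count_flaps IFACE: read kernel log lines on stdin and print how many
# link state transitions IFACE went through. Always prints a number.
count_flaps() {
    awk -v ifc="$1" \
        '$0 ~ ("kernel: " ifc ": link state changed to") { n++ } END { print n + 0 }'
}

# is_flapping IFACE THRESHOLD: succeed when IFACE changed link state more
# than THRESHOLD times in the log read on stdin.
is_flapping() {
    n=$(count_flaps "$1")
    [ "$n" -gt "$2" ]
}

# has_global_inet6: read ifconfig output on stdin and succeed only if an
# inet6 address is present that is neither link-local (fe80::/10) nor ::1.
has_global_inet6() {
    awk '$1 == "inet6" && $2 !~ /^[fF][eE][89aAbB]/ && $2 != "::1" { found = 1 }
         END { exit !found }'
}

# report IFACE: print a verdict for the constructed samples. Always returns 0
# so the script can be sourced without aborting a caller that uses set -e.
report() {
    ifc=$1
    if printf '%s\n' "$SAMPLE_LOG" | is_flapping "$ifc" 2; then
        echo "$ifc: link is flapping ($(printf '%s\n' "$SAMPLE_LOG" | count_flaps "$ifc") transitions)"
    else
        echo "$ifc: link stable"
    fi
    if printf '%s\n' "$SAMPLE_IFCONFIG_BROKEN" | has_global_inet6; then
        echo "$ifc: global IPv6 address present"
    else
        echo "$ifc: no global IPv6 address (only link-local left)"
    fi
    return 0
}

report igb1
```

Both functions read their input from stdin, so the same checks work against live data: `grep kernel /var/log/messages | is_flapping igb1 2` and `ifconfig igb1 | has_global_inet6`.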
Title: Re: IPS mode destroying IPv6
Post by: sunmast on March 14, 2022, 09:49:53 pm
This is 100% repro... Anyone using IPv6 here?
Title: Re: IPS mode destroying IPv6
Post by: franco on March 15, 2022, 07:57:37 am
Unfortunately FreeBSD 13 seems to react differently to IPS use in intrusion detection. We have adjusted the code a little on IPv6 to not listen to detach events caused by enabling IPS mode (even the one late at boot):

https://github.com/opnsense/core/commit/c6a8090de

This patch will be part of 22.1.3 and you can help test it now on 22.1.2 via:

# opnsense-patch c6a8090de


Cheers,
Franco
Title: Re: IPS mode destroying IPv6
Post by: agh1701 on March 17, 2022, 12:15:45 am
Do you have Realtek NICs? Never mind, I see now that you don't.
Title: Re: IPS mode destroying IPv6
Post by: sunmast on March 18, 2022, 09:12:44 pm
Hi Franco, thanks for the quick fix, but the issue is still there :(

Yesterday I upgraded it to 22.1.3 and enabled IPS mode again. The improvement is that IPv6 keeps running for a while (maybe 15 minutes), and then the WAN interface keeps going up and down again.

I'm not sure if this is only happening to me. I'm passing through an I340 adapter into a Hyper-V VM via DDA. There isn't anything else special in my setup.

Do you want me to collect some logs for debugging? Thanks!

Quote from: franco on March 15, 2022, 07:57:37 am
Unfortunately FreeBSD 13 seems to react differently to IPS use in intrusion detection. We have adjusted the code a little on IPv6 to not listen to detach events caused by enabling IPS mode (even the one late at boot):

https://github.com/opnsense/core/commit/c6a8090de

This patch will be part of 22.1.3 and you can help test it now on 22.1.2 via:

# opnsense-patch c6a8090de


Cheers,
Franco
Title: Re: IPS mode destroying IPv6
Post by: sunmast on March 23, 2022, 07:21:37 am
After extensive research I realized I'm hitting the same issue here: https://forum.opnsense.org/index.php?topic=27299.0

Disabled MAC spoofing and now it's mostly working.

However, I still can't enable it on the LAN interface where an IPv6 address is assigned (causing the same interface up/down issue). Still investigating...
Title: Re: IPS mode destroying IPv6
Post by: joeyboon on August 10, 2022, 08:16:26 am
Hi Sunmast,

I'm wondering if you ever found a solution. I'm still experiencing the same problem. I used to use IPS on my LAN interface (with VLANs), but this broke when I upgraded. I switched off IPS, since I did not have the time to troubleshoot at the time. As soon as I turn it on, the interface switches off. I also have hardware offloading disabled and selected the physical interface. Hopefully you managed to solve this! :)
Title: Re: IPS mode destroying IPv6
Post by: joeyboon on August 19, 2022, 12:15:45 pm
Anyone else that still has issues? Hopefully someone has been able to fix it.