OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Vexz on November 17, 2023, 07:39:59 pm

Title: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: Vexz on November 17, 2023, 07:39:59 pm
I just found this article: IPS Bypass local traffic from inspection (https://docs.opnsense.org/manual/how-tos/ips-bypass.html)

It made me curious to try Suricata again. You see, I depend on a PPPoE connection from my ISP for WAN and I get a dynamic IPv6 prefix. The PPPoE connection means that I can't use my WAN port in Suricata. Now I'd like to let Suricata bypass any traffic from any local machine to any other local machine in my home LAN. The article linked above explains what to do to make it work for IPv4, which is good. The problem here is the IPv6 part. The article states to create a rule with my prefix. But because my prefix is dynamic, the rule won't work any longer after a reboot or reset of the PPPoE connection. So what options do I have here? Aliases don't work.
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: meyergru on November 17, 2023, 09:22:06 pm
I do not know Suricata, but OPNsense firewall aliases with dynamic IPv6 prefixes DO work: Try type "Dynamic IPv6 host". You only specify the EUI-64 of the device, the prefix is added according to the specified interface.

BTW: You cannot use a firewall / router to filter any traffic that is on the same LAN / network / collision domain as it does not pass the router at all. You can do that only for routed local traffic. The link you gave is for cross-network traffic between different subnets of 10.0.0.0/8, all specified by a single rule.

If you want to pass IPv6 traffic between different local IPv6 networks, you could pass any IPv6 traffic between the interfaces of the interface networks which are then dynamically assigned.
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: Vexz on November 17, 2023, 10:12:20 pm
I do not know Suricata
It's the IDS/IPS that OPNsense comes with (https://docs.opnsense.org/manual/ips.html).

but OpnSense firewall aliases with dynamic IPv6 prefixes DO work
Yes, but only for the firewall part. Suricata has some individual user defined rules as it seems and aliases from Firewall > Aliases don't work there. I've tried that.

BTW: You cannot use a firewall / router to filter any traffic that is on the same LAN / network / collision domain as it does not pass the router at all.
That's what I thought too but when I enable IPS I can't even access my NAS anymore which is just connected via a layer 2 switch with my computer - no firewall or anything else between these two devices. Just the switch. So somehow IPS does seem to have some impact on that.
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: meyergru on November 18, 2023, 08:55:38 am
I meant what Suricata is, but I have not used it. Actually, whenever I enabled it, it hurt my inter-VLAN performance.

I see the problem now. Probably there are two remedies:

1. Find out which IPv6 prefixes your ISP assigns to you. You can look them up in their autonomous system (AS). All of the /56 prefixes must be from a larger prefix they can use. You can then take that larger prefix for your rules. This assumes that the firewall rules on the WAN interface still take precedence, otherwise your ISP "neighbors" could bypass your firewall.

2. If you absolutely must use IPv6 for internal traffic, assign ULAs, which are the closest equivalent to RFC1918 networks.
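Worked example of the two remedies above, added here and not taken from the thread or from OPNsense: it checks that the currently delegated prefix really lies inside the ISP aggregate, quantifies how many other customers' prefixes a pass rule for the aggregate would also exempt (the "neighbors" caveat), and renders the static bypass set (RFC1918, ULA, link-local) plus the aggregate as raw Suricata pass rules. The aggregate (the documentation prefix 2001:db8::/32) and the /56 are constructed placeholders; the rules are in Suricata's own rule syntax rather than the fields of OPNsense's user-defined rule form, so they are meant as a check on what such a form should produce.

```python
import ipaddress

# Constructed sample values, not taken from the thread: the IPv6 documentation
# prefix 2001:db8::/32 stands in for the ISP's aggregate block, and the /56
# below for the prefix the ISP happens to delegate today.
ISP_AGGREGATE = "2001:db8::/32"
DELEGATED_PREFIX = "2001:db8:1234:5600::/56"

# Ranges that never change, so they are safe in a static pass rule.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ULA = "fc00::/7"          # IPv6 unique local addresses, the RFC1918 equivalent
LINK_LOCAL = "fe80::/10"  # never routed, but still seen by an IPS bound to the interface


def prefix_in_aggregate(prefix, aggregate):
    """True if the currently delegated prefix lies inside the ISP aggregate."""
    return ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(aggregate))


def bypass_scope(prefix, aggregate):
    """Number of prefixes of the delegated size that a pass rule written for the
    aggregate covers. All but one of them belong to other customers of the ISP."""
    p, a = ipaddress.ip_network(prefix), ipaddress.ip_network(aggregate)
    if not p.subnet_of(a):
        raise ValueError(f"{prefix} is not inside {aggregate}")
    return 2 ** (p.prefixlen - a.prefixlen)


def pass_rule(sid, network, msg):
    """Render one Suricata pass rule exempting traffic that stays inside `network`.
    IPv6 networks are bracketed, which Suricata's address grammar accepts."""
    net = f"[{network}]" if ":" in network else network
    return f'pass ip {net} any -> {net} any (msg:"{msg}"; sid:{sid}; rev:1;)'


def build_rules(prefix, aggregate, start_sid=9000001):
    """Assemble the bypass rule set. The aggregate rule is emitted only when the
    delegated prefix really is inside it; otherwise it would exempt nothing local
    and only widen the hole. sids from 9000000 up are a private range (assumption)."""
    networks = list(RFC1918) + [ULA, LINK_LOCAL]
    if prefix_in_aggregate(prefix, aggregate):
        networks.append(aggregate)
    return [
        pass_rule(start_sid + i, net, f"bypass local traffic inside {net}")
        for i, net in enumerate(networks)
    ]


if __name__ == "__main__":
    print(f"{DELEGATED_PREFIX} inside {ISP_AGGREGATE}: "
          f"{prefix_in_aggregate(DELEGATED_PREFIX, ISP_AGGREGATE)}")
    print(f"pass rule for the aggregate also covers "
          f"{bypass_scope(DELEGATED_PREFIX, ISP_AGGREGATE) - 1} other customer /56s")
    for rule in build_rules(DELEGATED_PREFIX, ISP_AGGREGATE):
        print(rule)
```

The scope figure is the price of remedy 1: with a /32 aggregate and /56 delegations, 2^24 - 1 foreign prefixes ride on the same pass rule, which is why the WAN firewall rules must keep dropping unsolicited inbound traffic before Suricata ever sees it. Remedy 2 avoids that entirely, since the fc00::/7 rule is static and only ever matches addresses you assigned yourself.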
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: Vexz on November 18, 2023, 12:27:48 pm
1. Find out which IPv6 prefixes your ISP assigns to you. You can look them up in their autonomous system (AS). All of the /56 prefixes must be from a larger prefix they can use. You can then take that larger prefix for your rules. This assumes that the firewall rules on the WAN interface still take precedence, otherwise your ISP "neighbors" could bypass your firewall.
Thanks, that was a good hint. I found the range of IPv6 addresses my ISP gives its customers. Now that means no traffic from other customers of my ISP is being monitored by IDS. Still better than no IDS/IPS at all. God, I hate dynamic IPv6 prefixes so much.

2. If you absolutely must use IPv6 for internal traffic, assign ULAs, which are the closest equivalent to RFC1918 networks.
I only have one LAN and don't even make use of VLANs. It's a very simple setup. Hence I never saw the need to use ULAs and just use the link-local IPv6 addresses (fe80::/10). But I can't force my devices to only use the link-local addresses to communicate. I also added a new user defined rule specifically for this.

For now the only problem I have is that I can't access my OPNsense's web UI properly anymore. It loads extremely slowly and most of the time not even the whole website. I can't figure out why that is.
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: meyergru on November 18, 2023, 12:40:07 pm
I only have one LAN and don't even make use of VLANs. It's a very simple setup. Hence I never saw the need to use ULAs and just use the link-local IPv6 addresses (fe80::/10). But I can't force my devices to only use the link-local addresses to communicate. I also added a new user defined rule specifically for this.

Then you do not need a bypass rule at all, do you? Essentially, the user-defined rule is there to keep Suricata from inspecting the local traffic, avoiding slowing it down. But "local traffic" over the firewall can only occur between different interfaces. If you have only one, there is no need for optimization.

I learned that now as well. As I said, I disabled Suricata because it slowed local traffic down so much. Now I have established the exceptions for RFC1918 and it is fine so far.

For now the only problem I have is that I can't access my OPNsense's web UI properly anymore. It loads extremely slowly and most of the time not even the whole website. I can't figure out why that is.

Is that also Suricata-induced? If so, I suggest adding the RFC1918 rules as well, as you probably access the web UI via IPv4.
Title: Re: User defined rules with dynamic IPv6 prefix possible somehow?
Post by: Vexz on November 18, 2023, 03:24:42 pm
Then you do not need a bypass rule at all, do you? Essentially, the user-defined rule is there to keep Suricata from inspecting the local traffic, avoiding to slow it down. But "local traffic" over the firewall can only occur between different interfaces. If you have only one, there is no need for optimization.
That's what I thought too but as mentioned in one of my previous posts (https://forum.opnsense.org/index.php?topic=37071.msg181421#msg181421) I couldn't even access my NAS anymore. It's gotten better with these rules. Only the problem with accessing the OPNsense's web UI remains.

Is that also Suricata-induced? If so, I suggest adding the RFC1918 rules as well, as you probably access the web UI via IPv4.
Yes, it is Suricata-induced. And of course I also added the IPv4 addresses according to RFC1918.

Something about this is weird but I think I'm gonna stay without IDS/IPS. Didn't have any problems before without it. Maybe I'll think about adding CrowdSec again but the bouncer didn't have much to do last time so maybe not.