OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Pocket_Sevens on August 23, 2019, 09:18:31 pm

Title: Suricata, LAN and VLAN
Post by: Pocket_Sevens on August 23, 2019, 09:18:31 pm
I've noticed a funny issue trying to set up Suricata on my LAN side, especially with regards to my IOT devices connecting to the internet (wall switches, plugs, thermostats, etc.).  Just to give some background, here's my setup:

WAN: from Google Fiber (tagged with VLAN 2 as required by GF)
LAN: does not have a VLAN tag on it.  Use this for my PC connection.
LAN.VLAN10: A separate VLAN where all of my IOT devices are connected (so that they cannot talk to the devices on the other LAN connection).

(BTW, running LEDE on an AC1750 Archer C7 as an Access Point)

OPNSense/Suricata setup:

Disable Hardware Checksum Offload:  Checked
Disable Hardware TCP Segmentation Offload:  Checked
Disable Hardware Large Receive Offload:  Checked
VLAN Hardware Filtering: I've had this on both "Leave Default" and on "Disable" for testing.

Intrusion Detection Enabled: Checked
IPS Mode:  Checked
Promiscuous Mode:  Unchecked
Interfaces:  WAN

I have no problems just on the WAN side.  However, when I try to add LAN by itself, I no longer have access to my IOT devices from outside my home and my IOT devices lose internet connectivity.  If I add LAN/LAN.VLAN10, the IOT devices connect but again I cannot control them from outside.  Once I remove LAN/LAN.VLAN10 and only have WAN selected, everything works fine.

Has anyone gotten Suricata working with IOT devices?  I'd love to get your input.

Thanks in advance.
Title: Re: Suricata, LAN and VLAN
Post by: GuruLee on January 07, 2021, 10:46:50 pm
I also lose Internet connectivity when I add my LAN to Suricata and enable IPS mode. I'm using VLANs as well and a single Ethernet interface. It works fine with just WAN selected. Suricata in IDS mode works fine with all VLANs selected, though.
Title: Re: Suricata, LAN and VLAN
Post by: Headless1919 on January 07, 2021, 10:59:22 pm
For IPS and VLANs, you should enable Promiscuous Mode. I run IPS on my LAN with multiple VLANs, without any issues.

Try enabling that and see if it makes any difference.
Title: Re: Suricata, LAN and VLAN
Post by: Julien on January 15, 2021, 10:49:15 pm
> For IPS and VLANs, you should enable Promiscuous Mode. I run IPS on my LAN with multiple VLANs, without any issues.
>
> Try enabling that and see if it makes any difference.

I have exactly the same problem. Remote users on VLANs cannot connect after I enable the IDS on the LAN.
I cannot run it on LAN, with promiscuous mode or without it. It crashes my connection.
I cannot see why I have to run it on the WAN, as it is already dropping anything not allowed.
Title: Re: Suricata, LAN and VLAN
Post by: npiersma on January 19, 2021, 04:24:19 pm
Hi all,

I seem to encounter the same issues. I have 3 setups running IDS/IPS.

The first setup is a VM guest with 3 interfaces (vmx0, vmx1, vmx2).
IDS/IPS is configured with no VLANs or laggs, so promiscuous mode is not selected.
This is working like a rocket; the only issue is that real-time traffic graphs (REPORTING/TRAFFIC) are not working once you enable IDS/IPS. I think there is already a case open for that as well.

The second setup is a DEC2670 (cluster) with VLAN interfaces.
IDS is configured on VLANs, so promiscuous mode is selected.
As soon as I enable IPS, no more traffic is possible from inside. The only way to recover is to restore a backup.

The third setup is a DEC4610 (single) with lagg interfaces.
IDS is configured on VLANs + laggs, so promiscuous mode is selected.
As soon as I enable IPS, no more traffic is possible from inside. The only way to recover is to restore a backup.

I think there is an issue with VLANs and lagg. The documentation is also not clear: do I only need to select the physical interface, the lagg interface or the VLAN interface, or all of them, for it to work?

I am pretty confident that it works perfectly with normal interfaces, but as soon as laggs or VLANs appear it is kinda unpredictable...
Niels
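As an added illustration (not code from the thread, from OPNsense or from Suricata): a small Python checker that parses FreeBSD-style `ifconfig` output, as found on an OPNsense box, and reports for each interface selected for IPS whether it is a VLAN or lagg interface that lacks the PROMISC flag (the Promiscuous Mode advice given above), which parent a VLAN interface sits on (npiersma's question about selecting the physical, lagg or VLAN interface), and whether that parent still has VLAN_HWFILTER enabled (the "VLAN Hardware Filtering" setting the original poster toggled while testing). The interface names, MAC addresses and flag sets in `SAMPLE_IFCONFIG` are constructed for the example, and the check encodes only what the thread reports: VLAN and lagg interfaces are flagged when promiscuous mode is off, plain physical interfaces are not.

```python
"""Check interfaces chosen for Suricata IPS against FreeBSD-style ifconfig output.

Added example; the sample output below is constructed, not captured from a real box.
"""
import re

# Constructed ifconfig output in FreeBSD style: two NICs, a WAN VLAN (2) on igb0,
# an IoT VLAN (10) on igb1, and a LACP lagg. igb1 already has PROMISC set.
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4e524bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO>
\tether 00:00:00:00:00:01
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4e520bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
\tether 00:00:00:00:00:02
igb0_vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:00:00:00:01
\tgroups: vlan
\tvlan: 2 vlanpcp: 0 parent interface: igb0
igb1_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:00:00:00:02
\tgroups: vlan
\tvlan: 10 vlanpcp: 0 parent interface: igb1
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:00:00:00:03
\tlaggproto lacp lagghash l2,l3,l4
\tlaggport: igb2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: igb3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tgroups: lagg
"""

HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
VLAN_RE = re.compile(r"vlan: (\d+) .*parent interface: (\S+)")
LAGGPORT_RE = re.compile(r"laggport: (\S+)")
OPTIONS_RE = re.compile(r"options=[0-9a-f]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {name: {flags, vlan, parent, lagg_ports, hwfilter}} from ifconfig text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # interface header line: "name: flags=NNNN<A,B,C> ..."
            current = m.group(1)
            ifaces[current] = {
                "flags": set(filter(None, m.group(2).split(","))),
                "vlan": None, "parent": None, "lagg_ports": [], "hwfilter": False,
            }
            continue
        if current is None:
            continue
        detail = line.strip()
        m = VLAN_RE.match(detail)
        if m:  # "vlan: 10 vlanpcp: 0 parent interface: igb1"
            ifaces[current]["vlan"] = int(m.group(1))
            ifaces[current]["parent"] = m.group(2)
            continue
        m = LAGGPORT_RE.match(detail)
        if m:  # one member port of a lagg
            ifaces[current]["lagg_ports"].append(m.group(1))
            continue
        m = OPTIONS_RE.match(detail)
        if m:  # hardware offload/filter options of a physical NIC
            ifaces[current]["hwfilter"] = "VLAN_HWFILTER" in m.group(1).split(",")
    return ifaces


def interface_kind(info):
    if info["vlan"] is not None:
        return "vlan"
    if info["lagg_ports"]:
        return "lagg"
    return "physical"


def check_ips_interfaces(ifaces, selected):
    """For each selected IPS interface, list findings a defender should review.

    An empty list means nothing the thread reports as problematic was found.
    """
    report = {}
    for name in selected:
        findings = []
        info = ifaces.get(name)
        if info is None:
            report[name] = ["interface not present in ifconfig output"]
            continue
        kind = interface_kind(info)
        # Thread advice: IPS on VLAN/lagg interfaces needs Promiscuous Mode.
        if kind in ("vlan", "lagg") and "PROMISC" not in info["flags"]:
            findings.append(f"{kind} interface without PROMISC: enable Promiscuous Mode")
        if kind == "vlan":
            parent = ifaces.get(info["parent"])
            findings_note = f"VLAN {info['vlan']} rides on parent {info['parent']}"
            if parent and parent["hwfilter"]:
                findings_note += " which still has VLAN_HWFILTER enabled (review the VLAN Hardware Filtering setting)"
                findings.append(findings_note)
        report[name] = findings
    return report


if __name__ == "__main__":
    ifs = parse_ifconfig(SAMPLE_IFCONFIG)
    for iface, notes in check_ips_interfaces(ifs, ["igb0", "igb0_vlan2", "igb1_vlan10", "lagg0"]).items():
        print(iface, "->", notes or ["ok"])
```

Run it against real output with `ifconfig -v | python3 check_ips.py` adapted to read stdin; the point of the split between `parse_ifconfig` and `check_ips_interfaces` is that the same check can be applied to any interface list taken from the IPS "Interfaces" selector without touching the running firewall.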