Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Steven-B

#1
26.1, 26,4 Series / Re: Bring down WAN interface
June 10, 2026, 09:19:15 PM
Coming back to my own question :), For those who are interested in this because I know a lot of people are trying to use CARP with a single ISP (DHCP/DHCPv6/...) running into some problems like I do... I am currently scripting this to CARP events so that in case of MASTER/BACKUP the WAN link on the BACKUP stays down until needed.

Bringing the interface down:
pkill -f dhclient
pkill -f dhcp6c
pkill -f rtsold
pkill -f dpinger

ifconfig <iface> -alias <wan-ipv4>

ifconfig <iface> inet6 <wan-ipv6> delete

configctl interface linkup stop <iface>

ifconfig <iface> down

Bringing the interface up again:

configctl interface linkup start <iface>
configctl interface reconfigure <iface>

I might post a full script etc. if wanted...

EDIT: added pkill -f rtsold, noticed interface came back to RUNNING state after a while.

Regards,
Steven
#2
I'm sorry I totally lost track of this!
I can confirm it is working now as it is suppose to, running version 26.1.9 now, not really able to go back to 25.7.10 at the moment or I need to search the archive for an ISO... i think this is not so important anymore as I hope most of us update their infra on a regular base.

Regards,
Steven
#3
26.1, 26,4 Series / Bring down WAN interface
June 10, 2026, 06:31:54 PM
Hi All,

I want to bring down the WAN interface intentionally, preferably scripted for something I would like to test in a CARP setup...
I notice that my script is actually doing what it's suppose to do, but for some reason I cannot bring down the WAN interface on the CARP BACKUP system.

Like for example: ifconfig vtnet0 down, the interface goes back up after several seconds... which is not what I want...
I also have been looking and came by configctl interface linkup stop vtnet0 but it results in the same behaviour...

Is there any way to come around this so I can manually decide what interface should be up or down?

Regards,
Steven
#4
Problem is solved and is browser related (Edge), I changed my browser back to Firefox > problem solved, logs are displayed.
Did not think about it before, already tried resetting Intrusion Detection several times lol :)
#5
Hi,

Is there anyone noticing after upgrading from 25.7.9 to 25.7.10 there are no more logs shown at Intrusion Detection (Suricata) > Alerts, though previously worked fine.

I think it might be a "bug"? because when I check the system it clearly is generating alerts (/var/log/suricata).



Grts,
Steven
#6
Hi all,

After analyzing the logs this evening I realized I made a gigantic typo :)

this:
suppress gen_id 1, sid_id 2030387

should be:
suppress gen_id 1, sig_id 2030387


Problem solved!

Grts,
Steven
#7
Hi all,

I am trying to suppress some SIDs but it seems my threshold.conf is not working.
I tried altering the suricata.yaml configuration file by removing the hashtag at threshold-file: /usr/local/etc/suricata/threshold.conf also tried with custom.yaml and give in the location of the threshold file but I do not seem to succeed...

suppress gen_id 1, sid_id 2030387

I've also tested with other rules with and without adding track by_src | by_dst, ip xxx.xxx.xxx.xxx but  whatever I am doing, it wont suppress the alerts.
Does anyone else has this problem?

I am on OPNsense 25.1.9_2-amd64 which is using Suricata 7.0.10.

Greetings,
Steven