Messages

1

17.7 Legacy Series / Re: Transparent Bridge : IDS to IPS blocks all traffic

« on: January 24, 2018, 06:24:48 pm »

I have these placed between my edge firewall and internal switch at a few branch offices.
   Transparent bridge between two interfaces, Suricata running against the internal  facing NET2 interface .
 
I don't have anything useful in the logs to tell me whats happening to suricata when it gets restarted in netmap mode.  Hence my question . "how can I debug netmap or suricata on the device to troubleshoot what's failing when i transition to IPS mode"

I have more than one of these to test with in the lab.

2

17.7 Legacy Series / Transparent Bridge : IDS to IPS blocks all traffic

« on: January 24, 2018, 02:13:43 am »

My scenario is :quad core j1900 appliance with 4 x intel ( PRO/1000 Network Connection, Version - 2.5.3-k )
   4gb ram, ssd, OS 17.7.11
 LAN0 - (igb0) Management interface , static ip, openvnp to my NMS
 WAN1 and NET2 (igb1 and igb2) are a bridge (BRIDGE0) .

My intention is to run a transparent IPS on the bridge interface. 
 In IDS mode, suricata runs flawlessly doing everything I expect.
  When I transition to IPS mode, the system stops passing traffic on the bridge interface.
  When suricata transitions to netmap mode it fails, and opnsense locks up.

I have set all offloading to off.

I have followed this guide:
   https://docs.opnsense.org/manual/how-tos/ips.html
and then double checked a few settings against this one for general omissions
   https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
I also reviewed the notes the the bottom of this thread :
   https://forum.opnsense.org/index.php?topic=3934.0

Looking through the logs I see nothing that helps diagnose the problem.

My question is how can I debug netmap or suricata on the device to troubleshoot what's failing when i transition to IPS mode? 

Thanks for your help, 

Mpdsville
    Competent Unix and Linux System Admin.