IPS PPPoE Interface

[juliocbc]

Hi,

I've configured the IPS in two of my firewall interfaces, one a physical interface with static IP address and other with PPPoE. The physical interface I can see alerts as usual, but the PPPoE dont show any alerts.

p.s.: I've HIPS installed in the servers behind (NAT) of the PPPoE and a lot of alerts are showing up.

Anyone with the same problem?

Thanks!

[franco]

PPPoE with IPS is a known FreeBSD limitation. In IDS mode it seems to work.


Cheers,
Franco

[juliocbc]

Hi Franco!

Thanks!!

Do you know if is anyone working to fix it?

[Trevelian]

Hello,

Its a limitation of FreeBSD that can be fixed, or its just not possible ?

I use opnsense for Internet access but also for internal network segmentation, and the performance penalty with suricata IPS on LAN interface is too high. So having it on PPPoe seems more appropriate.

Thanks,
Trevelian.

[bunchofreeds]

Does anyone have any update or further information regarding using IPS on a PPPOE interface.

It would be good to have this working, I can only utilise IPS on the LAN interface currently.

[lox]

I am facing the issue too

[mimugmail]

PPPoE with IPS is a known FreeBSD limitation. In IDS mode it seems to work.


Cheers,
Franco

....

[bunchofreeds]

So OPNsense have to wait for FreeBSD to resolve this, and I'm assuming that may never happen as I wouldn't imagine FreeBSD could care less about IPS with PPPoE...

Bummer

I would like to add that OPNsense IPS works perfectly for me on the LAN interface and honestly this is workable for me.
Still loving the product overall and really appreciate the hard work that is invested to progress it.
It's still easily the best solution for me.

Found this for reference https://forum.opnsense.org/index.php?topic=3630

[mimugmail]

Dont you think IPS will also block tge packets when listening on LAN? Also there will be way less noise in alerts.

[bunchofreeds]

I agree mimugmail, as I stated earlier, IPS on the LAN interface works for me and currently meets my needs.
It does mean that this traffic has already reached my LAN interface however, so depending on the vulnerability,  this could be deemed a security concern for others.

With IPS on a PPPoE interface being unavailable, does this need to be captured as an issue to be resolved?
Apologies if this is already happening or if in fact it does not need to be resolved at all! I understand that this is an issue with FreeBSD, but where does that leave this issue for OPNsense users?

Does there need to be a statement that IPS does not, and will not work for a PPPoE interface.

I assume others could have a valid reason for this to be functional?

Lots of assumptions on my behalf Happy to be told I am wrong

[AdSchellevis]

In a lot of cases you actually want to use the internal network, since most rules depend on some notion about what's local (HOME_NET) and the outside world (!HOME_NET), which gets lost when capturing data post-NAT.

A lot of IDS systems capture data from the switch by the way, which often has similar visibility.

From a security perspective it likely won't make a huge difference if the traffic wasn't intended for the firewall (trying to access a local service, not blocked from the firewall itself). When using IPS on a WAN interface and adding your wan ip to the local (home) networks, chances of false positives increase a lot too, since it would consider all traffic, not only what would pass the firewall.

Since PPPoE isn't a "physical" interface, I don't think it's likely that it will gain netmap support, the framework isn't really intended for it. (vlans need the parent interface too for example)

(We have some comments in the docs about the requirement of netmap support by the way https://docs.opnsense.org/manual/ips.html , but there's always room for improvement)

Best regards,

Ad

[Quetschwalze]

Same issue for me sadly
Unfortunately running Suricata on LAN interface is not an option for me, since Sensei is already active on that interface.
I understand that this needs to be fixed by FreeBSD, but has it been brought to their attention lately? I've only found an old bug on redmine which has been abandoned 2 years ago due to inactivity.