vlan issues - in combination with IPS (IDS works)

Started by fireburner, January 28, 2022, 10:47:48 PM


I had the same issue but I have it working now.
I have OPNsense setup with a trunk and vlan sub interfaces. As mentioned elsewhere I needed to create an assignment for the physical interface, then within the interfaces screen for the physical interface I set interface to enabled, I left the Configuration Types as None and enabled Promiscuous mode.
I then went to Service / Intrusion Detection / Administration and enabled the service, turned on IPS Mode and left promiscuous mode as off (as it is now set on the physical).
Since doing this the firewall and IPS have been stable.
Hope this helps

Quote from: Rober on February 08, 2022, 05:39:12 PM
...assignment for the physical interface, then within the interfaces screen for the physical interface I set interface to enabled, I left the Configuration Types as None and enabled Promiscuous mode.
I then went to Service / Intrusion Detection / Administration and enabled the service, turned on IPS Mode and left promiscuous mode as off (as it is now set on the physical).
Since doing this the firewall and IPS have been stable.
Hope this helps
I don't quite get this - I also have assignments on LAN and WAN side. On LAN side, I have an assignment called LAN on the physical interface, but I need to set up things like the IP address for LAN etc. on that page (I cannot leave it at "None"). Also I do not see the option for promiscuous mode on that assignment page. Similar on WAN, where I have an assignment "WAN" to my PPPoE connection, where I also need to have settings to get it working at all. Also there I do not see the promiscuous option.
Nevertheless I disabled promiscuous mode on the IPS page (as I only selected LAN and WAN there). Will see if it still blocks. If so, I might try the update to 22.1 then. But if more people having this problem could report their experience, it would be highly appreciated.

The problem is that yours is not specific enough. Do you use VLANs at all?

Thanks for your comment, I checked my set-up:
On WAN side I have a PPPoE device using igb0, called pppoe0. Then I have another PPPoE device with VLAN for my ISP, which is running on igb0_VLAN40. This is defined as WAN in assignments - so you are right, I realized I'm not running WAN on the physical but on the VLAN. I will assign another name to the pure physical and use this in IPS and see if that still works.
On LAN side I have 4 VLANs defined, while "LAN" is assigned to igb1 only.
[edit]
Right - on WAN I was not using IPS on the VLAN interface. I have now added the physical interface in assignments, as mentioned by Rober, enabled it w/o further configuration and changed IPS to that interface. This works if promiscuous is disabled and blocks traffic (even more than before). Otherwise it shows the same behaviour as described in the opening post.
Thanks for the hints! Will report after migration to 22.1.

After running 22.1 now for a few days - IPS is not stable, also with now correct set-up on either the physical WAN or LAN.
Also Zenarmor, which I installed now as an alternative on the LAN, runs OK (a bit slow), but also from time to time causes some disruption of network connections. But at least LANs and WAN remain up in general.
But switching on IPS shuts down connections more or less immediately.

Quote from: sushifish on February 14, 2022, 11:08:51 AM
After running 22.1 now for a few days - IPS is not stable, also with now correct set-up on either the physical WAN or LAN.
Also Zenarmor, which I installed now as an alternative on the LAN, runs OK (a bit slow), but also from time to time causes some disruption of network connections. But at least LANs and WAN remain up in general.
But switching on IPS shuts down connections more or less immediately.

Do you use VLANs?

Quote: Do you use VLANs?

Yes, I need a VLAN on the WAN for my ISP and also internally on the LAN.
ISP / IPS and Zenarmor run only on the physical interface (physical WAN assigned with "nothing" as IP; on the physical LAN I have assigned a static IPv4 / IPv6 as track interface). I just realized this difference in IP addresses - do I need an IP assigned on the physical LAN? Access is not done via this address, actually. Might this be a cause of the problems?


I have a quite similar setup:
I have no VLAN on the WAN side.
On LAN side there is a trunk with several VLANs defined. I also enabled the physical interface with no config and promiscuous mode enabled. In IPS settings only the physical interface is selected. Promiscuous mode is disabled.
After enabling IPS the network connections are interrupted when the Suricata log says: all 1 packet processing threads, 4 management threads initialized, engine started.

Not testing for long, but seems stable now.
What I missed in my set-up was not only to disable all off-loading, but also the "VLAN Hardware filtering", which is enabled by default. Setting it to disabled lets me run Suricata in IPS mode stable for a few hours now, while before the problems came very soon.
I found that in an earlier thread - also for me the help text "disable all hardware offloading" was misleading, as I did not know that it also would include the VLAN hardware filtering and that "default" means enabled.
Unfortunately a bug report to change that help text to be more descriptive was turned down at that time...
So having enabled the physical device for WAN with no config, and disabling offloading + VLAN filtering seems to be needed. Hope it helps also others with the same problem. Will report if it remains stable for the next days.
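The check the post above describes, as an added example that is not part of the thread: a POSIX sh audit of a FreeBSD/OPNsense NIC's `ifconfig` output for the offload flags (including the separately toggled VLAN_HWFILTER) and the `ifconfig` command that clears them. The flag and keyword names are the FreeBSD ifconfig(8) ones; the sample output is constructed.

```sh
# Added example (not from the thread): audit an OPNsense/FreeBSD NIC's
# ifconfig(8) output for hardware features that the posts above found must
# be off on a physical VLAN trunk before Suricata IPS is stable.
# The sample output below is constructed, not captured from a real box.

# Offload flags to clear. VLAN_HWFILTER is not covered by the GUI's
# "disable all hardware offloading" text and defaults to enabled.
IPS_UNSAFE_FLAGS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWFILTER"

# Print, space separated, the unsafe flags still set in ifconfig output.
# $1: full `ifconfig igbN` output or just its options= line.
audit_offload() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' | tr ',' ' ')
    found=""
    for want in $IPS_UNSAFE_FLAGS; do
        for have in $flags; do
            if [ "$want" = "$have" ]; then found="$found $want"; fi
        done
    done
    printf '%s\n' "${found# }"
}

# Build the one-shot ifconfig command that clears the reported flags.
# $1: interface name, $2: output of audit_offload (FreeBSD ifconfig(8) keywords).
fix_command() {
    cmd="ifconfig $1"
    for f in $2; do
        case $f in
            RXCSUM)        cmd="$cmd -rxcsum" ;;
            TXCSUM)        cmd="$cmd -txcsum" ;;
            TSO4|TSO6)     # a single -tso clears both TSO4 and TSO6
                case $cmd in *" -tso"*) ;; *) cmd="$cmd -tso" ;; esac ;;
            LRO)           cmd="$cmd -lro" ;;
            VLAN_HWFILTER) cmd="$cmd -vlanhwfilter" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Constructed sample: offloading was disabled in the GUI but
# "VLAN Hardware Filtering" was left at its default of enabled.
SAMPLE='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e527bb<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>'

STILL_ON=$(audit_offload "$SAMPLE")
if [ -n "$STILL_ON" ]; then
    echo "igb0 still has: $STILL_ON"
    fix_command igb0 "$STILL_ON"
fi
```

On a live box, feed `audit_offload "$(ifconfig igb0)"` and review the printed command before applying it.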

Update: Running stable on WAN. Activating on LAN (same igb network card, same settings on card) I'm still having issues.
Finally got around to enabling this myself and I'm seeing the same behavior on 22.7.10_2. Huge bummer.