IPS in VLAN only environment

[skywalker007]

I haven't used the IPS so far and currently working on making use of it.
From what I  gatherered so far, blocking does not work on VLANs, correct? So i would need to change my complete network architecture?
So far, on LAN side I have everything VLAN'ed and WAN runs PPPoE over VLAN7 (DT VDSL).

[Oliver]

After some experimentation I was able to successfully run Suricata in IPS mode with local VLANs on OPNsense 19.7.

Hardware tested:

• ZOTAC ZBOX PRO CI329 nano: Intel Celeron N4100, 2 x Realtek PCIe GBE (re), 8 GB RAM
• Thomas Krenn LES v3: Intel Celeron N3160, 2 x Intel i211AT (igb), 4 GB RAM

Topology:

• WAN: pppoe on igb1/re1
• LAN on igb0/re0 (not used directly)
• VLANS with LAN as parent (all internal hosts connect to one of the VLANs)

The primary problem I have experienced was the total loss of network connectivity (on all interfaces) when switching from IDS to IPS mode. Several workarounds posted elsewhere did not solve the problem but rather introduced new ones (cf. this posting).

It turned out that the most important setting change to avoid total loss of network connectivity was:

• In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering

Other configuration details:

Services > Intrusion Detection > Administration - Settings (in advanced mode):

• Enabled: (checked)
• IPS mode: (checked)
• Promiscuous mode: (checked)
• Pattern matcher: Hyperscan
• Interfaces: LAN
• Home networks: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
• Log package payload: (checked)
• (Other settings left at their defaults.)

I have downloaded and enabled all rules offered by OPNsense with actions set to Drop, except for ET emerging-policy (downloaded and enabled, but action unchanged). Some individual rules were then disabled as deemed necessary.

In the above setting, Suricata did block VLAN traffic and reported "SID 7999999: OPNsense test eicar virus" on the "Alert" tab when running this test on an internal Linux host (on a VLAN):

Code Select Expand

curl http://malware.wicar.org/data/eicar.com > /dev/null

So far everything seems to run pretty stable with a scheduled reboot every 24 hours.

[skywalker007]

Thanks a lot for your extensive feedback. I'll give that a try and let you know if it worked.

[mimugmail]

It turned out that the most important setting change to avoid total loss of network connectivity was:

• In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering

This is the helptext in OPNsense for IPS Mode:

   
Enable protection mode (block traffic).
Before enabling, please disable all hardware offloading first in advanced network.

[Oliver]

It turned out that the most important setting change to avoid total loss of network connectivity was:

• In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering

This is the helptext in OPNsense for IPS Mode:
   
Enable protection mode (block traffic).
Before enabling, please disable all hardware offloading first in advanced network.

Thanks for pointing to this, but I'd like to respectfully disagree:

Interfaces > Settings contains three items which explicitly mention the term offload:

Code Select Expand


Hardware CRC Disable hardware checksum offload
Hardware TSO Disable hardware TCP segmentation offload
Hardware LRO Disable hardware large receive offload


The language used for the item

Code Select Expand


VLAN Hardware Filtering
does not fit into this category. While of course any kind of hardware processing could be labelled as offloading, I had understood the hint you were mentioning as referring to the upper three, more CPU-intensive items only. Another point is that the former three items are disabled by default while the latter is set as "Leave default" without documenting which default this refers to.

The above combination of factors unfortunately lead to a less-than-optimal out-of-box experience and somewhat time-consuming consequences. So I'd suggest the following changes for better usability.

Rename the settings as follows, converting each one to a positive language option with a checkbox, dropping the prior choice of "Leave default" for VLAN Hardware Filtering:

Code Select Expand


Enable Hardware CRC checksum offload             [ ]
Enable Hardware TSO (TCP segmentation offload)   [ ]
Enable Hardware LRO (large receive offload)      [ ]
Enable Hardware VLAN Filtering                   [ ]


Change the help text for IPS mode from

• "Before enabling, please disable all hardware offloading first in advanced network." to
• "Before enabling, please ensure that all Enable Hardware ... options in Interfaces > Settings are turned off. Otherwise you might experience a total loss of network connectivity on the router.

Any opinions on that?

[maweber]

Thanks for pointing to this, but I'd like to respectfully disagree:

---

Any opinions on that?

Disclaimer: I'm a learner. I just don't know what I'm fighting against with all this IPS on VLAN problems.

My gut says your clarification is so perfect to agree, or disagree upon,
if I were you I'd file an improvement request at https://github.com/opnsense/core/issues and link back here for more background. Copy everything around "Rename the settings as follows" and any DEV can judge.

[JasMan]

@Oliver: Thank you for your post. I ran into the same issue :)

[Oliver]

With this pull request merged, explanations are in place which should help to avoid being caught in this trap. Expect this to arrive with OPNsense 20.7.3.

EDIT: Maintainers have chosen to dismiss the above changes. As I cannot see how to contribute constructively without seeing rejects on seemingly arbitrary grounds, I can only hope that someone else will step in and improve usability.

[ReDaLeRt]

After some experimentation I was able to successfully run Suricata in IPS mode with local VLANs on OPNsense 19.7.

Hardware tested:

• ZOTAC ZBOX PRO CI329 nano: Intel Celeron N4100, 2 x Realtek PCIe GBE (re), 8 GB RAM
• Thomas Krenn LES v3: Intel Celeron N3160, 2 x Intel i211AT (igb), 4 GB RAM

Topology:

• WAN: pppoe on igb1/re1
• LAN on igb0/re0 (not used directly)
• VLANS with LAN as parent (all internal hosts connect to one of the VLANs)

The primary problem I have experienced was the total loss of network connectivity (on all interfaces) when switching from IDS to IPS mode. Several workarounds posted elsewhere did not solve the problem but rather introduced new ones (cf. this posting).

It turned out that the most important setting change to avoid total loss of network connectivity was:

• In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering

Other configuration details:

Services > Intrusion Detection > Administration - Settings (in advanced mode):

• Enabled: (checked)
• IPS mode: (checked)
• Promiscuous mode: (checked)
• Pattern matcher: Hyperscan
• Interfaces: LAN
• Home networks: 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
• Log package payload: (checked)
• (Other settings left at their defaults.)

I have downloaded and enabled all rules offered by OPNsense with actions set to Drop, except for ET emerging-policy (downloaded and enabled, but action unchanged). Some individual rules were then disabled as deemed necessary.

In the above setting, Suricata did block VLAN traffic and reported "SID 7999999: OPNsense test eicar virus" on the "Alert" tab when running this test on an internal Linux host (on a VLAN):

Code Select Expand

curl http://malware.wicar.org/data/eicar.com > /dev/null

So far everything seems to run pretty stable with a scheduled reboot every 24 hours.

This post should be fixed.

You saved my day!

Thanks, Oliver!

[Patrick M. Hausen]

But isn't "disabled" the default?

Kind regards,
Patrick

[abulafia]

It turned out that the most important setting change to avoid total loss of network connectivity was:

• In Interfaces > Settings set VLAN Hardware Filtering to Disable VLAN Hardware Filtering

One comment: I highly recommend rebooting after disabling VLAN hardware filtering. I gathered from past experience (not sure) that a reboot would be required to apply that setting.

[nferocious76]

Hi, after successfully running IDS... did you have any drops in performance? like upload and download speeds? thanks!

[abranca]

Hi I link to this discussion to ask for clarification.
I have OPNsense virtualized on proxmox with a network card with 2 dedicated ports (1 WAN and one for LAN).
I have created VLANs on my LAN, in the interface settings I have Hardware CRC, Hardware TSO, Hardware LRO checked (so all disabled) and VLAN Hardware Filtering disabled.

In IPS I have Promiscuous mode enabled but I am not clear on the Interfaces part. Do I have to select LAN because the VLANs are on this physical interface? Why not select the interface assigned to the VLAN?

Thanks for the clarification

[mimugmail]

You only need promisc if vlans are tagged in OPNsense, you dont need it

[GuruLee]

I found this threat extremely helpful! Thank you all.