Enabling IPS on LAN disables VLANS

Started by MTR, May 05, 2020, 12:31:12 PM

May 05, 2020, 12:31:12 PM Last Edit: May 10, 2020, 11:52:16 PM by MTR
Hi,

First off:
I just recently upgraded my home network from a consumer router/WAP (Asus N66U) to a prosumer setup with Opnsense, which is running on a Qotom mini-pc Q470s (i7-4500U, 8GB RAM, dual Realtek 8111E NICs). Along with the upgrade I added a switch (TP-Link TL-SG108E) and a WAP (TP-Link EAP225). My experience in setting up a VLAN network is fairly low (read non-existent), so my problem might be simple PEBKAC, so please go easy on me.  :)

Network layout:
A bridged cable modem connected to Opnsense WAN port. Opnsense LAN port connected to switch port 8. EAP225 connected to switch port 7. RaspPi on port 2. I have set up 3 VLANs: VLAN10 for wired, VLAN20 for WLAN, VLAN30 for WLAN guest network. EAP225 is set up with 2 VLANs, 20 and 30.
Switch configured with 802.1Q VLANs as follows:

VLAN ID  VLAN Name   Member Ports  Tagged Ports  Untagged Ports
1        Default     1-8           -             1-8
10       WIRED_LAN   2-6,8         8             2-6
20       WLAN        7-8           7-8           -
30       WLAN_GUEST  7-8           7-8           -

All ports are by default members of the default VLAN. Can't change that.
Setup seems to work okay: Pi in port 2 gets a 192.168.10.x, WLAN gets 192.168.20.x and WLAN guests get 192.168.30.x IPs.

Problem:
As soon as I enable IPS on the Opnsense LAN interface there is no more connection possible from any of the VLANs. No DHCP, nothing. Even when I set a static IP, no connection.
When I plug my laptop into port 1 on the switch it gets, as expected for that port, a LAN IP in the 192.168.1.x range and connectivity is fine. But when I plug my laptop into another port on the switch (a port with VLAN tagging for VLAN10) it still gets a LAN IP where I'd expect a VLAN10 IP. As soon as I disable IPS on LAN or make Suricata listen on WAN instead of LAN I get a VLAN10 IP.

From what I'm observing I can conclude a couple of things. VLANs are no longer available when Suricata is set to do IPS on the LAN interface. Only LAN addresses are valid. I think wireless clients (both VLAN20 and VLAN30) lose connection because the port on the switch which has my WAP is tagged for 2 VLANs. Wired clients don't have this problem, since they are on a single VLAN-tagged port. They just get a LAN IP instead of a VLAN10 IP and keep connectivity.

I don't understand what is happening and why; could somebody help me out please?

Hm, maybe I should have searched for this issue a bit more before posting... I found a couple of threads here and on netgate forums discussing this issue with Suricata and VLANs. So at least it's not a PEBKAC, that's nice to know.  ;D
One possible solution I read in multiple forums is to disable VLAN Hardware Filtering. But my system crashes hard when I do that. Issue reported with built-in reporter.

For now I have to do with just IDS then, I guess. Bummer.  :-\
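The workaround the poster found in other threads is to disable VLAN hardware filtering on the parent NIC before putting Suricata in IPS mode on it. The script below is an added example, not code from the thread or from OPNsense: it parses ifconfig(8) output for the parent interface, reports whether the VLAN_HWFILTER capability is currently enabled, and prints the runtime command to turn it off. The interface name re0 and both ifconfig samples are constructed for the example (the hex option values do match the listed IFCAP bits); on a real box you would feed it `ifconfig re0` instead.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeBSD/OPNsense parent NIC for
# the VLAN_HWFILTER capability that the forum threads the poster refers to name
# as the setting to disable before running Suricata IPS (netmap) on an
# interface that carries 802.1Q VLAN children.  Interface name re0 and the
# sample ifconfig output below are constructed assumptions, not from the
# poster's box.

# nic_cap_state IFCONFIG_OUTPUT CAPNAME
#   Prints "on" if CAPNAME appears in the options=<...> list of the given
#   ifconfig output (capability currently enabled), else "off".  Only the
#   options= line is inspected; the capabilities= line that `ifconfig -m`
#   adds lists what the driver *could* do and is deliberately ignored.
nic_cap_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*options=/ {
            sub(/^[^<]*</, "")          # drop "options=8209b<"
            sub(/>.*$/, "")             # drop trailing ">"
            n = split($0, caps, ",")
            for (i = 1; i <= n; i++) if (caps[i] == want) found = 1
        }
        END { print (found ? "on" : "off") }'
}

# vlan_hwfilter_state IFCONFIG_OUTPUT -> "on" / "off"
vlan_hwfilter_state() { nic_cap_state "$1" VLAN_HWFILTER; }

# disable_hwfilter_cmd IFNAME -> the ifconfig(8) command that turns the
# capability off at runtime.  This does not survive a reboot; the persistent
# switch is the VLAN Hardware Filtering setting in the OPNsense web UI.
disable_hwfilter_cmd() { printf 'ifconfig %s -vlanhwfilter\n' "$1"; }

# Constructed sample: typical re(4) output with hardware VLAN tag stripping
# (VLAN_HWTAGGING) but no hardware VLAN filtering.
SAMPLE_NO_FILTER='re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 00:11:22:33:44:55
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active'

# Constructed sample: same NIC with VLAN_HWFILTER (IFCAP bit 0x10000) enabled.
SAMPLE_FILTER='re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,LINKSTATE>
	ether 00:11:22:33:44:55
	status: active'

# Stand-alone run: report both samples and the remediation command.
# On a real box:  vlan_hwfilter_state "$(ifconfig re0)"
for s in "$SAMPLE_NO_FILTER" "$SAMPLE_FILTER"; do
    ifname=${s%%:*}
    state=$(vlan_hwfilter_state "$s")
    echo "$ifname: VLAN_HWFILTER $state"
    if [ "$state" = on ]; then
        echo "  to disable for this boot: $(disable_hwfilter_cmd "$ifname")"
    fi
done
```

Two practitioner caveats. First, `ifconfig -m re0` shows a separate capabilities= line; if VLAN_HWFILTER is not listed there at all, the driver never offered it and this setting cannot be what is stripping the tags. Second, the poster reports that disabling the filter crashes his Realtek box hard, so make the change with console access, and verify the result with `tcpdump -e -n -i re0 vlan` (tagged frames still arriving on the parent) and a capture on the VLAN child interface (assumed OPNsense naming `re0_vlan10`) before re-enabling IPS.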

Why not listen on WAN and add WAN IP to home network?

May 06, 2020, 09:59:00 AM #3 Last Edit: May 06, 2020, 10:21:21 AM by MTR
WAN IP is dynamic. Besides that, I won't be able to see which internal IP is involved in the traffic? Or is that circumvented by adding the WAN IP to home networks?

edit: just tried this and indeed no internal IPs are shown, so that's not really an option tbh.

@mimugmail: could you explain what the idea behind adding the WAN IP to Home Networks is?

oh and btw, enabling IPS on my WAN will catch and drop packets that are most likely going to be dropped by the firewall anyway. Maybe it's fun to see all internet baddies banging on the door, but it's a waste of system resources I think?

May 06, 2020, 07:19:48 PM #4 Last Edit: May 06, 2020, 07:36:12 PM by l0rdraiden
Quote from: MTR on May 06, 2020, 09:59:00 AM
WAN IP is dynamic. Besides that, I won't be able to see which internal IP is involved in the traffic? Or is that circumvented by adding the WAN IP to home networks?

edit: just tried this and indeed no internal IPs are shown, so that's not really an option tbh.

@mimugmail: could you explain what the idea behind adding the WAN IP to Home Networks is?

oh and btw, enabling IPS on my WAN will catch and drop packets that are most likely going to be dropped by the firewall anyway. Maybe it's fun to see all internet baddies banging on the door, but it's a waste of system resources I think?

Well, pfsense and opnsense IDS/IPS implementations are quite limited in terms of flexibility, but I think it is something inherent from FreeBSD.

In any (commercial) linux based firewall you can assign IDS/IPS policies to a single firewall rule, so if you have a rule that opens ports to the internet you will want to see that traffic on the WAN; the good news is that the IDS/IPS will only scan the traffic of that firewall rule and not the whole WAN, and in addition you will enable only the IDS/IPS rules related to the assets behind that open port. If you don't have open ports, LAN is enough.

The result is that it is much more efficient and you get fewer FPs.

Yeah, enabling WAN IPS only on selected rules makes much more sense indeed.

Too bad I can't get IPS on my LAN to work correctly. Guess I'll just keep using IDS and look at the alert log once in a while to see if anything is happening with the clients in the home nets. It's still a step up from no IDS at all with the consumer router I had.