OPNsense Forum » English Forums » Intrusion Detection and Prevention » Transparent IPS issues
Topic: Transparent IPS issues (Read 2685 times)
naito
Newbie
Posts: 2
Karma: 0
Transparent IPS issues
« on: May 08, 2020, 02:21:40 am »
Trying to set up Suricata as a transparent IPS on OPNsense 20.1.6. Completely new install. Network set up as attached image shows.
I got OPNsense configured as a transparent bridge, passing traffic from igb0 to igb1. Separate interface for management; only the management interface has an IP assigned.
Suricata works great in IDS detection-only mode, can see rules alerting, eicar tests work, but the instant I turn on IPS mode I lose all connectivity on the bridge. Doesn't matter which pattern matcher I use, or whether promiscuous mode is on or off (I have two VLANs so I usually have promiscuous mode on). Interfaces have been set to only igb0 or igb1 and it makes no difference. The instant the logs show "threads initialized, engine started" I lose all connectivity through the bridge.
What am I doing wrong? I've followed the transparent bridge setup guides, set the tunables, all hardware offload is off, the bridge performs great and can even use firewall rules correctly, but once IPS mode is enabled everything stops. I believe this is a supported configuration?
The only thing I've been able to notice after a couple of days of testing is that once IPS mode starts, I start seeing firewall logs BLOCKING traffic on the bridge via the "default deny" rule. I've tried adding an allow-all rule, and even disabling all packet filtering in Firewall->Settings->Advanced; the deny rule still seems to block.
My understanding, though, is that netmap runs under pf, and the messages Suricata prints seem to bear this out, as in both IDS and IPS mode it will show "igb0:pks XXX, drop 0", so I think Suricata is seeing packets properly, but something else is breaking the bridge.
Any help is appreciated!! Thanks in advance.
l0rdraiden
Jr. Member
Posts: 59
Karma: 4
Re: Transparent IPS issues
« Reply #1 on: May 10, 2020, 07:35:37 pm »
Basically your problem is this
https://forum.netgate.com/topic/128853/suricata-and-vlans/2
Unless an OPNsense dev says otherwise, VLANs and Suricata in IPS mode don't work, and there is no solution for now.
naito
Newbie
Posts: 2
Karma: 0
Re: Transparent IPS issues
« Reply #2 on: May 12, 2020, 05:50:07 am »
Thanks, that's disappointing to hear. Will keep an eye out for future updates, in the meantime I managed to get it working with a manual install on Debian + Suricata 5 using af_packet for bridging.
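For readers who want to reproduce the af_packet bridging approach mentioned in the last reply, here is an added suricata.yaml fragment for a two-interface transparent IPS on Linux; it is an example written for this thread, not the poster's configuration. Interface names eth0/eth1 are assumptions standing in for the igb0/igb1 pair, and the interfaces are assumed to carry no IP address and to not be enslaved to a kernel bridge, since Suricata itself does the forwarding.

```yaml
# Added example (not from the thread): Suricata af-packet IPS bridge.
# eth0/eth1 are assumed names; neither interface has an IP address and
# neither is a member of a Linux bridge, because copy-mode does the
# forwarding. Frames are copied verbatim, so VLAN tags pass through.
af-packet:
  - interface: eth0
    threads: 2
    cluster-id: 98
    cluster-type: cluster_flow   # both directions of a flow on one thread
    defrag: yes
    use-mmap: yes
    tpacket-v3: no               # TPACKET_V3 is not supported in IPS copy mode
    copy-mode: ips               # forward unless a drop rule matches
    copy-iface: eth1             # eth0 -> eth1
    buffer-size: 64535
  - interface: eth1
    threads: 2
    cluster-id: 99               # each interface needs its own cluster-id
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth0             # eth1 -> eth0, completing the bridge
    buffer-size: 64535

stream:
  inline: yes                    # inline stream handling required for IPS

vlan:
  use-for-tracking: true         # keep identical 5-tuples on different VLANs apart

# Start with:  suricata --af-packet -c /etc/suricata/suricata.yaml
# Only rules with the "drop" action block traffic; "alert" rules still
# pass the packet, so the eicar test will only be blocked if its rule
# has been converted to drop.
```

Check the result with a tool such as ip -s link on both interfaces: RX on one side should roughly match TX on the other while traffic flows, and stopping Suricata should stop forwarding entirely, which confirms no kernel bridge is duplicating frames.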