20.7.4 Success!! PPPoE?

Started by bunchofreeds, October 24, 2020, 04:47:09 AM

Hi all,

I have successfully upgraded to 20.7.4 after running the pkill syslog-ng via shell.
All looks great so far and thanks for the great effort to all those involved with getting us here.

I was wondering what the state of play is with PPPoE in the WAN interface.
Is there a recommended approach here like Suricata on the PPPoE Interface and Sensei on LAN?
Or are we still not there yet with netmap support on a PPPoE interface?

I'm running OPNsense as a guest on Proxmox so using vtnet.

Thanks for any advice on this
Dan

As I understand it our configuration should run fine now (also have Proxmox with vtnet driver). As far as the PPPoE for WAN interface, I'm not sure if that is fully working right now. According to https://docs.google.com/spreadsheets/d/1RVj8K3XOzWi-Bkjq6hUxWudu7Cxd8FFTqjLiBMzZWEM/htmlview#gid=0 it still seems to be not completely finished.

October 24, 2020, 10:34:23 PM #2 Last Edit: October 24, 2020, 10:36:18 PM by bunchofreeds
Thanks for the reply @heresjody, but I was hoping for a more official update on the state of PPPoE and netmap support. Just wondering if it is still actively in development or if it has been re-prioritised to a later date?

My setup is really quite stable now with Sensei on the LAN on vtnet thanks to all the great work that has been done.
I'd also like to get Suricata IPS running on the WAN which for me is PPPoE again on vtnet.

Quote from: bunchofreeds on October 24, 2020, 04:47:09 AM
....
I was wondering what the state of play is with PPPoE in the WAN interface.
...

Yes, I would love to know as well :D

Quote from: bunchofreeds on October 24, 2020, 10:34:23 PM
My setup is really quite stable now with Sensei on the LAN on vtnet thanks to all the great work that has been done.
I'd also like to get Suricata IPS running on the WAN which for me is PPPoE again on vtnet.

Same here, running OPNSense 20.7.2 on ESX 7 using the E1000e NICs. Sensei is great on LAN networks, but really would like Suricata in IPS mode on PPPoE WAN. :)

Just bumping this one up again.

Any update from the Sensei or OPNsense teams on the progress of netmap support for PPPoE when using Suricata or Sensei?
Last I heard was that it would hopefully be progressed after the main netmap updates were committed, which I think went into 20.7.4.

Thanks for any official update on this!
Would just be good to know if it's still possible or if it had to be postponed.

LAGG and TUN are now supported thanks to Sensei efforts. PPPoE is not yet.


Cheers,
Franco

If PPPoE is not supported for Suricata on WAN... how do I enable both Suricata and Sensei? Sensei says it can't run on the same interface as Suricata, and it must run on LAN, so I put it there... but where do I put Suricata then? Anyone know what to do in this situation?

@franco
Thanks for the reply, do you know if netmap support for PPPoE is currently being progressed or if it has been postponed?
I agree that thanks to the Sensei backed effort, a substantial improvement has been made to overall netmap support for FreeBSD. A few of us would love to see PPPoE supported but personally I would understand if this cannot be achieved anytime soon.

@allebone
For me personally I cannot currently run both Suricata and Sensei at the same time but do know that Sensei have on their roadmap to support both on the same interface sometime in the near future.
Ideally it would be great to have full netmap support in FreeBSD for PPPoE so I could run either Suricata OR Sensei on that interface type.

Thanks to Sensei people the authors of Netmap are looking into a solution, but it's not something that has any urgency within FreeBSD scope / other Netmap consumers and as far as I understand the PPP device handling creates more challenges than the rest of the network stack. The timeframe is therefore rather unclear.

It sounds silly but the current best way to run Sensei and Suricata is to use two machines or find a way to terminate the PPPoE on another router. Especially companies have had IDS systems away from their main firewalls all the time.

I know there are users for Suricata and Sensei, but saying you need both at the same time on the same machine makes the use case relevancy shrink considerably in terms of users actually requiring this type of scenario and not having implemented this otherwise already.


Cheers,
Franco

How is the number of users measured that need it? I need it but have never let anyone know that I need it, and don't even know how. In addition, if it's not possible, and people revert to workarounds, does that count as a "don't need it" because they were forced to use a workaround? Not moaning, just trying to understand as I signed up to a monthly Sensei home package but guess I will have to cancel it and just wait until either I can run it on the same interface (LAN) or until it can be used on PPPoE. I'm also not clear if this is years away or just a few months, one of these options.

I guess I'm after a next-gen firewall and for almost free :)

Like allebone I pay for a Monthly Sensei sub and donate to OPNsense as I think the total package is amazing and easily worth these costs.
This solution covers my home setup which is relatively complicated as I work in IT and it changes on almost a daily basis... so the easy configuration and ability to adapt to my needs is excellent.
Ideally I would have modern Cyber Sec from my firewall including IPS (not IDS) and application-level inspection. Most users can now get this when using OPNsense with Sensei and Suricata. Hopefully netmap support will come for PPPoE for us other users :)

Any info on progress of this and how we can help if needed is what we are after.

@Franco I think you have answered this now as it's basically unknown, not a priority currently and in the hands of the FreeBSD netmap Gods.

Quote from: bunchofreeds on November 05, 2020, 11:03:41 PM
I guess I'm after a next-gen firewall and for almost free :)

Like allebone I pay for a Monthly Sensei sub and donate to OPNsense as I think the total package is amazing and easily worth these costs.
This solution covers my home setup which is relatively complicated as I work in IT and it changes on almost a daily basis... so the easy configuration and ability to adapt to my needs is excellent.
Ideally I would have modern Cyber Sec from my firewall including IPS (not IDS) and application-level inspection. Most users can now get this when using OPNsense with Sensei and Suricata. Hopefully netmap support will come for PPPoE for us other users :)

Any info on progress of this and how we can help if needed is what we are after.

@Franco I think you have answered this now as it's basically unknown, not a priority currently and in the hands of the FreeBSD netmap Gods.

https://forum.opnsense.org/index.php?topic=17363.msg92433#msg92433

I think it'd be best to have both Suricata and Sensei running on the internal interfaces. IPS on WAN isn't ideal as long as you're using NAT. If you're NATing and you don't have a static IP from your provider that can be added to the home networks, IPS seems to be rather useless as most rules won't trigger (as from my observations). As for now I'm using Suricata on WAN and Sensei on all other interfaces, because I was able to switch to a non-PPPoE offer from my existing provider. However, to only see your public IP in the Suricata logs is also not very satisfying. You don't know which of your devices behind NAT triggered the alert. Furthermore, as incoming WAN traffic is handled before applying any firewall rules, there are a lot of alerts which wouldn't be triggered if IPS was used on inside interfaces, I guess.

To sum up: Most of the time IPS on WAN seems to be bad anyways. Hopefully SVN will come up with a same-interface solution soon. It'd be superb :)
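The attribution problem described in the post above (a WAN-side Suricata only ever logs the firewall's post-NAT public address, while a LAN-side instance sees the real internal host), shown with a small script. This is an added illustration, not code from the thread or from OPNsense/Suricata; the eve.json records, interface names and addresses are constructed samples.

```python
import json
import ipaddress
from collections import Counter

# RFC 1918 ranges checked explicitly: Python's ip_address().is_private also
# flags the documentation ranges used below as "private", which would hide
# exactly the effect we want to show.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed eve.json lines (not real logs). The pppoe0 records are what a
# Suricata bound to the WAN sees: every outbound flow carries the NATed public
# address 203.0.113.10. The vtnet1 records are the same alerts seen on the LAN
# side, before NAT, where the internal host is still visible.
EVE_LINES = [
    '{"event_type":"alert","in_iface":"pppoe0","src_ip":"203.0.113.10","dest_ip":"198.51.100.7","alert":{"signature":"SAMPLE MALWARE Checkin"}}',
    '{"event_type":"alert","in_iface":"pppoe0","src_ip":"203.0.113.10","dest_ip":"198.51.100.9","alert":{"signature":"SAMPLE POLICY Download"}}',
    '{"event_type":"alert","in_iface":"vtnet1","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","alert":{"signature":"SAMPLE MALWARE Checkin"}}',
    '{"event_type":"alert","in_iface":"vtnet1","src_ip":"192.168.1.35","dest_ip":"198.51.100.9","alert":{"signature":"SAMPLE POLICY Download"}}',
    '{"event_type":"flow","in_iface":"vtnet1","src_ip":"192.168.1.20","dest_ip":"198.51.100.7"}',
]

def is_rfc1918(addr):
    """True if addr is a valid IP inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def internal_host(rec):
    """Return the internal (RFC 1918) endpoint of an alert, or None if there is none."""
    for key in ("src_ip", "dest_ip"):
        if is_rfc1918(rec.get(key, "")):
            return rec[key]
    return None

def attribute_alerts(lines):
    """Count alerts per interface, keyed by the internal host they can be tied to.
    Alerts with no internal endpoint (the NATed WAN view) land under "unattributed"."""
    result = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/etc. records are not alerts
        host = internal_host(rec) or "unattributed"
        result.setdefault(rec.get("in_iface", "?"), Counter())[host] += 1
    return result

if __name__ == "__main__":
    for iface, hosts in attribute_alerts(EVE_LINES).items():
        print(iface, dict(hosts))
```

On the WAN interface both alerts collapse to "unattributed", while on the LAN interface each alert maps to a specific device.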