suricata and pppoe vlan11 tagged fiber / WAN dont work

[kinch]

hi there

befor everthing was working fine.
i had an fiber wan connection which was DHCP.
Suricata was configured to look at the WAN interface and it was working, i got some alerts during the week.

bc of relocating, the ISP only offers fiber with pppoe in this area.
i reconfigured the wan (create vlan11 interface, create pppoe device with credentials, assigned pppoe interface as WAN)
opnsense got an public IP and internet working as well. this "happens" around 6 month ago.
Till then, i never got an suricata alert. so i was wondering if suricata is working properly. i tested it with eicar and nothing happend, so i dont get any alert since 6month and my testing triggered also no alert.

I then switched Promiscuous mode off after about 4 months, no change. After 2 months more still no alerts.
I suspect that Suricata cannot access the WAN interface. i think it has problems with the constellation interface->vlan->pppoe->WAN

Any idea what the problem could be, how I can troubleshoot and fix it?

what i did:
restart service
reboot
test with eicar, NOK
check ruleset (every drop/alert rules are enabled)
tested it with http://testmynids.org/uid/index.html
change pattern matcher aho <->hyper


Best Regards

[Taunt9930]

I don't believe you can use Suricata on PPPoE - it is not compatible.

[bestboy]

Also NAT and intrusion detection systems are no friends.

[kinch]

I don't believe you can use Suricata on PPPoE - it is not compatible.

why not, suricata does not see pppoe header i think

[kinch]

Also NAT and intrusion detection systems are no friends.

?? what has suricata todo with NAT?

[bestboy]

Intrusion detection systems need to track the flows. If you do address translation then sources or targets of flows are rewritten. The original flow is terminated and replaced. Intrusion detection systems typically only see one leg of the entire communication. Either the original flow leg or the replaced, new flow leg. But in either case they keep on missing half of what's going on.
Feel free to read the documentation for details. It's all there right in the "Choosing an interface" chapter: https://docs.opnsense.org/manual/ips.html#choosing-an-interface".

PS: There is a reason why many admins hate NAT. You have to jump a lot of hoops and deal with heaps of BS just to keep using the old IPv4 address.

[kinch]

Intrusion detection systems need to track the flows. If you do address translation then sources or targets of flows are rewritten. The original flow is terminated and replaced. Intrusion detection systems typically only see one leg of the entire communication. Either the original flow leg or the replaced, new flow leg. But in either case they keep on missing half of what's going on.
Feel free to read the documentation for details. It's all there right in the "Choosing an interface" chapter: https://docs.opnsense.org/manual/ips.html#choosing-an-interface".

PS: There is a reason why many admins hate NAT. You have to jump a lot of hoops and deal with heaps of BS just to keep using the old IPv4 address.

ok of course, but it does not matter in this szenario, bc suricata does not work and it worked back in the days when the interface was DHCP-WAN and not PPPOE-WAN.

Best Regards

[kinch]

anyone successfully using suricata on a PPPOE WAN?

Best Regards

[kinch]

seems like it is not working and not supported by suricata / netmap

https://forum.opnsense.org/index.php?topic=31587.0