Topic: Parent interfaces: Assignment: Yes or No? Enabled/Disabled? IDS/IPS (Read 150 times)
fastboot (Newbie, Posts: 38, Karma: 2)
on: November 10, 2024, 09:39:50 pm
Hi Folks,
so I literally come back to my own line of thought about what kind of difference it makes if a parent interface is assigned or not. And if assigned, should it be enabled or disabled?
My conclusion so far: I do not know.
1. I would like to understand technically what would be the difference if I assign a parent interface and have it enabled or disabled. Like what happens to the system. Is there anything ongoing on that interface? I know the VLANs are encapsulated, but how about the parent? What is the best practice?
2. How about IPS? Should the parent be assigned and enabled or disabled? If so, why? What is the best practice with this as well?
3. When using IPS and setting promiscuous mode in the Suricata config, is it still necessary to enable it on the parent or in the VLAN config? Should the parent be used for IPS or the VLAN? Like mentioned, for some it works with the parent (as the doc mentioned) and for some it works via choosing the VLANs without the parent. I am a little lost with this.
Cheers
Last Edit: November 10, 2024, 09:42:45 pm by fastboot

fastboot (Newbie, Posts: 38, Karma: 2)
Reply #1 on: November 19, 2024, 03:50:32 pm
*bump*
Anyone? I would like to understand what kind of (security) implications this could have.

Patrick M. Hausen (Hero Member, Posts: 6795, Karma: 571)
Reply #2 on: November 19, 2024, 03:53:31 pm
The necessity to assign the parent interface of a VLAN was removed in OPNsense 22.7.4. So don't. Just create and assign the VLANs.
No idea about IPS, because I don't use it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)

franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Reply #3 on: November 19, 2024, 04:05:27 pm
1. There used to be a few major releases that required this for physical settings, since formerly the code allowed setting physical settings on each VLAN, which got transferred to the parent indirectly, which created the problem that we would not know which conflicting physical settings ended up in the server. This was also true for MAC spoofing, and people were asking to let the parent be its own MAC but spoof individual VLANs...
So this turned into an adventure to untangle the previous behaviour, which also then required adding features such as promiscuous mode to the parent interface (explicitly) in order to even receive packets by VLANs with spoofed MAC addresses. That is one of the most useful cases of assigning parents. Or when you want to change the physical settings such as link speed / auto-negotiation.
Later, as Patrick mentioned, when the rework was done, an easier way was found to ensure standard settings to parent interfaces indirectly, so today it's optional unless the workflow requires it.
2. VLANs can be scanned on the parent; at one point they had to be, but not anymore. This also differs between non-IPS mode on and off for technical reasons. If you have a lot of VLANs it might make sense to just add the parent, which can ease maintenance if you have VLANs come and go, but that's not the average case. In the average one it doesn't matter.
3. See 2.
Cheers,
Franco
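
Added example, not part of the thread and not OPNsense code: a check for the case franco describes in point 1, a VLAN with a spoofed MAC whose parent is not in promiscuous mode. It assumes the usual FreeBSD `ifconfig` text layout; the interface names and MAC addresses in the sample are constructed.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output (names and MACs are made up).
SAMPLE = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:66
vlan0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:aa:bb:cc:dd:10
\tvlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb0
vlan0.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tvlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb0
vlan0.30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 02:aa:bb:cc:dd:30
\tvlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
"""

def parse_ifconfig(text):
    """Return {name: {"flags": set, "ether": str|None, "parent": str|None}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>", line)
        if head:
            cur = {"flags": set(head.group(2).split(",")), "ether": None, "parent": None}
            ifaces[head.group(1)] = cur
            continue
        ether = re.match(r"\s+ether ([0-9a-f:]{17})", line)
        parent = re.search(r"parent interface: (\S+)", line)
        if cur is not None and ether:
            cur["ether"] = ether.group(1)
        if cur is not None and parent:
            cur["parent"] = parent.group(1)
    return ifaces

def vlans_needing_promisc(ifaces):
    """List (vlan, parent) pairs where the VLAN MAC differs from a non-PROMISC parent."""
    findings = []
    for name, vlan in sorted(ifaces.items()):
        parent = ifaces.get(vlan["parent"])
        if parent is None:  # not a VLAN, or its parent is not in the listing
            continue
        if vlan["ether"] != parent["ether"] and "PROMISC" not in parent["flags"]:
            findings.append((name, vlan["parent"]))
    return findings

if __name__ == "__main__":
    for vlan, parent in vlans_needing_promisc(parse_ifconfig(SAMPLE)):
        print(f"{vlan}: spoofed MAC, but parent {parent} is not in promiscuous mode")
```

On a live system the same functions can be fed the output of `ifconfig` in place of `SAMPLE`.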