Dedicated IPS box: how to get the default deny policy to not block all traffic

Started by Deathmage85, February 15, 2025, 05:13:52 PM

Hello,

I've deployed OPNsense 25.1.1 to a Protectli 2 port vault (I'm using a persistently configured USB 3.0 NIC for management), and I placed the LAN and WAN in a bridge. I've enabled promiscuous mode and set IPv4 & IPv6 to none.

I've set the firewall to have an 'inbound any any any any' rule and also placed an 'inbound udp any to 255.255.255.255 over port 67' rule for DHCP leases from the Arris modem. I've placed the DHCP rule above the any any any any rule.

Right now, even with enabling a lot of the Advanced firewall settings (Static route filtering, Disable reply-to, and Firewall Optimization set to conservative) minus disabling the firewall itself, I still can't get OPNsense to simply be in 'inline' mode and to simply 'monitor' the traffic that flows through the bridge, as the default deny rule blocks everything.

Does anyone know how to effectively stop the firewall from using the default deny firewall rule and only let the Suricata IPS block based on detection(s) defined in the rulesets while allowing DHCP traffic to issue an IP to an upstream OPNsense firewall and for non-nefarious traffic to otherwise flow from the ISP modem to the 1st tier firewall without restrictions?

One key setting I found in past deployments of OPNsense that I can't seem to find in 25.1.1 is: "Disable stateful filtering for bridge interfaces"; does anyone know where this moved or morphed into?

I did find two tunables called "net.link.bridge.pfil_bridge set to 0 && net.link.bridge.pfil_member set to 0" but it seems the default deny, as mentioned, is still blocking, so what gives? O.o

Goal: get Suricata on this 2 port vault in transparent IPS mode, and then on the upstream firewall enable Zenarmor on the WAN port. Effectively offloading the IPS to a dedicated box.
HW: Protectli V1410 - Intel N5105 - 8 GB - 500 GB SSD - Inline IPS - pFsense 
HW: Protectli VP6630 - Intel i3-1215U - 64 GB - 1 TB SD - Outside firewall - OPNsense - Zenarmor Free - IPS
HW: Protectli VP6650 - Intel i5-1235U - 32 GB - 1 TB SSD - Inside firewall - OPNsense - Zenarmor Home - IDS
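The two tunables named in the post decide where pf gets to see bridged frames at all, and that is the first thing worth confirming on the box before looking at rule order. The following is an added diagnostic (it is not part of this thread, and not an OPNsense or FreeBSD tool): a POSIX sh function, `bridge_filter_mode`, that takes the text printed by `sysctl net.link.bridge` and reports which interfaces pf will filter; the function name, the mode labels and the sample output it is fed are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread. Classifies how pf treats frames
# forwarded across a FreeBSD if_bridge from the two tunables the post names.
# Input ($1): lines in the "name: value" form printed by `sysctl net.link.bridge`.

bridge_filter_mode() {
    # Pull the two values out of the sysctl text; awk splits on "name: value".
    pfil_bridge=$(printf '%s\n' "$1" | awk -F': *' '$1=="net.link.bridge.pfil_bridge"{print $2}')
    pfil_member=$(printf '%s\n' "$1" | awk -F': *' '$1=="net.link.bridge.pfil_member"{print $2}')

    case "${pfil_bridge:-?}/${pfil_member:-?}" in
        1/1) echo "filter-both" ;;    # pf rules apply on bridge0 AND on each member NIC (LAN/WAN)
        1/0) echo "filter-bridge" ;;  # pf rules apply on the bridge interface only; member rules are ignored
        0/1) echo "filter-member" ;;  # pf rules apply on the member NICs only; bridge interface rules are ignored
        0/0) echo "filter-none" ;;    # forwarded frames bypass pf entirely, so no pf default deny can hit them
        *)   echo "unknown" ;;        # one or both tunables missing from the input
    esac
}

# Convenience wrapper for running on the firewall itself (FreeBSD/OPNsense only).
bridge_filter_mode_live() {
    bridge_filter_mode "$(sysctl net.link.bridge 2>/dev/null)"
}

# Constructed sample matching the values the post says were set (both 0).
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_onlyip: 1'

# Usage: bridge_filter_mode "$SAMPLE_SYSCTL"   (prints filter-none)
```

If this reports `filter-none` on the live box and traffic is still being dropped, the drop is not coming from pf's rule set on the bridged path: either the tunables did not take effect yet (they are applied at boot from System > Settings > Tunables), or the block is happening somewhere else, for example in the IPS engine or on the management interface. If it reports `filter-both`, pass rules are needed on both the bridge and the member interfaces, which is the usual reason a permissive rule on only one of them still ends in the default deny.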

So I've set up the transparent bridge identical to this YouTube video and it doesn't appear to work.

https://www.youtube.com/watch?v=Rb4vlN_Hf-U

Ironically, I saved the OPNsense config and deployed pfSense to the Protectli V1211 vault, and it is working as a transparent bridge-based inline IPS, so I'm left pondering what is broken in OPNsense in version 25.1.1.

The YouTube video had it working in 24.7.

Going to let this sit for a little bit and then I'm going to mock this up in my VMware cluster and see if I can't tinker away at why 25.1.1 is broken compared to 24.7 for a transparent bridge-based IPS.

I sent back the Protectli V1210 and got a V1410 and with pfSense, it seems to work a lot better than the V1210. I think because I was trying to force (and it worked-ish) the USB NIC for management; it caused problems with routing and filtering.