No IPv6 if IPS is active

Started by Space, March 20, 2018, 11:24:41 PM

Previous topic - Next topic
Print
Go Down Pages1 2 3
User actions
March 20, 2018, 11:24:41 PM
Hi,

once I activate the IPS button in the Intrusion Detection there is no IPv6 announced on the internal networks anymore. WAN is set to DHCPv6 and does get it's IPv6 address but the internal interfaces (LAN/OPT1) do not get any IPv6 address / prefix anymore. DHCPv6 Server does not start anymore.

I will check tomorrow if I find anything in the logs. Or is this issue already known?

Thanks and best regards,

    Space
March 21, 2018, 08:44:29 AM #1
I see the following in IDS alerts:

Code Select
Timestamp 2018-03-21T08:40:56.980402+0100
Alert SURICATA UDPv6 invalid checksum

But it's configured to alert only ... In dhcp.log I see the following:

Code Select
Mar 21 08:30:50 OPNvirt dhcp6c[46361]: Sending Solicit
Mar 21 08:32:38 OPNvirt dhcp6c[46361]: Sending Solicit


Is there some rule that needs to be deactivated?
March 21, 2018, 08:57:09 AM #2
For testing I have disabled all Rulesets for Suricata --> still no success. But in IDS alerts I only see alerts, no drops ...
April 10, 2018, 04:31:45 PM #3
Hi,

can anyone give me a hint how to analyse the problem? With 17.7.x it was working fine but with 18.1.6 it still does not work. As soon as I enable IPS mode there is no IPv6 prefix configured on any of the internal interfaces. Only the WAN interface does have an IPv6 IP.

And as soon as I disable IPS the internal interfaces aquire an IPv6 IP as well.

Best regards,

    Space
April 10, 2018, 04:43:48 PM #4
check the logs - maybe a rule blocks it (false positive?).
April 10, 2018, 04:57:44 PM #5
I can confirm this problem!
Did not tried to debug the problem but i´m willing to help of course.
Had this behavior also in previous OPNsense versions.
April 10, 2018, 05:19:51 PM #6
Quote from: fabian on April 10, 2018, 04:43:48 PM
check the logs - maybe a rule blocks it (false positive?).

I found it ... I had to add ff02::1 to home networks in suricata settings. This is probably the case because following option was disabled for dhcpv6 client configuration:

Code Select
Use IPv4 connectivity

But with 17.x it must have worked because I know that I had it running like that at some point in time ... But maybe it would make sense to add ff02::1 to home networks by default.
April 10, 2018, 05:22:28 PM #7
Huh, now it's gone again :( I need to double check ...
April 10, 2018, 05:32:31 PM #8
Ok, I need to continue research ... at first I thought it was because I added ff02::1 to home networks ... but then I noticed that the IPS button was not active ... so I activated it and again it did not work ... so I removed ff02::1 again and now it works by restarting suricata ... go figure.

I just can't find anything in the logs that gives me a direction to continue analysis. Where can I find details on console if suricata IPS drops something?
April 10, 2018, 06:20:51 PM #9
And after renewing the lease of the FritzBox it does not work anymore ... at all ... even with IPS off ...

EDIT: there are multiple dhcp6c running:

Code Select
root@OPNvirt:~ # ps aux | grep dhcp6c
root    2294   0.0  0.1 1074180   2812  -  Ss   18:04    0:00.02 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   13561   0.0  0.1 1074180   2812  -  Ss   18:10    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   24167   0.0  0.1 1074180   2820  -  Is   18:05    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   72817   0.0  0.1 1074180   2816  -  Is   18:11    0:00.00 /usr/local/sbin/dhcp6c -Dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_


EDIT2: after a reboot it at least get's the IPv6 address again if IPS is disabled ... need to do some other work now :(
April 10, 2018, 07:41:08 PM #10
The multi dhcp6c should be a thing of the pasta in 18.1.7 due to Martin's work. We're almost there...


Cheers,
Franco
April 10, 2018, 08:30:11 PM #11
Hi Franco,

great ... if there is any patch to test, just let me know :)

In the meantime I create some debug logs (which works with 18.1 :) )

- with IPS enabled:

Code Select
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: a new XID (601c8d) is generated
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: Sending Solicit
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=1, retrans=2083
Apr 10 20:20:49 OPNvirt dhcp6c[35283]: Sending Solicit


- with IPS disabled:

Code Select
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: a new XID (31012e) is generated
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set client ID (len 14)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set elapsed time (len 2)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set option request (len 4)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD prefix
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: send solicit to ff02::1:2%igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: receive advertise from fe80::2656:11ff:fe6c:3174%igb1 on igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option client ID, len 14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:01:00:01:22:0f:8a:61:f4:ce:46:a8:9b:f4
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option server ID, len 10
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:03:00:01:24:65:11:6c:37:14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option preference, len 1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   preference: 0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option DNS, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: unknown or unexpected DHCP6 option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD, len 41
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD: ID=0, T1=1800, T2=2880
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD prefix, len 25
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD prefix: 2a03:f590:c803:f1f0::/60 pltime=3600 vltime=335467976956320800
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: server ID: 00:03:00:01:24:65:11:6c:37:14, pref=0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset timer for igb1 to 0.996209


So with IPS enabled the advertise is not received ... I will install Wireshark so I can trace on the Fritzbox if the advertise is sent in both cases. Is there anything else I can test?

Thanks,

    Space
April 10, 2018, 08:33:53 PM #12
Hi Space,

If you can you could test the development version that comes with 18.1.6. I have this running in my office with DHCPv6 on WAN. dhcp6c won't get stuck, but I'm not sure if Suricata will allow the IPv6 packets to flow. If it's that then maybe Suricata is running on WAN and blocking your requests/responses prematurely?


Cheers,
Franco
April 10, 2018, 11:20:40 PM #13
Hi Franco,

I have upgraded to the dev version and rebooted. Directly after the reboot IPv6 was available on all interfaces (because suricata service was not yet started). As soon as suricata was running IPv6 became unavailable on the internal interfaces and only the WAN interface still has an IPv6 IP.

FYI: I have suricata enabled only on the WAN interface. Home networks are only the ones from the internal interfaces but not the network from the WAN interface. But even when I added that as home network as well it did not make any difference.

Since it did work with 17.7.x ... what was upgraded when moving to 18.1? Do we have a new suricata version?

Cheers, Space
April 11, 2018, 12:22:16 AM #14
Quote from: franco on April 10, 2018, 07:41:08 PM
The multi dhcp6c should be a thing of the pasta in 18.1.7 due to Martin's work. We're almost there...


Cheers,
Franco

Pasta?

Were you hungry when you typed the message?  :P
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
Print
Go Up Pages1 2 3
User actions