No IPv6 if IPS is active

[BeNe]

check the logs - maybe a rule blocks it (false positive?).

Where can i find the correct log file ?

My Suricata Logfile is Empty

Code Select Expand

File /var/log/suricata.log yielded no results.

Can i run suricata in foreground in verbose mode ? Maybe i can collect there some helpfull in formation

[marjohn56]

Have a look in /var/log/suricata/

[BeNe]

Nothing helpfull in here:

Code Select Expand

root@opnsense:/var/log/suricata # ls -l
total 14816
-rwx------  1 root  wheel         0 Mar 13 14:58 eve.json
-rwx------  1 root  wheel  15107202 Apr 11 10:21 stats.log
root@opnsense:/var/log/suricata #

stats.log

Code Select Expand


/var/log/suricata # tail -n 50 stats.log
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 19318
decoder.pkts                               | Total                     | 19318
decoder.bytes                              | Total                     | 5919169
decoder.ipv4                               | Total                     | 16498
decoder.ipv6                               | Total                     | 2806
decoder.ethernet                           | Total                     | 19318
decoder.tcp                                | Total                     | 16479
decoder.udp                                | Total                     | 2611
decoder.icmpv4                             | Total                     | 166
decoder.icmpv6                             | Total                     | 43
decoder.teredo                             | Total                     | 2
decoder.avg_pkt_size                       | Total                     | 306
decoder.max_pkt_size                       | Total                     | 1506
flow.tcp                                   | Total                     | 129
flow.udp                                   | Total                     | 255
flow.icmpv6                                | Total                     | 15
tcp.sessions                               | Total                     | 109
tcp.syn                                    | Total                     | 120
tcp.synack                                 | Total                     | 136
tcp.rst                                    | Total                     | 32
tcp.stream_depth_reached                   | Total                     | 1
tcp.overlap                                | Total                     | 4
app_layer.flow.http                        | Total                     | 45
app_layer.tx.http                          | Total                     | 47
app_layer.flow.smtp                        | Total                     | 6
app_layer.tx.smtp                          | Total                     | 6
app_layer.flow.tls                         | Total                     | 35
app_layer.flow.failed_tcp                  | Total                     | 4
app_layer.flow.dns_udp                     | Total                     | 220
app_layer.tx.dns_udp                       | Total                     | 220
app_layer.flow.failed_udp                  | Total                     | 35
flow_mgr.closed_pruned                     | Total                     | 20
flow_mgr.new_pruned                        | Total                     | 138
flow.spare                                 | Total                     | 10002
flow_mgr.flows_checked                     | Total                     | 7
flow_mgr.flows_notimeout                   | Total                     | 5
flow_mgr.flows_timeout                     | Total                     | 2
flow_mgr.flows_timeout_inuse               | Total                     | 1
flow_mgr.flows_removed                     | Total                     | 1
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65528
flow_mgr.rows_empty                        | Total                     | 1
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 2867200
tcp.reassembly_memuse                      | Total                     | 903192
dns.memuse                                 | Total                     | 48189
http.memuse                                | Total                     | 7837
flow.memuse                                | Total                     | 6817024


--> decoder.icmpv6                             | Total                     | 43
May there is icmp blocked ? But there is nothing in the logs.

Enable suricata => No problems, no Logs
Enable IPS Mode => No more IPv6 prefix for the lan (WAN IPv6 still exists), no Logs

I just enabled the four abuse.ch List - not more.

Suricata is running on WAN.

[marjohn56]

Perhaps your prefix is on one of the abuse lists.  :)

[marjohn56]

I assume opnsense is showing a v6 address on its LAN, so dhcp6c is doing its job?

[BeNe]

No IPv6 Address on the LAN side, only WAN.

Perhaps your prefix is on one of the abuse lists.

possible but very unlikely.

i disabled ALL rules now - enabled IPS Mode and all IPv6 Adresse on LAN are gone.
If i disable IPS Mode all IPv6 are back.

I also enabled the Syslog option. Thats the complete log:

Code Select Expand


Apr 11 12:16:47 suricata[95611]: [100109] <Notice> -- all 5 packet processing threads, 4 management threads initialized, engine started.
Apr 11 12:16:45 suricata: [100650] <Notice> -- This is Suricata version 4.0.4 RELEASE
Apr 11 12:16:45 suricata[37587]: [100123] <Notice> -- Stats for 'igb1': pkts: 6765, drop: 0 (0.00%), invalid chksum: 0
Apr 11 12:16:44 suricata[37587]: [100123] <Notice> -- Signal Received. Stopping engine.
Apr 11 12:15:57 suricata[37587]: [100123] <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
Apr 11 12:15:55 suricata: [100179] <Notice> -- This is Suricata version 4.0.4 RELEASE


[marjohn56]

I cannot replicate this. On my VM test machine I have enabled IPS and IPv6 is fine on my LAN side.

Is this an upgrade or fresh install?

[BeNe]

This is an Upgrade. Was fresh installed with 18.x branch 2 months ago.
I use VLAN on my LAN side. Maybe this is a point ?

How can i get some logs ? Suricata´s logs is not that helpfull (as you can see some post before)

[marjohn56]

Have you had it working at all on an earlier version?

As it works flawlessly on my test system using a VM with one WAN and two LAN's It would seem it may well have something to do with VLANs. I don't use them so cannot give you any advice there.

[BeNe]

Have you had it working at all on an earlier version?

Not on OPNsense. It was a pfSense before  ::)

Thanks for your help. Going to collect some info´s about.

[Space]

But I had it running on 17.7.x without issues (after some fights and several releases) :)

[john9527]

Just a bump to add that I am also seeing the same or similar behavior.  No VLANs, running on WAN interface.
Originally posted in
https://forum.opnsense.org/index.php?topic=8527.0

[john9527]

Any new info from the develpment team?  Or should I open an issue in  Github?

Still present on 18.1.8

[Til]

I'm having a similar issue with a 18.7.4 (upgraded from 18.1.x). When switching on IPS mode, the internal interfaces immediately loose their IPv6 adresses, an the DHCPv6 fails to start. I'm seeing this log line:

dhcpd: /etc/dhcpdv6.conf line 10: expecting a parameter or declaration

Strange thing is.. that file doesn't even exist when IPS is off, but then DHCPv6 works flawlessly.

Anyone have a suggestion on this?  Maybe it's an upgrade issue?

[marjohn56]

Can you post your dhcpd6.conf for both states?


You'll find it in /var/dhcpd/etc