Suricata IPS mode kills IPv6

john9527:
I had been running Suricata in IDS mode on the WAN interface for several days without problems and things looked reasonable for the rules I had selected, so today I tried to enable IPS mode. This killed my IPv6 connectivity. It looks like IPS mode causes a restart of the WAN interface. From the syslog:

Apr 25 19:45:31   kernel: igb0: link state changed to DOWN
Apr 25 19:45:31   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: IP renewal is starting on 'igb0'
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: On (IP address: ) (interface: WAN[wan]) (real interface: igb0).
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: Failed to detect IP for WAN[wan]
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 68.xxx.xxx.xxx.
Apr 25 19:45:35   kernel: igb0: link state changed to UP

Not a lot of chance of a renew when the link is down. In rc.newwanipv6 it defers the renew if booting. Should similar logic be applied if the interface is down?
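
[Added example, not part of the original post and not OPNsense code] One way to confirm this pattern in a saved syslog is to track each interface's link state and flag any rc.newwanipv6 renewal that starts while the link is DOWN. The function name and regular expressions are illustrative and assume the message formats shown in the excerpt above.

```python
import re
from datetime import datetime

# Log excerpt copied from the post above (gateway address masked as posted).
SAMPLE_LOG = """\
Apr 25 19:45:31   kernel: igb0: link state changed to DOWN
Apr 25 19:45:31   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: IP renewal is starting on 'igb0'
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: On (IP address: ) (interface: WAN[wan]) (real interface: igb0).
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.newwanipv6: Failed to detect IP for WAN[wan]
Apr 25 19:45:32   opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 68.xxx.xxx.xxx.
Apr 25 19:45:35   kernel: igb0: link state changed to UP
"""

# Assumed formats: these patterns match the lines quoted in the post only.
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+?):\s+(.*)$")
LINK = re.compile(r"^(\w+): link state changed to (UP|DOWN)$")
RENEW = re.compile(r"rc\.newwanipv6: IP renewal is starting on '(\w+)'")
FAILED = re.compile(r"rc\.newwanipv6: Failed to detect IP for ")

def renewals_while_down(log_text):
    """Return one finding per IPv6 renewal that started while the link was DOWN."""
    down = set()                      # interfaces whose link is currently DOWN
    findings, current = [], None      # current = finding for the latest renewal
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog omits the year; a fixed one is enough to compare nearby lines.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        link = LINK.match(msg) if proc == "kernel" else None
        renew = RENEW.search(msg)
        if link and link.group(2) == "DOWN":
            down.add(link.group(1))
        elif link:                    # link is back UP: close open findings
            down.discard(link.group(1))
            for f in findings:
                if f["iface"] == link.group(1) and f["link_up_after_s"] is None:
                    f["link_up_after_s"] = (when - f["renew_at"]).total_seconds()
        elif renew:
            current = ({"iface": renew.group(1), "renew_at": when, "failed": False,
                        "link_up_after_s": None} if renew.group(1) in down else None)
            if current:
                findings.append(current)
        elif FAILED.search(msg) and current:
            current["failed"] = True  # renewal attempted on a dead link and failed
    return findings

if __name__ == "__main__":
    print(renewals_while_down(SAMPLE_LOG))
```

On the excerpt above this reports a single failed renewal on igb0, started three seconds before the link came back up.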

BeNe:
Yes! There is already a thread open --> https://forum.opnsense.org/index.php?topic=7666.0
I still have not had time to debug and provide some more information about it.

john9527:
Thanks for the pointer... my google-fu failed me (I do try and search before starting a new thread).

I'll follow the other thread.   Thanks again.