Suricata 4.1.4_3 Inline Blocking and VLANs
-
Hi All
So i tried enabling Inline Blocking on all my interfaces today but noticed an issue
My interfaces are as follows:
- LAN - igb1
- OPT1 - igb1.20
- OPT2 - igb1.21
Now for the issue
- Running Inline on OPT1 and OPT2, with Legacy on LAN works fine but is kind of a redundant use
- Running Inline on all interfaces stops all connections to OPT1 and OPT2
- Starting OPT1 and OPT2 with LAN set to inline but turned off works fine, the second LAN is started, it again blocks all connections to OPT1 and OPT2
It looks like the pipe being setup for LAN is actually messing up the pipes for the VLANs
For instance, if i set LAN to Legacy Only, i can see some Alerts for OPT1 and OPT2 under LANMy only thought is to remove Suricata from OPT1 and OPT2, and run all checks on the LAN instead but OPT1 and OPT2 really do have different requirements on them
Any ideas? I may just be trying to do something impossible so happy to be told to stop being daft
Regards,
Jamie -
Let me look into this in more detail. I will confess to not doing much testing with Inline IPS Mode and VLANs for either the Suricata or Snort package. I did some Google research after reading your post, and that research has given me some ideas to test.
For now just use Legacy Mode blocking with Suricata until I sort something out with the VLAN tags.
-
Perfect, thank you
If you need any logs or anything from me, let me know
Right now i have OPT1 and OPT2 as inline and LAN and Legacy Mode and it seems fine.
Its likely to affect a fairly limited number of people right now so no rush on my side for this and i'm happy to trial anything you needRegards,
Jamie
