Suricata 4.1.4_3 Inline Blocking and VLANs



  • Hi All

    So I tried enabling Inline Blocking on all my interfaces today, but noticed an issue.

    My interfaces are as follows:

    • LAN - igb1
    • OPT1 - igb1.20
    • OPT2 - igb1.21

    Now for the issue:

    • Running Inline on OPT1 and OPT2, with Legacy on LAN, works fine but is kind of a redundant use.
    • Running Inline on all interfaces stops all connections to OPT1 and OPT2.
    • Starting OPT1 and OPT2 with LAN set to Inline but turned off works fine; the second LAN is started, it again blocks all connections to OPT1 and OPT2.

    It looks like the pipe being set up for LAN is actually messing up the pipes for the VLANs.
    For instance, if I set LAN to Legacy Only, I can see some Alerts for OPT1 and OPT2 under LAN.

    My only thought is to remove Suricata from OPT1 and OPT2 and run all checks on the LAN instead, but OPT1 and OPT2 really do have different requirements on them.

    Any ideas? I may just be trying to do something impossible, so I'm happy to be told to stop being daft ☺

    Regards,
    Jamie
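    A small model of the three configurations listed above, added here as an example and not code from the thread or from the Suricata package. It builds 802.1Q-tagged and untagged Ethernet frames, parses the VLAN ID back out, and works out which Suricata instances sit in a frame's path. The assumption it encodes (mine, not stated in the thread): a netmap pipe on the parent NIC igb1 sees every frame on the wire, tagged or not, before the vlan(4) children igb1.20 and igb1.21 do, so a tagged frame crosses the parent's pipe and then the child's. The interface names and VLAN IDs are the poster's; the MAC addresses and payload bytes are constructed.

```python
"""Which Suricata instances does an 802.1Q frame pass through?

Added example; not the thread's or the Suricata package's own code.
Assumption: the parent NIC's netmap pipe sees every frame before the
vlan(4) child interfaces do.  Interface names follow the thread.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

PARENT = "igb1"                                   # LAN
VLAN_CHILDREN = {20: "igb1.20", 21: "igb1.21"}    # OPT1, OPT2

# Constructed sample addresses / payload (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes([0x45]) + bytes(19)  # minimal IPv4 header stand-in


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int], payload: bytes) -> bytes:
    """Ethernet II frame; an 802.1Q tag (PCP=0, DEI=0) is inserted when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, VLAN ID (None if untagged), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def path(frame: bytes) -> List[str]:
    """Interfaces the frame traverses: the parent NIC first, then the VLAN child if tagged."""
    info = parse_frame(frame)
    ifaces = [PARENT]
    child = VLAN_CHILDREN.get(info["vlan"]) if info["vlan"] is not None else None
    if child:
        ifaces.append(child)
    return ifaces


def inline_pipes(frame: bytes, modes: Dict[str, str]) -> List[str]:
    """Interfaces on the frame's path whose Suricata instance is in Inline (netmap) mode.

    modes maps interface name -> 'inline' | 'legacy' | 'off'.
    """
    return [iface for iface in path(frame) if modes.get(iface) == "inline"]


def double_piped(modes: Dict[str, str]) -> Dict[str, List[str]]:
    """VLAN children whose traffic would be diverted by more than one inline pipe."""
    result = {}
    for vid, child in VLAN_CHILDREN.items():
        pipes = inline_pipes(build_frame(DST, SRC, vid, PAYLOAD), modes)
        if len(pipes) > 1:
            result[child] = pipes
    return result


if __name__ == "__main__":
    configs = {
        "all inline":                {"igb1": "inline", "igb1.20": "inline", "igb1.21": "inline"},
        "LAN legacy, VLANs inline":  {"igb1": "legacy", "igb1.20": "inline", "igb1.21": "inline"},
        "LAN inline but stopped":    {"igb1": "off",    "igb1.20": "inline", "igb1.21": "inline"},
    }
    for name, modes in configs.items():
        print(f"{name:28s} double-piped: {double_piped(modes) or 'none'}")
```

    Only the "all inline" configuration reports igb1.20 and igb1.21 as passing through two pipes, which lines up with the two cases above that work and the one that cuts the VLANs off. The untagged-frame path is also worth checking: `path(build_frame(DST, SRC, None, PAYLOAD))` is just `["igb1"]`, so plain LAN traffic is unaffected by the child instances either way.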



  • Let me look into this in more detail. I will confess to not doing much testing with Inline IPS Mode and VLANs for either the Suricata or Snort package. I did some Google research after reading your post, and that research has given me some ideas to test.

    For now just use Legacy Mode blocking with Suricata until I sort something out with the VLAN tags.



  • Perfect, thank you

    If you need any logs or anything from me, let me know

    Right now I have OPT1 and OPT2 as Inline and LAN as Legacy Mode, and it seems fine.
    It's likely to affect a fairly limited number of people right now, so no rush on my side for this, and I'm happy to trial anything you need.

    Regards,
    Jamie

