HE tunnel broker questions
-
Hello fellow netgate community. Can you please help?
I’m having issues or concerns with the IPv6 tunnel. Does Snort still function and check traffic on the WAN connection if there’s a tunnel established? Or do I need to create a separate Snort instance on that interface? My Squid proxy does function and blocks traffic even if it is for an IPv6 destination among my blocked destinations, as it looks at the header. This is new to me, and with new things it’s kind of scary. Is my system still protected by the ACLs that were originally established for IPv4 traffic? The firewall, I assume, is allowing connections to IPv6 as they are just different IPv6 connections. I have the tunnel established and working; however, I’m afraid to leave it on with data loss on my NAS or something of that sort. Are there any security recommendations that you can tell me about? I was with the first group of NetAcad students for Cisco training many years ago; IPv6 at that time was only talked about as the future of the internet and was not used yet. It seems to be widely deployed now. Again, ISPs in our area only provide IPv4.
-
With activation of IPv6 inside my system, I noticed a large increase in the ACL identification numbers. I went from 88 on one ACL to 125. It seems that the auto-added rules are vast once IPv6 is activated inside the firewall.
-
@JonathanLee my wife is also making fun of me for using the text to speech. She asked me if Siri is deaf. I’m not that old.
Anyway, I guess I am afraid of the new stuff. Can Snort still check it for invasive actors? If my hosts are only IPv4 and access an IPv6 site, does that work? The test site says that the browser is blocking IPv6; everything else is OK. I can also see IPv6 traffic in the proxy going randomly to Facebook and whatnot.
-
@JonathanLee Run Suricata/Snort on LAN and then it would see both IPv4 and IPv6.
When run on WAN, it runs outside the firewall, so it will end up scanning a lot of extra traffic.
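Added illustration, not from any post in this thread: on an HE 6in4 tunnel a WAN-side sensor sees an IPv4 packet with protocol 41 wrapping the IPv6 packet, and must decode that encapsulation to inspect the inner headers, while a LAN-side sensor sees native IPv6 directly. Addresses are constructed documentation-range values and the inner TCP header is a zeroed placeholder.

```python
import struct
import ipaddress

IPPROTO_6IN4 = 41  # IPv6-in-IPv4 encapsulation used by HE tunnel broker

def build_ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left at 0 for this demo
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_ipv6_header(src, dst, next_header, payload_len):
    # Fixed 40-byte IPv6 header: version 6, no traffic class/flow label, hop limit 64
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"version": 4, "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])), "proto": pkt[9], "payload": pkt[ihl:]}

def parse_ipv6(pkt):
    return {"version": 6, "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "next_header": pkt[6], "payload": pkt[40:]}

def decode(pkt):
    """Return the header layers a sensor can see, following 6in4 into the inner IPv6 packet."""
    layers = []
    version = pkt[0] >> 4
    if version == 4:
        outer = parse_ipv4(pkt)
        layers.append(outer)
        if outer["proto"] == IPPROTO_6IN4:  # tunnel: decapsulate to reach the real traffic
            layers.append(parse_ipv6(outer["payload"]))
    elif version == 6:
        layers.append(parse_ipv6(pkt))
    return layers

# Constructed sample: an IPv6 TCP packet from a LAN host, then the same packet as seen on WAN
INNER_TCP = bytes(20)  # placeholder TCP header, contents irrelevant here
LAN_PKT = build_ipv6_header("2001:db8:1::10", "2001:db8:2::1", 6, len(INNER_TCP)) + INNER_TCP
WAN_PKT = build_ipv4_header("192.0.2.10", "198.51.100.1", IPPROTO_6IN4, len(LAN_PKT)) + LAN_PKT

if __name__ == "__main__":
    for name, pkt in (("LAN", LAN_PKT), ("WAN", WAN_PKT)):
        print(name, [(l["version"], l["src"], l["dst"]) for l in decode(pkt)])
```

A sensor on WAN that does not decode protocol 41 only ever sees the tunnel endpoints (192.0.2.10 to 198.51.100.1), never the IPv6 hosts inside.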
-
@SteveITS I like the WAN side; it took me far too long to create the suppress list and custom-tune it. It took a lot of time. I understand why that is recommended. I went the old way of WAN only; yes, it had a ton of stuff to comb through when it was getting set up.
So you are saying it can still work? It did see the tunnels and originally was blocking them; I fixed that. I just wanted it to keep seeing OpenAppID and other known bad hosts, etc.
-
I just noticed it does detect IPv6 traffic from the tunnel. This was my major concern, and Snort is working with it. HE is amazing.
-
@JonathanLee said in HE tunnel broker questions:
I went the old way of WAN only
The old way?
If your uplink is rather big, like a Gigabit or way more, it's the dangerous way. Incoming, Internet-originated traffic is normally dropped without any further action taken.
If you decide to have that traffic analyzed by, for example, Snort, then you expose yourself to a much greater DoS risk: the more traffic comes in, the harder Snort is going to "snort" on it.
Now, all it takes is: I, with my bots, send you loads of 'suspect' traffic and your firewall comes to a crawling halt.
Remember: you cannot stop the traffic coming into your WAN, only your ISP can. If you want to spend a zillion CPU cycles on every bad packet, and lots of these are coming in, your firewall will get overloaded.