opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Suricata enabled kills IPV6 #8091

Closed eitch closed 5 days ago

eitch commented 6 days ago

Important notices

It's not completely new, as it is related to: https://forum.opnsense.org/index.php?topic=8527.0 and perhaps https://github.com/opnsense/core/issues/2249

Describe the bug

When Suricata is enabled, IPv6 does not receive the RENEW. As soon as I disable Suricata everything works as expected.

I've documented my issue here: https://forum.opnsense.org/index.php?topic=7666.30

To Reproduce

Steps to reproduce the behavior:

  1. Enable suricata with IPV6
  2. After a while the interface is disconnected and dhcp6c can't get a response to its 'Sending Solicit'

Expected behavior

Suricata should not interfere with IPv6 DHCP renewal.

Describe alternatives you considered

Disabling Suricata.

Screenshots

None.

Relevant log files

<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="24"] <118>*** OPNsense.lan: OPNsense 24.7.9_1 (amd64) ***
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="25"] <118>
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="26"] <118> GUEST (vlan0.900) -> v4: XX.XXX.XXX.1/24
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="27"] <118> IOT (vlan0.800) -> v4: XX.XXX.XXX.1/24
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="28"] <118> LAN (ix0)       -> v4: XX.XXX.XXX.1/24
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="29"] <118>                    v6/t6: 2a02:XXXXXXXX/64
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="30"] <118> TV7 (igb0)      -> v4: XX.XXX.XXX.1/24
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="31"] <118> WAN (ix1)       -> v4/DHCP4: XX.XX.XX.XX/25
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="32"] <118>                    v6/DHCP6: 2a02:XXXXXXXX/64
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="33"] <118> WG1 (wg1)       -> v4: XX.XXX.XXX.1/24
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="34"] <118>
<11>1 2024-11-26T11:46:50+01:00 OPNsense.lan flowd_aggregate.py 2561 - [meta sequenceId="35"] flowd aggregate died with message Traceback (most recent call last):   File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 160, in run     aggregate_flowd(self.config, do_vacuum)   File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 80, in aggregate_flowd     stream_agg_object.add(copy.copy(flow_record))   File "/usr/local/opnsense/scripts/netflow/lib/aggregates/source.py", line 117, in add     super(FlowSourceAddrDetails, self).add(flow)   File "/usr/local/opnsense/scripts/netflow/lib/aggregates/__init__.py", line 185, in add     self._update_cur.execute(self._update_stmt, flow) sqlite3.DatabaseError: database disk image is malformed 
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="36"] <118> HTTPS: sha256 XXXXXXXX
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="37"] <118>               XXXXXXXX
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="38"] <118> SSH:   SHA256 XXXXXXXX (ECDSA)
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="39"] <118> SSH:   SHA256 XXXXXXXX (ED25519)
<13>1 2024-11-26T11:46:50+01:00 OPNsense.lan kernel - - [meta sequenceId="40"] <118> SSH:   SHA256 XXXXXXXX (RSA)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="41"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (,wan,lan,inet6)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="42"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : ipsec_configure_do(,wan,lan))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="43"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : openvpn_configure_do(,wan,lan))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="44"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : wireguard_configure_do())
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="45"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn (,wan)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="46"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip (,wan)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="47"] /usr/local/etc/rc.newwanipv6: plugins_configure vpn (,lan)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="48"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip (,lan)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="49"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (,wan,lan,inet6)
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="50"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : dhcrelay_configure_if(,wan,lan,inet6))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="51"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : dnsmasq_configure_do())
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="52"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : igmpproxy_configure_do())
<12>1 2024-11-26T11:46:52+01:00 OPNsense.lan igmpproxy 52173 - [meta sequenceId="53"] select() failure; Errno(4): Interrupted system call
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="54"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : ntpd_configure_do())
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="55"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : opendns_configure_do())
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="56"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : openssh_configure_do(,wan,lan))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="57"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : unbound_configure_do(,wan,lan))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="58"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : vxlan_configure_do())
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="59"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : webgui_configure_do(,wan,lan))
<13>1 2024-11-26T11:46:52+01:00 OPNsense.lan opnsense 84713 - [meta sequenceId="60"] /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : wireguard_sync())
<13>1 2024-11-26T11:47:20+01:00 OPNsense.lan kernel - - [meta sequenceId="62"] 040.089948 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:20+01:00 OPNsense.lan kernel - - [meta sequenceId="63"] 040.089962 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:20+01:00 OPNsense.lan kernel - - [meta sequenceId="64"] 040.089969 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:20+01:00 OPNsense.lan kernel - - [meta sequenceId="65"] 040.119992 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:20+01:00 OPNsense.lan kernel - - [meta sequenceId="66"] <6>ix1: link state changed to DOWN
<13>1 2024-11-26T11:47:21+01:00 OPNsense.lan opnsense 48091 - [meta sequenceId="67"] /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(ix1)
<13>1 2024-11-26T11:47:22+01:00 OPNsense.lan opnsense 48091 - [meta sequenceId="68"] /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
<13>1 2024-11-26T11:47:22+01:00 OPNsense.lan opnsense 48091 - [meta sequenceId="69"] /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
<13>1 2024-11-26T11:47:23+01:00 OPNsense.lan kernel - - [meta sequenceId="70"] 042.883130 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:23+01:00 OPNsense.lan kernel - - [meta sequenceId="71"] 042.883148 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<13>1 2024-11-26T11:47:23+01:00 OPNsense.lan kernel - - [meta sequenceId="72"] 042.883159 [ 852] iflib_netmap_config       txr 8 rxr 8 txd 2048 rxd 2048 rbufsz 2048
<29>1 2024-11-26T11:47:23+01:00 OPNsense.lan dhcp6c 64385 - [meta sequenceId="73"] restarting
<29>1 2024-11-26T11:47:23+01:00 OPNsense.lan dhcp6c 64385 - [meta sequenceId="74"] Bypassing address release because of -n flag
<29>1 2024-11-26T11:47:23+01:00 OPNsense.lan dhcp6c 64385 - [meta sequenceId="75"] remove an address 2a02:XXXXXXXX/128 on ix1
<29>1 2024-11-26T11:47:23+01:00 OPNsense.lan dhcp6c 64385 - [meta sequenceId="76"] Bypassing address release because of -n flag
<29>1 2024-11-26T11:47:23+01:00 OPNsense.lan dhcp6c 64385 - [meta sequenceId="77"] remove an address 2a02:XXXXXXXX/64 on ix0

Additional context

None.

Environment

OPNsense 24.7.9_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15
AMD Ryzen 7 5800X 8-Core Processor
Intel(R) X520 82599ES (SFI/SFP+)

fichtner commented 6 days ago

Is this the solution to your Init7 DHCPv6 adventure?

For the record, I think this will be better suited to the Suricata bug tracker: https://redmine.openinfosecfoundation.org/projects/suricata

Cheers, Franco

Monviech commented 6 days ago

Is this issue before or after you set any rules to "drop"?

eitch commented 6 days ago

I didn't change this. One day it worked, the next it didn't. I've been running IPv6 and Suricata for a couple of months, but only recently realized it didn't work, due to certificates not renewing because of timeout issues on IPv6. Thus I started my IPv6 not working adventure =))

Monviech commented 6 days ago

I had IPv6 not working at some point because the rules added a multicast drop rule.

2030387 emerging-exploit.rules ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read

Can you please verify if you have any rules like these in your ruleset, any alerts on IPv6 multicast or unicast addresses, and if anything is dropped regarding this?

I'm using Suricata with IPv6 myself and it's been working for 3 years after tuning the ruleset.

It could be entirely possible though that our configurations or issues differ.
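The check suggested above (look for drops hitting IPv6 multicast or the DHCPv6 exchange) can be scripted against Suricata's EVE JSON log. The following is an added example, not code from the issue thread or from OPNsense. It reads `eve.json` alert events, keeps only those Suricata actually dropped (`"action": "blocked"`, which is what IPS mode emits for a drop rule), and flags any whose destination is an IPv6 multicast address or whose UDP ports are the DHCPv6 ports 546/547 (a dhcp6c Solicit goes from UDP 546 to `ff02::1:2` UDP 547, so a multicast drop rule silently kills it). The sample log lines are constructed for the example; the default log path `/var/log/suricata/eve.json` is an assumption about the local install.

```python
"""Triage Suricata eve.json for drops that would break IPv6 / DHCPv6 on the WAN."""
import ipaddress
import json
import sys
from collections import Counter

# Constructed sample eve.json lines (not taken from the issue's logs). Addresses are
# placeholders; SID 2030387 is the ET EXPLOIT rule named in the thread.
SAMPLE_EVE = """\
{"timestamp":"2024-11-26T11:47:20.000000+0100","event_type":"alert","src_ip":"fe80::1a2b:3c4d:5e6f:7081","src_port":546,"dest_ip":"ff02::1:2","dest_port":547,"proto":"UDP","in_iface":"ix1","alert":{"action":"blocked","signature_id":2030387,"rev":2,"signature":"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-11-26T11:47:21.000000+0100","event_type":"alert","src_ip":"fe80::1","src_port":0,"dest_ip":"ff02::1","dest_port":0,"proto":"IPv6-ICMP","in_iface":"ix1","alert":{"action":"allowed","signature_id":2030387,"rev":2,"signature":"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-11-26T11:47:22.000000+0100","event_type":"alert","src_ip":"203.0.113.10","src_port":40000,"dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","in_iface":"ix1","alert":{"action":"blocked","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-11-26T11:47:23.000000+0100","event_type":"flow","src_ip":"fe80::1a2b:3c4d:5e6f:7081","dest_ip":"ff02::1:2","proto":"UDP"}
"""

DHCPV6_PORTS = {546, 547}  # client / server-and-relay ports (RFC 8415)


def is_ipv6_multicast(addr: str) -> bool:
    """True for any ff00::/8 destination (ff02::1:2 is the DHCPv6 relay/server group)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 6 and ip.is_multicast


def is_dhcpv6(ev: dict) -> bool:
    """UDP traffic on either DHCPv6 port, regardless of direction."""
    return ev.get("proto") == "UDP" and bool(
        {ev.get("src_port"), ev.get("dest_port")} & DHCPV6_PORTS
    )


def find_ipv6_drops(eve_lines):
    """Return alert events Suricata dropped that hit IPv6 multicast or DHCPv6.

    Alerts with action "allowed" are alert-only and do not break traffic, so
    they are deliberately excluded; only "blocked" explains a dead renewal.
    """
    hits = []
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated last line in a live log
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if alert.get("action") != "blocked":
            continue
        mcast = is_ipv6_multicast(ev.get("dest_ip", ""))
        dhcp6 = is_dhcpv6(ev)
        if mcast or dhcp6:
            hits.append({
                "timestamp": ev.get("timestamp"),
                "sid": alert.get("signature_id"),
                "signature": alert.get("signature"),
                "iface": ev.get("in_iface"),
                "src": ev.get("src_ip"),
                "dst": ev.get("dest_ip"),
                "dest_port": ev.get("dest_port"),
                "multicast": mcast,
                "dhcpv6": dhcp6,
            })
    return hits


def summarize(hits):
    """Count drops per (sid, signature) so the offending rule stands out."""
    return Counter((h["sid"], h["signature"]) for h in hits)


def main(argv):
    # Assumed default location on an OPNsense box; pass a path to override.
    path = argv[1] if len(argv) > 1 else "/var/log/suricata/eve.json"
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.readlines()
    except OSError:
        print(f"{path} not readable, using constructed sample data", file=sys.stderr)
        lines = SAMPLE_EVE.splitlines()
    hits = find_ipv6_drops(lines)
    for (sid, sig), n in summarize(hits).most_common():
        print(f"{n:5d} drops  sid:{sid}  {sig}")
    for h in hits:
        kind = "DHCPv6" if h["dhcpv6"] else "IPv6 multicast"
        print(f"  {h['timestamp']} {h['iface']} {h['src']} -> {h['dst']}:{h['dest_port']} [{kind}]")


if __name__ == "__main__":
    main(sys.argv)
```

Any SID that shows up here with DHCPv6 or multicast drops on the WAN interface is a candidate for disabling (or demoting from drop to alert) before blaming the ISP or dhcp6c.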

eitch commented 6 days ago

Thanks, I'll check this.

eitch commented 5 days ago

Yes, this truly was the issue! Thanks for the tip!

Monviech commented 5 days ago

This rule is really sneaky, it caused me a lot of grief. :)

fichtner commented 5 days ago

To be frank the rule is probably faulty...

Monviech commented 5 days ago

So it still is considered an upstream issue then? But of the ET ruleset I guess?

fichtner commented 5 days ago

Most likely, yes.

eitch commented 5 days ago

I disabled the rule and also switched Suricata to not be on the WAN, so this shouldn't happen again. Really annoying, but yes, I guess this is an issue with upstream.