IPS mode on Raspberry Pi configured as Wi-Fi Bridge

Hello All,

I would like to ask for help and advice regarding the following:
I’m trying to use Suricata as an IPS on a Raspberry Pi that is configured as Wi-Fi Bridge.
OS: Ubuntu Server 20.04
Hardware: Raspberry Pi 4 2GB

I used hostapd and netplan to configure the Wi-Fi and the bridge, it works fine.
The RPi is connected to my broadband router via Ethernet, and it broadcasts a Wi-Fi network.
The devices that join the Wi-Fi of the RPi get allocated an IP from my router, I don’t create a separate network for the Wi-Fi broadcast by the RPi.
The devices have Internet access so the Wi-Fi bridge mode works as expected.

However, I cannot drop packets when running Suricata in IPS mode with NFQUEUE.
When I run suricata in monitoring mode: suricata -i br0, it sees all the traffic from/to the devices connected to the Wi-Fi broadcast by the RPi.
However, when I run suricata in NFQUEUE IPS mode it does not see the traffic from the devices.
I tried using the forwarding rule, but very few packets are forwarded to the NFQUEUE when I check with iptables -vnL:
sudo iptables -I FORWARD -j NFQUEUE

I used to run suricata in IPS like this with a bridge interface used for Qemu VMs and it worked fine, but it doesn’t work for the Wi-Fi bridge.

The IPS mode works when a secondary network is created, but doesn’t work when the Wi-Fi is bridged, i.e. the devices get an IP from the router not from a subnet for the RPi.

Do you think I’m missing something or should I apply any other routing/firewall rules to make this setup work?

Many Thanks

So if you use a -j LOG target instead of NFQUEUE you don’t see all the packets, right?
Thus you need to improve the iptables setup. Do those packets appear in the INPUT/OUTPUT chains?
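An added diagnostic script for the two checks that come up in this thread (it is not code from either poster or from the Suricata project). On Linux, frames that are merely bridged between the Wi-Fi and Ethernet ports of br0 only traverse the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1; otherwise a FORWARD rule, whether its target is NFQUEUE or the LOG target suggested in the reply, only ever sees the occasional routed packet. The script checks that switch and reads the packet counter of a given target out of `iptables -vnxL FORWARD` output, so you can see whether the counter moves while a Wi-Fi client is generating traffic. Assumptions: the `-x` flag is used so counters are exact numbers rather than abbreviated (12K), the sysctl path is the standard one, and the sample listing embedded below is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes `iptables -vnxL`
# style listings (pkts/bytes in the first two columns, target in the third).

# Print the packet counter of the first rule with the given target (e.g.
# NFQUEUE or LOG) in a listing read from the file in $2 or from stdin.
# Prints 0 and returns 1 when no such rule exists in the listing.
rule_pkts() {
  awk -v tgt="$1" '
    $3 == tgt { print $1; found = 1; exit }
    END { if (!found) { print 0; exit 1 } }
  ' "${2:--}"
}

# Return 0 when bridged frames are handed to iptables (sysctl value 1),
# 1 when the switch is off or the file is missing (br_netfilter not loaded).
# Optional $1 overrides the sysctl path, which is the standard Linux one.
bridge_nf_enabled() {
  f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
  [ -r "$f" ] || return 1
  [ "$(cat "$f")" = "1" ]
}

# Live check, run as root on the Pi while a Wi-Fi client is browsing.
# It is not invoked automatically; call `live_check` yourself.
live_check() {
  if bridge_nf_enabled; then
    echo "bridge-nf-call-iptables=1: bridged frames traverse the FORWARD chain"
  else
    echo "bridge-nf-call-iptables is 0 or br_netfilter is not loaded:"
    echo "bridged frames bypass FORWARD, so an NFQUEUE/LOG rule there sees almost nothing"
  fi
  before=$(iptables -vnxL FORWARD | rule_pkts NFQUEUE)
  sleep 5
  after=$(iptables -vnxL FORWARD | rule_pkts NFQUEUE)
  echo "packets queued to NFQUEUE in 5 s: $((after - before))"
}

# Constructed sample of `iptables -vnxL FORWARD` output for the offline demo:
# the rule from the thread exists, but almost nothing has reached it.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        252 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Offline demonstration (no root needed): prints 3.
printf '%s\n' "$SAMPLE_LISTING" | rule_pkts NFQUEUE
```

If `bridge_nf_enabled` reports the switch as off, `modprobe br_netfilter` followed by `sysctl -w net.bridge.bridge-nf-call-iptables=1` makes bridged frames traverse the FORWARD chain; after that the NFQUEUE counter should climb while a Wi-Fi client is active, and Suricata in NFQUEUE mode will see the same flows it saw with `-i br0`.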