Hi There,
I am trying to set up Suricata IPS using the AF_PACKET mode. I don't want to use OPNSense or PFSense as I want to use my Nest Wifi in mesh mode - therefore, I am using Suricata installed on Ubuntu.
I initially did the setup by having one NIC attached to the router and the other NIC to my computer, and tested everything and it worked perfectly. I copied the exact same settings from the documentation (I renamed my interfaces in netplan to eth0/eth1, as needed) -
af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
After this, I made this a bridge between WAN and LAN. For some reason, it was only showing me IPv6 and not IPv4 (when doing ifconfig), and the reject/drop rules had no effect.
I tried to disable IPv6 using -
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
After this, I am seeing IPv4 for eth0 (provided by Spectrum) but the Suricata bridge doesn’t work anymore.
Does the AF_PACKET mode not work between WAN and LAN as I want it to? If not, what are my options?
FYI - just for testing purposes, I placed an additional router between the Spectrum modem and the Ubuntu box and it works fine, but there is dual packet loss and the internet speed changes from 485 Mbps (without router or Suricata) to 450 Mbps (with just the additional router and no Suricata) to 380 Mbps (with both Suricata and the additional router).
Please help.
Regards,
Ashish
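The af-packet section in the post is a two-interface IPS pairing, and the usual reason such a setup silently stops forwarding is an asymmetric pairing (one side's copy-iface not pointing back at the other), a reused cluster-id, or a thread count that differs between the two sides. The following checker is an added example and not part of the post or of Suricata itself; it contains a minimal parser for just this flat list-of-mappings shape (so it runs without PyYAML) and walks the entries the way a practitioner would when reviewing a suricata.yaml before a maintenance window. The sample config is the post's own section, re-indented; the "equal threads on both sides" rule is stated here as an assumption about the docs' IPS guidance, not as a fact taken from the post.

```python
"""Sanity-check an af-packet copy-mode IPS pairing (added example, not Suricata code)."""
from typing import Dict, List

# Constructed sample: the af-packet section from the post above, properly indented.
SAMPLE_AF_PACKET = """\
af-packet:
  - interface: eth0
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: no
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
"""


def parse_af_packet(text: str) -> List[Dict[str, str]]:
    """Parse only the 'af-packet:' list of flat mappings.

    Handles the subset of YAML this section uses: '- key: value' opens a new
    entry and 'key: value' lines continue it. Values stay as strings. Parsing
    stops at the next top-level (unindented) key.
    """
    entries: List[Dict[str, str]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "af-packet:":
            in_section = True
            continue
        if not in_section:
            continue
        if not raw.startswith(" ") and ":" in line:
            break  # another top-level key ends the af-packet section
        if line.startswith("- "):
            entries.append({})
            line = line[2:]
        if ":" not in line or not entries:
            raise ValueError(f"unexpected line in af-packet section: {raw!r}")
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries


def check_ips_pairing(entries: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the pairing is consistent."""
    problems: List[str] = []
    by_iface = {e.get("interface"): e for e in entries}
    seen_cluster_ids: Dict[str, str] = {}
    for e in entries:
        iface = e.get("interface")
        if not iface:
            problems.append("entry without an 'interface' key")
            continue
        if e.get("copy-mode") != "ips":
            problems.append(f"{iface}: copy-mode is not 'ips'")
        peer = e.get("copy-iface")
        if not peer:
            problems.append(f"{iface}: missing copy-iface")
        elif peer not in by_iface:
            problems.append(f"{iface}: copy-iface {peer} has no af-packet entry")
        elif by_iface[peer].get("copy-iface") != iface:
            problems.append(f"{iface} copies to {peer}, but {peer} does not copy back")
        elif by_iface[peer].get("threads") != e.get("threads"):
            # Assumption: both sides of an IPS pair should run the same thread count.
            problems.append(f"{iface}/{peer}: thread counts differ")
        cid = e.get("cluster-id", "")
        if cid in seen_cluster_ids:
            problems.append(f"cluster-id {cid} reused by {seen_cluster_ids[cid]} and {iface}")
        seen_cluster_ids[cid] = iface
    return problems


if __name__ == "__main__":
    for label, cfg in (
        ("post config", SAMPLE_AF_PACKET),
        # Constructed broken variant: eth1 copies to an interface that is not defined.
        ("broken pairing", SAMPLE_AF_PACKET.replace("copy-iface: eth0", "copy-iface: eth2")),
    ):
        found = check_ips_pairing(parse_af_packet(cfg))
        print(f"{label}: {'OK' if not found else found}")
```

Run it against a copy of the af-packet section from your suricata.yaml; the post's own section passes cleanly, so a config-level problem is unlikely there and attention belongs on the bridge and IPv4/IPv6 state of the two interfaces instead.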