Suricata

Hi,

Variants of PPPoE do not seem to work: traffic is passed cleanly without being inspected/dropped by the engine. We are not sure if Suricata itself or FreeBSD or both in combination will cause these issues.

Reports seem to indicate that this used to be working in FreeBSD 10.2 with Suricata 3.0, but as we are unable to reproduce in a lab env it's hard to narrow down at the moment.

OPNsense currently uses 3.1.2 and FreeBSD10.3.

What further logging / output can we gather from affected users to see what's happening?

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6>
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::230:18ff:fec5:8cd1%igb0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb0_vlan35: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::230:18ff:fec5:8cd1%igb0_vlan35 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 35 parent interface: igb0
pppoe0: flags=289d1<UP,POINTOPOINT,RUNNING,NOARP,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1492
        inet6 fe80::230:18ff:fec5:8cd1%pppoe0 prefixlen 64 scopeid 0xb
        inet6 fe80::230:18ff:fec6:2554%pppoe0 prefixlen 64 scopeid 0xb
        inet xxx.xxx.x.xx --> xxx.xxx.x.x netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Original threads:
https://forum.opnsense.org/index.php?topic=3630
https://forum.opnsense.org/index.php?topic=3795