Good morning everyone,
We're currently facing an issue with Suricata logs (eve.json) still capturing IPv6 traffic, even though IPv6 has been explicitly disabled via Network Manager on the Ubuntu VM.
Despite this configuration, the VM's NIC is still receiving IPv6 packets, which suggests that either the IPv6 stack is still active somewhere, or the hypervisor is injecting or allowing IPv6 traffic through.
For context, the Proxmox VM is connected to two bridged NICs:
1) A promiscuous-mode NIC, used to receive all traffic mirrored from a physical switch port (this is by design, as the VM acts as a passive traffic analyzer).
2) A management NIC for regular access.
IPv6 has been explicitly disabled on both interfaces, on both the Ubuntu guest and the Proxmox host sides (Network Manager and the Proxmox GUI where applicable).
That said, we’d like to be 100% certain that Proxmox VE is not assigning, injecting, or otherwise passing any IPv6 traffic to the Ubuntu VM.
Any insights on how to fully eliminate IPv6 at the hypervisor level—or to verify whether Suricata is simply picking up this traffic passively from the mirrored switch port—would be greatly appreciated.
Below is the part of my /etc/network/interfaces about the NIC in promiscuous mode:
Code:
iface enp2s0 inet manual
    up /sbin/ip link set $IFACE promisc on

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
    up /usr/sbin/brctl setageing vmbr1 0
    up /usr/sbin/brctl setfd vmbr1 0
Thanks in advance!
Edit:
I just noticed I've posted in the wrong forum, gg
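One way to check the second hypothesis in the post above (Suricata passively seeing IPv6 frames from the mirror port), as an added example that is not part of the original post: it splits the IPv6 events in eve.json by capture interface and by whether either endpoint is one of the sensor's own addresses. The interface names, the MAC address and the sample lines are constructed assumptions, and the EUI-64 helper only matches guests that derive their link-local address from the MAC; otherwise pass the addresses reported by `ip -6 addr` instead.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json lines (assumed names: ens19 = mirror NIC, ens18 = management NIC).
SAMPLE_EVE = """
{"event_type":"flow","in_iface":"ens19","src_ip":"fe80::1a2b:3cff:fe4d:5e6f","dest_ip":"ff02::1","proto":"IPv6-ICMP"}
{"event_type":"flow","in_iface":"ens19","src_ip":"2001:db8::10","dest_ip":"2001:db8::20","proto":"TCP"}
{"event_type":"flow","in_iface":"ens19","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"event_type":"flow","in_iface":"ens18","src_ip":"fe80::ff:feaa:bb01","dest_ip":"ff02::2","proto":"IPv6-ICMP"}
{"event_type":"stats","stats":{"uptime":60}}
"""
OWN_MAC = "02:00:00:aa:bb:01"  # constructed MAC of the guest's management NIC

def eui64_link_local(mac):
    """Link-local address a NIC with this MAC forms when it uses EUI-64."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def classify_ipv6(lines, own_addrs):
    """Count IPv6 events per (in_iface, origin). Origin is 'own' when either
    endpoint is one of the sensor's addresses, otherwise 'mirrored'."""
    own = {ipaddress.ip_address(str(a)) for a in own_addrs}
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            src = ipaddress.ip_address(ev["src_ip"])
            dst = ipaddress.ip_address(ev["dest_ip"])
        except (ValueError, KeyError):
            continue  # truncated line, or an event without addresses (stats)
        if src.version != 6:
            continue
        origin = "own" if src in own or dst in own else "mirrored"
        counts[(ev.get("in_iface", "?"), origin)] += 1
    return counts

if __name__ == "__main__":
    result = classify_ipv6(SAMPLE_EVE.splitlines(), [eui64_link_local(OWN_MAC)])
    for (iface, origin), n in sorted(result.items()):
        print(f"{iface:8} {origin:9} {n}")
```

IPv6 events that show up only as `mirrored` on the capture interface are frames copied from the switch port, which guest-side IPv6 settings do not filter; any `own` count means the guest still holds an IPv6 address.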