@newbieuser1234:
This sounds dumb,but how would I interact with the gui? what IP's would I assign on the WAN and opt. Would the opt1 (the other side of the bridge) be the same IP as the router behind it? just a bit confused on the IP addressing. Thanks again for all your help with this.
Sorry for taking so long to respond. Been a bit busy around here ;D
Interacting with the gui is done through the LAN interface. That's why I suggested "pfsense can easily be used as a transparent bridge, see http://forum.pfsense.org/index.php/topic,20917.0.html and adapt accordingly. Don't forget allow any>any on both interfaces, and DO NOT use the lan interface as a member of the bridge."
pfsense works exactly the same (from a web gui USER's point of view) whether it's running as a bridge or a routing platform. As long as the LAN interface has a valid private ip and there is a rule allowing access to the webgui port, plugging something into the LAN will allow you to administer the box. The important thing to remember is that bridged interfaces have NO IPs, which means that you have to be careful with your rules (eg I have rules disallowing traffic not belonging to an interface's subnet from passing through the firewall, which wouldn't work with a bridge).
A common use case for this is a fully transparent firewalling bridge, which allows for traffic control both ways of the bridge. The bonus is that the bridge is completely invisible on both sides of it (WAN/DMZ), unless you sift through each and every packet observing changes in the packet as it goes through the bridge (which no sane person will do). The LAN interface is used to monitor and administer the bridge, just like I said above. A random tip: do NOT try setting up a bridged CARP cluster without doing your research first.
Back on track:
pfsense box with snort plugin
no ip assigned on WAN/OPT1
Bridge WAN/OPT1 and set up LAN interface with a valid private ip.
webgui allow rule on LAN.
Set up snort as mentioned above
Enjoy :)
EDIT: hit go button too soon. A few thoughts popped up in my head after posting:
A fully transparent bridge should not be able to get on the internet. This means NO communications with the "outside world" which in turn means NO updates, NO snort rule updates (no ip assigned on the WAN, remember? ;) )
A transparent bridge with internet is a bit different. If you have multiple static IPs, just assign one to the wan and proceed with bridging (yes even if it has an IP, yes I've tested a Frankenstein hybrid routing/bridged monster and it works perfectly, even LAN to OPT1 which according to documentation shouldn't work). If you don't have multiple static IPs a bit of default routes/nat will be needed. Basically since pfsense has no sense of other networks when used as a bridge, packets coming from itself will not know where to go or where they are coming from, and need a little "push" to get "out there" :D
