Yeah, Issue #1 is the main problem I've been having; next would be Issue #2, whitelisted machines getting blocked.
Issue #1
Each change or update to the config modifies snort.conf and ",/32" is added to the HOME_NET variable, then snort fails to start. Manual modification to change it to reflect the host's IP is required (i.e. 10.0.1.2/32), then a restart of snort.
Issue #2
Snort is blacklisting whitelisted IPs (namely my DNS servers and an additional server in my DMZ).
This may be something I have to work out on my own, but as stated my setup is
                         WiFi Router (external IP #1)
Cable Modem------Hub----<
                         pfSense/Snort (external IP #2)
Snort picks up traffic between the WiFi router (ext IP #1) and things like my DNS servers. This is where I get the error:
(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ]
03/06-21:50:51.235361 [External IP #1] -> [DNS server]
ICMP TTL:64 TOS:0x0 ID:19164 IpLen:20 DgmLen:56 DF
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
Should I just add an additional NIC to pfSense, and rather than go inet, hub, split... go inet -> pfSense... thus bridging WAN to OPT1 and OPT2 on pfSense, and plug my WiFi router into OPT2, giving it full * access... (I don't wanna block anything for WiFi, I want full open access.) Only thing is, snort will still function on that network as I'm listening on WAN...
Could I listen on OPT1 instead? Or would snort still function?
I.e.
                    [snort] OPT1 - Internal network
inet -> pfSense WAN <
                            OPT2 - DMZ WiFi
or would that work?
Rather than
                            OPT1 - Internal network
inet WAN [snort] <
                            OPT2 - WiFi DMZ
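Issue #1 above (a bare ",/32" landing in HOME_NET so Snort refuses to start) is easy to catch before a restart. The script below is an added example written for this thread, not code from the pfSense Snort package or from the poster; it parses the ipvar lines of a constructed snort.conf fragment, reports entries Snort would reject (an empty address in front of a prefix, or an invalid CIDR), and applies the same repair the post describes by hand, rewriting the bare "/32" to the host's own address. The sample config text and the host IP 10.0.1.2 are assumptions taken from the post's own example, not real configuration.

```python
import ipaddress
import re

# Constructed sample of the broken snort.conf fragment described in Issue #1:
# the package writes an entry with no address in front of the /32 prefix.
BROKEN_CONF = """\
ipvar EXTERNAL_NET any
ipvar HOME_NET [10.0.1.0/24,192.168.1.0/24,/32]
ipvar DNS_SERVERS [10.0.1.53/32]
"""

# Matches one "ipvar NAME VALUE" line; [ \t] rather than \s so the
# match never spills across line breaks when used with re.MULTILINE.
IPVAR_RE = re.compile(r"^[ \t]*ipvar[ \t]+(\w+)[ \t]+(\S+)[ \t]*$", re.MULTILINE)


def _split_entries(value):
    """Turn '[a,b,c]' or 'any' into a list of stripped entries."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",")]


def parse_ipvar(conf_text, name):
    """Return the entries of 'ipvar <name>' from the config text."""
    for m in IPVAR_RE.finditer(conf_text):
        if m.group(1) == name:
            return _split_entries(m.group(2))
    raise KeyError(f"ipvar {name} not found")


def find_bad_entries(entries):
    """Return entries Snort would reject: empty, bare prefix, or invalid CIDR."""
    bad = []
    for entry in entries:
        if entry == "any":
            continue
        body = entry[1:] if entry.startswith("!") else entry  # allow negation
        if body == "" or body.startswith("/"):
            bad.append(entry)  # the ",/32" failure mode from the post
            continue
        try:
            ipaddress.ip_network(body, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def repair_home_net(conf_text, host_ip, var="HOME_NET"):
    """Rewrite a bare '/NN' entry in <var> as '<host_ip>/NN' (the manual fix)."""
    ipaddress.ip_address(host_ip)  # raises ValueError on a malformed host address

    def fix(m):
        if m.group(1) != var:
            return m.group(0)  # leave every other ipvar line untouched
        entries = _split_entries(m.group(2))
        fixed = [f"{host_ip}{e}" if e.startswith("/") else e for e in entries]
        return f"ipvar {var} [{','.join(fixed)}]"

    return IPVAR_RE.sub(fix, conf_text)


if __name__ == "__main__":
    before = find_bad_entries(parse_ipvar(BROKEN_CONF, "HOME_NET"))
    print("bad HOME_NET entries:", before)
    repaired = repair_home_net(BROKEN_CONF, "10.0.1.2")
    print(repaired)
    print("bad after repair:", find_bad_entries(parse_ipvar(repaired, "HOME_NET")))
```

Run it against a copy of the generated snort.conf before restarting the service; a non-empty "bad HOME_NET entries" list is the early warning that the package has regenerated the broken variable again.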