Netgate Discussion Forum

    Source IP is WAN - need to know LAN IP?

      spittlbm

      Snort is blocking an outbound Fiesta Kit from my network.  In the logs/General, it's only showing the WAN IP address.  How do I find the offending LAN IP address so I can go clean that machine?

      Thanks!

        bmeeks

        Short answer is you can't.  The longer answer is maybe you could if you did a bunch of packet captures on the LAN and WAN and tried to decode the NAT ports.

        Do a quick search here in this sub-forum for "Snort on LAN or WAN" and you should get some hits.  I recommend users put Snort on their LAN interface when they operate in a NAT environment (as nearly all of the pfSense users here do).  That way Snort sees traffic before the NAT rules have been applied, so your LAN clients' true IP addresses will appear in the alerts.  When you run Snort on the WAN only, then Snort sees traffic after NAT rules have been applied for outbound traffic and before NAT rules are applied for inbound traffic.  So in both instances Snort sees only your WAN IP as the "local address".

        UPDATE:  I should have stated in my earlier post that you can quickly swap Snort from WAN to LAN by simply going to the INTERFACE SETTINGS tab and changing the interface drop-down selection from WAN to LAN and save the change.  Don't forget to also change the description field.  That field is purely for labeling, but it might get confusing later if the description said "WAN" but the actual interface selected is the LAN.

        Bill

          2chemlud Banned

          …just to add that you simply press the "Download" button on the alert page and get a packed container with captures you can open in Wireshark to see what was going on... ;-)

            spittlbm

            Thanks for the help!

              Derelict LAYER 8 Netgate

              If you know the characteristics of the traffic you might be able to get it out of Diagnostics > States.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
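
The state-table lookup suggested in the last reply, sketched as an added example (not code from the thread or from pfSense): it takes the WAN-side flow from a Snort alert and finds the pre-NAT LAN endpoint in a state dump. The `pfctl -ss` line layout, the interface names and every address below are assumptions, and the sample dump is constructed.

```python
import re

# Constructed sample in the layout FreeBSD's `pfctl -ss` uses for NAT states
# (an assumption of this example): IFACE PROTO WAN_SIDE (LAN_SIDE) -> REMOTE STATE
SAMPLE_STATES = """\
em1 tcp 192.168.1.23:51544 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:40123 (192.168.1.23:51544) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:11620 (192.168.1.40:53411) -> 192.0.2.53:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.5:22 <- 198.51.100.99:60022       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:62001 (192.168.1.40:49152) -> 198.51.100.7:80       FIN_WAIT_2:FIN_WAIT_2
"""

NAT_STATE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<wan>\S+)\s+"
    r"\((?P<lan>[^)]+)\)\s+->\s+(?P<remote>\S+)"
)

def split_endpoint(text):
    """Split 'addr:port' (IPv4) or 'addr[port]' (pf's IPv6 notation)."""
    if text.endswith("]"):
        addr, port = text[:-1].split("[", 1)
    else:
        addr, _, port = text.rpartition(":")
    return addr, int(port)

def nat_states(dump):
    """Yield (proto, wan, lan, remote) for every outbound NAT state in the dump."""
    for line in dump.splitlines():
        m = NAT_STATE.match(line.strip())
        if m:
            yield (m["proto"], split_endpoint(m["wan"]),
                   split_endpoint(m["lan"]), split_endpoint(m["remote"]))

def find_lan_hosts(dump, wan_ip, remote_ip, remote_port=None, wan_port=None):
    """Return the LAN (addr, port) behind each state matching the alert's flow."""
    hits = []
    for _proto, wan, lan, remote in nat_states(dump):
        if wan[0] != wan_ip or remote[0] != remote_ip:
            continue
        if remote_port is not None and remote[1] != remote_port:
            continue
        if wan_port is not None and wan[1] != wan_port:
            continue
        hits.append(lan)
    return hits

if __name__ == "__main__":
    # Alert as seen on WAN: 203.0.113.5:40123 -> 198.51.100.7:80
    print(find_lan_hosts(SAMPLE_STATES, "203.0.113.5", "198.51.100.7", 80, 40123))
```

Matching on the remote address alone can return several LAN hosts; the alert's WAN-side source port narrows it to one. The lookup only works while the state is still in the table.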

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.