Netgate Discussion Forum
    How to add a separate box for a Snort Firewall to a network?

    pfSense Packages
    • Thrae

      I'm having trouble figuring out how to implement the particular scheme I want:

      • Main pfSense router without Snort installed.
      • (Almost) all traffic goes through a Snort transparent proxy firewall unless it takes too long to respond, in which case the pfSense box stops using the proxy until it responds in a timely fashion again.

      This would be a really long timeout, meaning the proxy box is probably down or at least extremely overloaded. The reason I want a separate box is because I've found Snort especially tends to be rather problematic on pfSense boxes, possibly taking them down, even if they are well over-spec'd.

      I'm guessing one way to do this would be to have the boxes hooked up via a crossover cable such that all requests still go to the pfSense box, but then the pfSense box itself forwards requests first through the Snort Firewall, which then goes back to the pfSense box on the same port if not blocked. Since pfSense supports Snort, I could have the other box also run pfSense and use something like CARP and pfSense's own built-in redundancy.

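As an added example (not code from the thread or from pfSense), the bypass-on-timeout behaviour Thrae describes, written as a small health-monitor state machine: a run of slow or missing probes marks the inspection box down and traffic bypasses it, and the box is only used again after a run of good probes. The thresholds and the probe series are constructed assumptions, not pfSense's gateway-monitor defaults; the bypass windows are recorded because they are periods in which traffic was not inspected at all.

```python
"""Failover decision logic for an out-of-band inspection (Snort) box."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class InspectionFailover:
    """Decide per probe whether traffic is sent via the inspection box or bypasses it.

    Hypothetical thresholds (assumed, not pfSense's dpinger settings):
      timeout_ms  - a probe slower than this counts as a failure
      down_after  - consecutive failures before the box is marked down (bypass)
      up_after    - consecutive good probes before traffic is routed through it again
    The asymmetry (up_after > down_after) is deliberate hysteresis so a flapping
    box does not toggle the path on every probe.
    """
    timeout_ms: float = 2000.0
    down_after: int = 5
    up_after: int = 10
    via_inspection: bool = True
    bad: int = 0
    good: int = 0
    bypass_start: Optional[int] = None
    # Closed bypass windows as (first_bypassed_probe, probe_at_which_inspection_resumed);
    # traffic in these windows was never inspected and should be reviewed/alerted on.
    bypass_windows: List[Tuple[int, int]] = field(default_factory=list)

    def observe(self, idx: int, rtt_ms: Optional[float]) -> str:
        """Feed one probe result (None = no reply). Returns 'inspect' or 'bypass'."""
        ok = rtt_ms is not None and rtt_ms <= self.timeout_ms
        if ok:
            self.good, self.bad = self.good + 1, 0
        else:
            self.bad, self.good = self.bad + 1, 0
        if self.via_inspection and self.bad >= self.down_after:
            self.via_inspection = False          # fail-open: traffic now skips Snort
            self.bypass_start = idx
        elif not self.via_inspection and self.good >= self.up_after:
            self.via_inspection = True
            self.bypass_windows.append((self.bypass_start, idx))
            self.bypass_start = None
        return "inspect" if self.via_inspection else "bypass"


# Constructed probe series: 8 healthy replies, 6 timeouts, then 12 healthy replies.
PROBES: List[Optional[float]] = [50.0] * 8 + [None] * 6 + [60.0] * 12


def simulate(probes: List[Optional[float]]) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Run the monitor over a probe series; return per-probe decisions and bypass windows."""
    fo = InspectionFailover()
    decisions = [fo.observe(i, rtt) for i, rtt in enumerate(probes)]
    return decisions, fo.bypass_windows
```

Note that the path only returns to the inspection box after ten consecutive good probes, so in the constructed series traffic bypasses inspection for eleven probes even though the box answered again after the sixth timeout.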
      • Supermule (Banned)

        I don't have any issues running Snort at all here... running on 46 individual pfSense VMs.

        • A Former User

          @Thrae:

          I'm having trouble figuring out how to implement the particular scheme I want:

          • Main pfSense router without Snort installed.
          • (Almost) all traffic goes through a Snort transparent proxy firewall unless it takes too long to respond, in which case the pfSense box stops using the proxy until it responds in a timely fashion again.

          This would be a really long timeout, meaning the proxy box is probably down or at least extremely overloaded. The reason I want a separate box is because I've found Snort especially tends to be rather problematic on pfSense boxes, possibly taking them down, even if they are well over-spec'd.

          I'm guessing one way to do this would be to have the boxes hooked up via a crossover cable such that all requests still go to the pfSense box, but then the pfSense box itself forwards requests first through the Snort Firewall, which then goes back to the pfSense box on the same port if not blocked. Since pfSense supports Snort, I could have the other box also run pfSense and use something like CARP and pfSense's own built-in redundancy.

          What you found out was not Snort, nor pfSense, or anything related to them. Snort has no problem running on pfSense. If the box is well over-spec'd and taken down, that means you have a lot of bigger fish to fry than Snort not running. I've run Snort on old hardware that should have been sent for recycling a long, long time ago, analyzing traffic most users in here will never see (datacenter-volume traffic), and never had an issue with Snort taking down the box.

          I would not recommend adding another unnecessary box to the network.

          Credentials: Author of the snort and suricata blueprints.
