Snort on LAN (beginner)

RickTosch

Good day,

Snort on LAN and not WAN?
I found this question being asked several times on this forum and general consensus was "go with Snort on LAN if using NAT".
PLEASE FORGIVE me for bringing this up yet one more time. I am trying to wrap my head around this and by creating a silly post obviously having issue with that.
In layman's terms, my understanding is that I want to block the bad guys' attempts to compromise network (DDOS for example) on the WAN part of the firewall, before getting to LAN.
So Why LAN?
Am I misunderstanding IPS completely? or above is the firewall's job?

My home network is very simple:

PCs
  |
LAN (172.16.0.0)
  |
pfSense
  |
WAN (192.168.0.0)
  |
ISP Router
  |
Internet

I have double NAT going on, maybe this is where I am getting confused.
Thank you very much!

fsansfil

You kinda always need a firewall in front/inline.
Otherwise you would be processing malicious packets sent against your IDS
or jsut processing useless packets that a firewall could have drop faster.

To block ports,ip,protocol = firewall
To block domains,url,user agent = proxy
To block patterns, evasion/obfuscation kunfu, malware, deep packet inspection with complex regex = IDS

F.