2 or Not 2 put Suricata on a 2nd LAN port?



  • Hello All
    I am wanting to use Suricata on our pfSense box and wondering if I should use a 2nd LAN connection so Suricata won't impact the bandwidth on the main LAN port. Is that a good idea or not?
    Thank you for any input, good or bad.



  • @necs-gungaro said in 2 or Not 2 put Suricata on a 2nd LAN port?:

    Hello All
    I am wanting to use Suricata on our pfSense box and wondering if I should use a 2nd LAN connection so Suricata won't impact the bandwidth on the main LAN port. Is that a good idea or not?
    Thank you for any input, good or bad.

    Your logic is flawed. Suricata impacts your firewall by needing CPU time to process packets. Putting it on a second LAN interface does nothing to change that. Suricata still uses the same amount of CPU to process packets no matter what firewall interface it is running on (assuming the same rules are used).

    So the answer to your question is "no", that is not a good idea. Just put Suricata on the LAN. Now, if you mean put Suricata on a totally separate box hanging off of a different switch port configured for port mirroring within the switch, then "yes", that would save CPU cycles on your firewall. Of course in this configuration, Suricata could never block traffic. It could only see it and alert on it. Plus you need a very capable managed switch to set up the port mirroring and be able to handle the traffic load from the mirroring.
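    The real question behind "will it impact bandwidth" is whether Suricata keeps up with the packet rate on the interface it monitors. The check below is an added example, not code from this thread, from bmeeks, or from the pfSense/Netgate Suricata package: it reads the periodic `stats` events Suricata writes to its EVE JSON log and computes per-interval capture drop ratios from the cumulative `capture.kernel_packets` and `capture.kernel_drops` counters (assumed field layout; the sample log lines embedded here are constructed). A rising drop ratio means the box is short on CPU for the rule set, whichever interface Suricata sits on.

```python
import json

# Constructed sample of EVE JSON lines: three cumulative "stats" events and one
# unrelated alert event. Field names follow the assumed layout
# stats.capture.kernel_packets / stats.capture.kernel_drops.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":100000,"kernel_drops":0}}}
{"timestamp":"2024-01-01T10:00:10.000000+0000","event_type":"alert","alert":{"signature":"constructed alert"}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":300000,"kernel_drops":4000}}}
{"timestamp":"2024-01-01T10:02:00.000000+0000","event_type":"stats","stats":{"uptime":180,"capture":{"kernel_packets":320000,"kernel_drops":4000}}}
"""


def capture_intervals(eve_text):
    """Return one tuple per stats event after the first:
    (timestamp, packets_in_interval, drops_in_interval, drop_ratio).

    Counters in the stats event are cumulative since Suricata start, so the
    per-interval figure is the difference between consecutive events.
    """
    prev = None
    results = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "stats":
            continue  # alerts, flows, etc. carry no capture counters
        cap = ev.get("stats", {}).get("capture", {})
        packets = cap.get("kernel_packets", 0)
        drops = cap.get("kernel_drops", 0)
        if prev is not None:
            d_packets = packets - prev[0]
            d_drops = drops - prev[1]
            if d_packets < 0 or d_drops < 0:
                # Counters went backwards: Suricata restarted, so this
                # interval cannot be measured; resync on the new baseline.
                prev = (packets, drops)
                continue
            ratio = d_drops / d_packets if d_packets > 0 else 0.0
            results.append((ev["timestamp"], d_packets, d_drops, ratio))
        prev = (packets, drops)
    return results


def flag_drop_intervals(intervals, threshold=0.01):
    """Return the intervals whose drop ratio exceeds the threshold (1% by default)."""
    return [iv for iv in intervals if iv[3] > threshold]


if __name__ == "__main__":
    intervals = capture_intervals(SAMPLE_EVE)
    for ts, pk, dr, ratio in intervals:
        print(f"{ts}: {pk} packets, {dr} dropped ({ratio:.2%})")
    for ts, _, _, ratio in flag_drop_intervals(intervals):
        print(f"WARNING: capture drops above threshold at {ts} ({ratio:.2%})")
```

Point `capture_intervals` at the contents of the EVE log on the firewall instead of `SAMPLE_EVE` to get real figures; if drops appear only during busy periods, the fix is fewer or cheaper rules or more CPU, not a second LAN port.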



  • @bmeeks Thank you for your candid answer bmeeks. Duly noted and will not be attempted.