IDS behind pfsense box



  • Is there a way to configure traffic through a specific pfSense interface to go to an external IDS? I know pfsense can handle snort on the firewall itself, but the pfSense box I have right now doesn't really have the hardware to perform the threat detection that I need. I have traffic from guests on my wifi network (filtered by pfSense) that I'm planning to filter via a virtual machine on a server on a different interface behind the firewall.

    I haven't found any methods on Google so far. I was considering setting the IPS as a gateway for the guest wifi interface but that seems extremely hacky and prone to problems later.



  • If you want to operate in IDS-only mode, then the easiest method would be a SPAN port on the network switch between pfSense and the wireless network. Of course that means you need a smart managed switch that supports a SPAN port (also known as a port mirror).



  • @bmeeks Whoa that's actually a really good idea. I never even thought of it. Thanks!

    Please bear with me because I'm new to networking. The problem is that I'm getting both traffic I don't need monitored and guest traffic on the same port (only one AP). Guest traffic is VLANed using ID 200. Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.



  • @swarm said in IDS behind pfsense box:

    @bmeeks Whoa that's actually a really good idea. I never even thought of it. Thanks!

    Please bear with me because I'm new to networking. The problem is that I'm getting both traffic I don't need monitored and guest traffic on the same port (only one AP). Guest traffic is VLANed using ID 200. Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.

    Yes, you should be able to configure the SPAN port to only mirror the VLAN 200 traffic. Although I guess that may depend on the exact type of managed switch you choose (or have).

    Correct that a SPAN port can only monitor. If you want to block, then you pretty much need an inline mode for the IDS (in which case it then becomes an IPS). Or else you would need a setup that routed all of the VLAN 200 traffic through the pfSense virtual machine with Snort running on it.

    If the server you mention is beefy enough, why not put your perimeter pfSense on it and run Snort there in blocking mode? Properly configured, that will be fine. A good many folks here run pfSense on virtual machines.



  • @bmeeks said in IDS behind pfsense box:

    @swarm said in IDS behind pfsense box:

    @bmeeks Whoa that's actually a really good idea. I never even thought of it. Thanks!

    Please bear with me because I'm new to networking. The problem is that I'm getting both traffic I don't need monitored and guest traffic on the same port (only one AP). Guest traffic is VLANed using ID 200. Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.

    Yes, you should be able to configure the SPAN port to only mirror the VLAN 200 traffic. Although I guess that may depend on the exact type of managed switch you choose (or have).

    Correct that a SPAN port can only monitor. If you want to block, then you pretty much need an inline mode for the IDS (in which case it then becomes an IPS). Or else you would need a setup that routed all of the VLAN 200 traffic through the pfSense virtual machine with Snort running on it.

    If the server you mention is beefy enough, why not put your perimeter pfSense on it and run Snort there in blocking mode? Properly configured, that will be fine. A good many folks here run pfSense on virtual machines.

    I'm working with a Netgear GS110TPv2 which is a smart pro switch. As far as I've seen, I can do anything on it that I can on a completely managed switch except VLAN routing (which I take care of in pfSense so not a problem). After looking it up, I think inline mode is what I'm trying to do, but is that possible through switch configuration?

    The server definitely has enough resources to run a virtual pfSense and do snort inspection on it. I am actually doing that already behind the main pfSense box for just the virtual machines on the server. However, wouldn't it be slightly more secure to make sure AP and traffic from other VLANs never touch the server at all?



  • @swarm said in IDS behind pfsense box:

    @bmeeks said in IDS behind pfsense box:

    @swarm said in IDS behind pfsense box:

    @bmeeks Whoa that's actually a really good idea. I never even thought of it. Thanks!

    Please bear with me because I'm new to networking. The problem is that I'm getting both traffic I don't need monitored and guest traffic on the same port (only one AP). Guest traffic is VLANed using ID 200. Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.

    Yes, you should be able to configure the SPAN port to only mirror the VLAN 200 traffic. Although I guess that may depend on the exact type of managed switch you choose (or have).

    Correct that a SPAN port can only monitor. If you want to block, then you pretty much need an inline mode for the IDS (in which case it then becomes an IPS). Or else you would need a setup that routed all of the VLAN 200 traffic through the pfSense virtual machine with Snort running on it.

    If the server you mention is beefy enough, why not put your perimeter pfSense on it and run Snort there in blocking mode? Properly configured, that will be fine. A good many folks here run pfSense on virtual machines.

    After looking it up, I think inline mode is what I'm trying to do, but is that possible through switch configuration?

    No, the only way you will be able to block with either inline mode or legacy mode is if all of the traffic must pass through pfSense to get to its final destination.

    The server definitely has enough resources to run a virtual pfSense and do snort inspection on it. I am actually doing that already behind the main pfSense box for just the virtual machines on the server. However, wouldn't it be slightly more secure to make sure AP and traffic from other VLANs never touch the server at all?

    Technically that may be true, but a properly configured ESXi box (meaning mostly the virtual networking setup) is pretty secure. It is plenty secure enough for anything domestic or commercial. True it would not pass muster to protect military or spy agency secrets, but it is fine for a home network or most small to medium-sized businesses. I personally would have no qualms using an ESXi-based pfSense firewall to police a guest wireless network and to segregate that wireless network from my other networks. After all, the guest wireless VLAN and your other VLAN networks are sharing the same physical switch, aren't they? So what's the difference with ESXi?


  •

    @swarm said in IDS behind pfsense box:

    Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.

    Just run snort on vlan 200, you only see everything when you add it to the parent interface.
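
    To make the two points above concrete (a mirror that delivers only VLAN 200, and the parent interface seeing every VLAN while a VLAN 200 sub-interface sees only tagged guest frames), here is an added example that is not from the thread or from pfSense/Snort: it builds a few constructed 802.1Q frames as a stand-in for a mirrored capture and filters them by VLAN ID.

```python
import struct

# EtherType values from the 802.1Q and IPv4 standards.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Build a minimal Ethernet frame, optionally carrying an 802.1Q tag (constructed data)."""
    hdr = dst + src
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF          # PCP=0, DEI=0, 12-bit VID
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_vlan(frame):
    """Return (vlan_id or None, inner ethertype, payload offset) for one frame.

    A sensor on the parent (trunk) interface sees frames of every VLAN; the
    VID is what a VLAN-filtered mirror, or a VLAN sub-interface, keys on.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, 18
    return None, ethertype, 14


def select_vlan(frames, vlan_id):
    """Keep only frames tagged with vlan_id, i.e. what a VLAN-only SPAN should deliver."""
    return [f for f in frames if parse_vlan(f)[0] == vlan_id]


# Constructed sample capture: locally administered MACs, dummy payloads.
AP_MAC = b"\x02\x00\x00\x00\x00\x01"
FW_MAC = b"\x02\x00\x00\x00\x00\x02"
UNTAGGED_FRAME = build_frame(FW_MAC, AP_MAC, b"mgmt")            # no tag
GUEST_FRAME = build_frame(FW_MAC, AP_MAC, b"guest", vlan_id=200)  # VLAN 200
LAN_FRAME = build_frame(FW_MAC, AP_MAC, b"lan", vlan_id=10)       # VLAN 10
MIRRORED_CAPTURE = [UNTAGGED_FRAME, GUEST_FRAME, LAN_FRAME]
```

    Run against the constructed capture, `select_vlan(MIRRORED_CAPTURE, 200)` returns only the guest frame, while the whole list is what a sensor bound to the parent interface would have to process.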



  • @bmeeks said in IDS behind pfsense box:

    @swarm said in IDS behind pfsense box:

    @bmeeks said in IDS behind pfsense box:

    @swarm said in IDS behind pfsense box:

    @bmeeks Whoa that's actually a really good idea. I never even thought of it. Thanks!

    Please bear with me because I'm new to networking. The problem is that I'm getting both traffic I don't need monitored and guest traffic on the same port (only one AP). Guest traffic is VLANed using ID 200. Can the SPAN be set up such that it only monitors traffic coming in on VLAN 200? Also, if the traffic is just mirrored, I'm guessing it can't be blocked, just processed. Correct?

    I was definitely hoping for a more pfSense only approach to allow for direct filtering and less duplication, but I'll take the SPAN approach in the meanwhile.

    Yes, you should be able to configure the SPAN port to only mirror the VLAN 200 traffic. Although I guess that may depend on the exact type of managed switch you choose (or have).

    Correct that a SPAN port can only monitor. If you want to block, then you pretty much need an inline mode for the IDS (in which case it then becomes an IPS). Or else you would need a setup that routed all of the VLAN 200 traffic through the pfSense virtual machine with Snort running on it.

    If the server you mention is beefy enough, why not put your perimeter pfSense on it and run Snort there in blocking mode? Properly configured, that will be fine. A good many folks here run pfSense on virtual machines.

    After looking it up, I think inline mode is what I'm trying to do, but is that possible through switch configuration?

    No, the only way you will be able to block with either inline mode or legacy mode is if all of the traffic must pass through pfSense to get to its final destination.

    The server definitely has enough resources to run a virtual pfSense and do snort inspection on it. I am actually doing that already behind the main pfSense box for just the virtual machines on the server. However, wouldn't it be slightly more secure to make sure AP and traffic from other VLANs never touch the server at all?

    Technically that may be true, but a properly configured ESXi box (meaning mostly the virtual networking setup) is pretty secure. It is plenty secure enough for anything domestic or commercial. True it would not pass muster to protect military or spy agency secrets, but it is fine for a home network or most small to medium-sized businesses. I personally would have no qualms using an ESXi-based pfSense firewall to police a guest wireless network and to segregate that wireless network from my other networks. After all, the guest wireless VLAN and your other VLAN networks are sharing the same physical switch, aren't they? So what's the difference with ESXi?

    I'm running Proxmox and not ESXi, although I don't think it will make too much of a difference. Yes they are sharing the same switch, but I'm curious, why does that make the difference?

    I'll look into virtualising it. Appreciate the advice.



  • @swarm: My point was that when you use VLANs on a switch the network traffic is all within the same physical hardware and you are depending on the software/firmware in the switch to keep the different packets separated. That's the same case within a hypervisor. You are depending on the hypervisor software to keep the different networks separated. So the "security risk" in my view is basically the same. I was providing a sort of counter to your argument that it would be slightly safer if the guest VLAN traffic never touched the server at all.

    I'm not familiar with Proxmox, so I can't make a judgement about it. I have used ESXi extensively, though.

