Consider all network as External Net even other local network



  • Hi,
    On my pfSense I have 1 WAN and 4 LANS, I configure Suricata on 4 LAN interfaces.
    By default, External Net list exclude local LAN addresses. I would like to consider all network even other local network as external net so I created an empty list and assigned it to External Net in Suricata. Is it the best way to do it ?
    Example : LAN1 is for server, LAN2 is for laptop, I want to consider LAN2 as external network to be sure to apply maximum rules, like if traffic come from WAN.
    Best Regards
    Fabrice



  • No, to be honest that is not the best solution. You should basically never monkey with the default definitions of EXTERNAL_NET and HOME_NET. If you do, you had better fully understand why you need to do that as you likely invalidate a large majority of the rules in the standard Snort and Emerging Threats collections when changing those two variables. Those rules depend on EXTERNAL_NET and HOME_NET being properly defined.

    Why do you think you need to change the EXTERNAL_NET definition?



  • I will try to explain my thought with HTTP example :
    WAN (443 TLS request)->DMZ (80 request)->LAN1 (servers)
    I setup a DMZ with servers exposed to internet (I'm hosting services, like web server), on this interface rules applies well because request comme from Internet (External net). Then request is forward to LAN1 on port 80 so suricata can inspect request even if it was HTTPS at DMZ interface side. Problem is currently DMZ is considered as Home net so suricata rules on LAN1 interfaces is not apply correctly.
    I would like to consider DMZ as External net on LAN1 interface suricata.

    Since my first message, I changed configuration of Home net an External net. I created a "passlist" with WAN IP and an alias with my LAN1 network. I applaied this passlist to Home net of suricata interface and set External net as default.
    Now it seems better to me, Home net contain onlt LAN1 adresses and not the other LAN adresses, and External net exclude only LAN1 adresses.



  • In that case you will need to use customized Pass Lists as you stated. I will look into adding the HOME_NET and EXTERNAL_NET variables to the list on the VARIABLES tab so they can more easily be customized by the user without resorting to customized Pass Lists.



  • Hi,
    I post this information on this thread because we talk about pass list improvement.
    When I check "VPN Addresses" to create a custom HOME_NET list, IPv4 network is OK but IPv6 network of my OpenVPN is not added.


Log in to reply