Netgate Discussion Forum
    How to skip/bypass fully ignore subnet.

      itNGO:

      Hello,

      maybe someone can explain how and where exactly to create a config to completely ignore a subnet in all Suricata inspection.

      Some docs state about "Advanced Configuration Pass-Through" to put
      "not host 1.2.3.4/24" but I am missing the correct syntax.
      Whatever I enter here, the interface does not start anymore.

      Thank you

        bmeeks:

        No, using the Advanced Pass-Through is incorrect advice. In order to use the syntax suggested you would also have to create a custom BPF configuration as that is not part of the normal package setup on pfSense.

        The most expedient way to do this is to go to the RULES tab for the interface and select Custom Rules in the rules category drop-down. Then enter a custom rule like this one and save it.

        pass ip 1.2.3.0/24 any <> any any (msg:"pass all traffic from/to 1.2.3.0/24"; sid:2000000;)

        This rule will let all traffic (all ports and protocols) originating from, or heading to, the 1.2.3.0/24 subnet pass uninspected. It is key to note here that this network will bypass ALL Suricata inspection and alerting.

        Make sure you choose a SID that is not a duplicate of any other. In my example I chose 2 million (2000000), but whatever you choose, just make sure every rule SID (signature ID) is unique.

          itNGO:

          Hello bmeeks,

          thank you for the explanation.
          I guess this will do the job.

          But one question. This would mean the "traffic" will pass through the IPS engine but is allowed "always".

          Is there a way to exclude the traffic entirely for some subnet? Sophos UTM for example can do this. It's just to get the maximum throughput for a specific "subnet" which is already monitored by IPS elsewhere.

            bmeeks:

            Not possible to have specific subnets bypass the IPS engine on pfSense due to the way the plumbing works. But when using IDS-only mode, or Legacy Blocking Mode, it really does not matter anyway as Suricata in those modes uses libpcap to obtain copies of packets as they traverse an interface. So the Suricata engine is not in the direct line of packet processing.

            Another frequently misunderstood fact about Suricata (especially on pfSense platforms) is where the actual engine sits in the packet path. It sits directly behind the NIC and in front of the firewall engine. So Suricata will ALWAYS see packets before the firewall rules are applied. In Legacy Blocking Mode or IDS-only mode, Suricata sees packets about the same time as the firewall (due to the packet copying), but in either case (Inline IPS Mode, IDS-only mode, or Legacy Blocking Mode), Suricata sees traffic before any firewall rules in place on the interface are evaluated.

              itNGO (replying to bmeeks):

              @bmeeks 👍 Thank you. Working perfectly now.

                bmeeks (replying to itNGO):

                @itNGO said in How to skip/bypass fully ignore subnet.:

                    @bmeeks 👍 Thank you. Working perfectly now.

                One other point I should have mentioned. PASS rules are one of the very first things looked at, so when traffic matches a PASS rule the Suricata inspection pipeline is very quickly exited. PASS rules are checked for matches before any other rule, so traffic matching a PASS rule quickly exits the inspection engine, and thus there is minimal performance impact. It's not zero impact, but it is minimal.

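The following is an added example, not code from this thread, from pfSense, or from the Suricata project. It pulls together the two practical points above: bmeeks's advice to write a custom PASS rule for the subnet and to keep every SID unique, and the later note that PASS rules are evaluated before any other rule. The script parses Suricata-style rule lines, reports duplicate SIDs, and applies a simplified model of Suricata's default action order (pass, drop, reject, alert) to constructed sample packets, so you can see that a matching PASS rule wins even when a DROP rule would also match. The rule lines, the packet dictionaries and the helper names are all constructed for this demo; the option parser is a simplification (it does not handle a `;` inside a quoted `msg`).

```python
"""Check custom Suricata rules: parse them, find duplicate SIDs, and model
action-order evaluation (pass > drop > reject > alert). Constructed demo."""
import ipaddress
import re

# Suricata's default action-order, as set in suricata.yaml.
ACTION_ORDER = ("pass", "drop", "reject", "alert")

# Constructed sample rules; the first is the PASS rule from the thread.
RULES = [
    'pass ip 1.2.3.0/24 any <> any any (msg:"pass all traffic from/to 1.2.3.0/24"; sid:2000000;)',
    'alert tcp any any -> any 22 (msg:"SSH traffic seen"; sid:2000001; rev:1;)',
    'drop tcp any any -> 10.0.0.5 23 (msg:"block telnet to 10.0.0.5"; sid:2000002;)',
]

HEADER_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split a rule into header fields plus the sid and msg options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):  # simplification: no ';' inside msg
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["sid"] = int(opts["sid"])
    rule["msg"] = opts.get("msg", "")
    return rule


def check_unique_sids(rules):
    """Return the sorted list of SIDs that occur more than once."""
    seen, dups = set(), set()
    for r in rules:
        if r["sid"] in seen:
            dups.add(r["sid"])
        seen.add(r["sid"])
    return sorted(dups)


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header match; '<>' rules match in either direction, 'ip' matches any proto."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
           and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (_addr_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
           and _addr_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))
    return fwd or rev


def evaluate(rules, pkt):
    """Return (action, sid) of the first match walking ACTION_ORDER; PASS wins first."""
    for action in ACTION_ORDER:
        for r in rules:
            if r["action"] == action and rule_matches(r, pkt):
                return action, r["sid"]
    return "none", None


if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULES]
    print("duplicate SIDs:", check_unique_sids(rules))
    telnet_from_bypassed = {"proto": "tcp", "src": "1.2.3.10", "sport": 40000,
                            "dst": "10.0.0.5", "dport": 23}
    print("telnet from 1.2.3.10 ->", evaluate(rules, telnet_from_bypassed))
```

Run it as a script to see the verdicts; the telnet connection from 1.2.3.10 to 10.0.0.5 is reported as `pass` by SID 2000000 although the DROP rule for port 23 also matches, which is the behaviour the thread describes for PASS rules. Feed the script your own custom rules before saving them on the RULES tab and `check_unique_sids` will flag any SID you reused.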
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.