Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Suricata Config Advice for Multi VPN

    IDS/IPS
    2
    9
    133
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gwaitsi last edited by

      I watched the video from Lawrence Systems re configuring Suricata.

      In the video he recommends not setting configuring to use it on the WAN ports because of the noise generated and the default blocking that exists anyway.

      In my config, my pfsense is connected to a cable modem (used in a router config with internal 192.x).
      I have two VPN redundant connections out from the pfsense.

      I previously used snort on configured on the WAN and VPN connections (but not on the LAN/VLANs) and saw lots of blocking. Particularly from the internal network of the VPN provider, but also from the 192 modem and 192 pfsense addresses.

      Recently, i tried to config auto-dos on my netgear switches, but they keep shutting ports down connected to the wifi access points and my linux box. I had to disable this to remain functional.

      I am out the point to install Suricata with the objective to try and stop/find what is causing the auto-dos ports disablement and will add the LAN/VLANs.

      My question is;
      in view of the recommendation from lawrence,
      if i do not add the WAN interface, should i still add the OpenVPN interface, or treat that like the WAN and not include as well?

      cheers

      DaddyGo 1 Reply Last reply Reply Quote 0
      • DaddyGo
        DaddyGo @gwaitsi last edited by DaddyGo

        @gwaitsi said in Suricata Config Advice for Multi VPN:

        My question is;

        Hi,

        Use the package maintainer's recommendation @bmeeks (Snort / Suricata)
        https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2
        😉

        G 1 Reply Last reply Reply Quote 1
        • G
          gwaitsi @DaddyGo last edited by

          @daddygo thanks for that, i will follow that, but i am still unclear about how to handle the OpenVPN client connections to my provider.

          The WAN interface has the Block Bogon & Private Networks enabled.

          1. The VPN interface does not have Block Bogin & Private Networks enabled (should i have it enabled?)

          2. should enable suricate on the VPN interface (depending on answer to 1 - i guess)

          DaddyGo 1 Reply Last reply Reply Quote 0
          • DaddyGo
            DaddyGo @gwaitsi last edited by DaddyGo

            @gwaitsi

            Let's look at the answers in a row:

            Okay then you already understand that using WAN IPS is unnecessary in terms of IDS test maybe if you are a developer and you are looking at internet noise, etc.

            @gwaitsi "The WAN interface has the Block Bogon & Private Networks enabled."
            that's okay - Since this is the WAN interface, I think you also connect to the VPN provider through this

            The VPN (client) interface is NOT a WAN interface - it is best to use it as a gateway (GW)...
            in this case, you can "route" anything through it

            in my example:

            • I have an internal interface configured just for things going through the VPN (VPNPT) - GW ExpVPN interface (client)

            -I have an internal interface configured for things without VPN (LAN95), its gateway to the WAN DHCP to ISP

            -The original (LAN) interface is for internal management purposes only, on this I configure pfSense or with Remote OpenVPN (this is important)

            I show PRTSCs:

            919984e9-0793-48e4-8853-3e59d9f3737f-image.png

            cd85514a-4e41-4e21-83a4-10f3af3b14a6-image.png

            f36605f4-f035-4b1b-8359-6d869b675c78-image.png

            44b83eb1-dc49-4b2a-b006-4bdb201bb8c4-image.png

            and the Suricata:

            d1f69008-d48d-4f6d-a066-826fa4978fc0-image.png

            +++edit:
            with this, Suricata examine all traffic which passing through the VPNPT physical interface, regardless of what the upstream GW (ISP or VPN) is

            G 1 Reply Last reply Reply Quote 0
            • G
              gwaitsi @DaddyGo last edited by

              @daddygo thanks, super example - i'm also using Express ;-)

              Only difference is, i route all traffic over the VPN and bypass by exception and i have enabled block bogons on the VPN.

              So, now i just need to tune for a week or so and then switch on blocking.

              last question if i may.

              my cable modem has the option to switch from "routing" to "modem" state.
              In either case, devices connected to the 4 LAN ports work.

              In modem state, they obtain and address from the ISP. 17x.
              In router state, they obtain a 192.x address.

              I tried switch to modem state, but then had no internet from pfsense.
              I will connect a 2nd ISP to the pfsense.

              Is it better to connect both in modem state, or using the routing state?

              DaddyGo 1 Reply Last reply Reply Quote 0
              • DaddyGo
                DaddyGo @gwaitsi last edited by DaddyGo

                @gwaitsi said in Suricata Config Advice for Multi VPN:

                my cable modem has the option to switch from "routing" to "modem" state.

                I strongly recommend the modem mode (alias bridge), then you can avoid the double NAT problem

                see your ISP's description for what to use on your WAN in "bridge" mode
                usually it is DHCP

                however, after switching to bridge mode, unplug your (from eletricity - power cycle) ISP CPE for a 30-minute period, this will help

                +++edit:
                @gwaitsi "by exception and i have enabled block bogons on the VPN."
                this is completely unnecessary and can cause problems as it has already happened on the WAN interface
                the top upstream is the WAN

                you can see that the VPN IP on the pfSense is an internal range (private) - RFC1918 10.x.y.z

                G 2 Replies Last reply Reply Quote 0
                • G
                  gwaitsi @DaddyGo last edited by

                  @daddygo awesome. thanks for the advice. will try switching to bridge again tonight.

                  1 Reply Last reply Reply Quote 0
                  • G
                    gwaitsi @DaddyGo last edited by gwaitsi

                    @daddygo FYI

                    • i created an interface for the LAN and all my VLANs.
                    • I noticed all the alerts appear on both the VLAN and the LAN interfaces,
                      so it looks like it is not necessary to have one for the VLANs.

                    I disabled a couple of the VLANs and i see the alerts for their dst IPs is being caught in the LAN (Lagg interface to he main switch)

                    DaddyGo 1 Reply Last reply Reply Quote 0
                    • DaddyGo
                      DaddyGo @gwaitsi last edited by

                      @gwaitsi said in Suricata Config Advice for Multi VPN:

                      I noticed all the alerts appear on both the VLAN and the LAN interfaces,

                      this of course works like,.... because the parent interface is the LAN 😉

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post

                      Products

                      • Platform Overview
                      • TNSR
                      • pfSense Plus
                      • Appliances

                      Services

                      • Training
                      • Professional Services

                      Support

                      • Subscription Plans
                      • Contact Support
                      • Product Lifecycle
                      • Documentation

                      News

                      • Media Coverage
                      • Press
                      • Events

                      Resources

                      • Blog
                      • FAQ
                      • Find a Partner
                      • Resource Library
                      • Security Information

                      Company

                      • About Us
                      • Careers
                      • Partners
                      • Contact Us
                      • Legal
                      Our Mission

                      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                      Subscribe to our Newsletter

                      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                      © 2021 Rubicon Communications, LLC | Privacy Policy