Netgate Discussion Forum

    pfSense for Suricata only

    IDS/IPS
    7 Posts 4 Posters 2.3k Views
    hsid

      Hi everyone, I'm new to both Suricata and pfSense and am looking to set up Suricata for IDS only. I have an existing Cisco ASA firewall, so I do not need pfSense for any routing or firewall functions. Because Suricata does not come with a front-end GUI by default, I wanted to use pfSense for management of Suricata only.

      My question is regarding the LAN setup of pfSense. I have given pfSense an IP on an existing VLAN in my network and also entered the default gateway for the VLAN, which is managed by the ASA. I am able to connect to the management interface; however, I noticed that it appears pfSense created a gateway, which was not my intention. For example, if the gateway for the VLAN on the ASA is 10.1.200.1, when I entered this gateway on the pfSense, it appears to have also created a gateway with the exact same IP. The only reason I wanted a gateway assigned to this interface is so I can access the GUI.

      If I turn the gateway feature off then I can no longer access the GUI, but my fear is that leaving it on means that both pfSense and the ASA are broadcasting the 10.1.200.1 gateway. Wondering if anyone has any insight on this setup.

      Thanks,
      Hardy

        NollipfSense @hsid

        @hsid Actually, you don't need pfSense to run Suricata as Windows, MacOS, Linux, etc, all do ... https://suricata-ids.org/features/all-features/
        You could make pfSense your primary firewall and make that Cisco secondary since it doesn't fulfill all your needs.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          hsid @NollipfSense

          @nollipfsense Thanks so much for your response. I actually did have the Linux version set up on Ubuntu, and it was actually quite easy to set up; however, I was looking for something just a bit more user friendly. Tuning the rules will take a while; however, my main focus is to ensure the logs get output to the right place and I can set up email alerts for suspected threats. I am looking for this system to function as an IDS only.

          If there are any guides or docs that you can recommend that would help me pull some of this data and put it into a logging server that would be great. Also do you have any experience using the Windows version?

          Cheers,
          Hardy

            NollipfSense @hsid
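The post above asks how to get Suricata's logs into a logging server and raise email alerts only for the suspected threats. Suricata's standard log output is EVE JSON (one JSON object per line, with `event_type` set to `alert` for rule hits and a nested `alert` object carrying `signature_id`, `signature`, `category` and `severity`, where 1 is the most severe). The script below is an added example, not code from the thread or from the Suricata or pfSense projects: it reads EVE lines, drops non-alert events and any truncated or malformed line, renders each alert as a compact syslog-style line for a log server, and builds an email message only for alerts at or above a chosen severity. The EVE lines, signature IDs and addresses in `SAMPLE_EVE` are constructed sample values, and the mail addresses are placeholders; the message is built but not sent.

```python
"""Triage Suricata EVE JSON alerts for a log server and e-mail notification.

Added example for the thread; assumes Suricata's default EVE JSON output
(one event per line, event_type "alert" for IDS hits). Sample data below
is constructed and the e-mail addresses are placeholders.
"""
import json
from email.message import EmailMessage

# Constructed EVE lines: a severity-2 alert, a flow record (not an alert),
# a severity-3 alert, and a truncated line such as a rotated file may leave.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T12:00:00.000000+0000","event_type":"alert","src_ip":"10.1.200.55","src_port":51234,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"SAMPLE ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T12:00:01.000000+0000","event_type":"flow","src_ip":"10.1.200.55","dest_ip":"198.51.100.10","proto":"TCP"}
{"timestamp":"2024-01-01T12:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":4444,"dest_ip":"10.1.200.20","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"SAMPLE SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":3}}
{"timestamp":"2024-01-01T12:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7"
"""


def parse_eve(text):
    """Return only the alert records from EVE JSON text.

    Non-alert event types (flow, dns, http, ...) are skipped, as are lines
    that do not parse, so a partially written trailing line does not abort
    the whole batch.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts


def needs_email(event, max_severity=2):
    """Suricata severity runs 1 (highest) to 4; notify only on the top levels."""
    return event["alert"].get("severity", 4) <= max_severity


def to_syslog_line(event):
    """Render one alert as a single key=value line suitable for a log server."""
    a = event["alert"]
    return (
        f"suricata-alert ts={event['timestamp']} sid={a['signature_id']} "
        f"sev={a['severity']} src={event['src_ip']}:{event.get('src_port', '')} "
        f"dst={event['dest_ip']}:{event.get('dest_port', '')} "
        f"proto={event.get('proto', '')} msg=\"{a['signature']}\""
    )


def build_email(events, sender="suricata@example.invalid", recipient="soc@example.invalid"):
    """Build (not send) one digest message for the alerts that warrant e-mail."""
    msg = EmailMessage()
    msg["From"] = sender  # placeholder address
    msg["To"] = recipient  # placeholder address
    msg["Subject"] = f"[Suricata] {len(events)} high-severity alert(s)"
    msg.set_content("\n".join(to_syslog_line(e) for e in events) + "\n")
    return msg


def triage(text, max_severity=2):
    """Return (syslog lines for every alert, alerts that should be e-mailed)."""
    alerts = parse_eve(text)
    syslog_lines = [to_syslog_line(e) for e in alerts]
    urgent = [e for e in alerts if needs_email(e, max_severity)]
    return syslog_lines, urgent


if __name__ == "__main__":
    lines, urgent = triage(SAMPLE_EVE)
    for line in lines:
        print(line)  # in practice: forward to syslog / the log server
    if urgent:
        print(build_email(urgent))  # in practice: hand to an SMTP client
```

Every alert goes to the log server, while the email path is gated on severity so that noisy low-severity rules (the "constant tuning" mentioned later in the thread) do not turn into mail floods; the threshold is the one knob to adjust once the rule set has been tuned.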

            @hsid I am a Mac person so that tells you about me and Windows. I was like you in that I had a firewall set up already (Mikrotik) before discovering pfSense. I quickly gravitated to pfSense because of IDS/IPS and the ease in its implementation. Then discovered pfBlockerNG.

            So, what I did was to implement both systems with pfSense as my edge router and Mikrotik as my LAN king. I use pfSense for IDS/IPS as well as DNS while the Mikrotik does DHCP. My system is the modem > pfSense > Mikrotik > switch > clients ... even double-NATed, no problem. Also, I even run both IDS/IPS with Suricata on WAN as well as Snort on LAN, no problem, but with a different rule set for each. This is not recommended by the package maintainer or the developers, as a disclaimer. It works for me very well though.

            I think putting your pfSense box at the edge would complement your network nicely and give you the features you want. Just a little warning: it takes a little while to understand the IDS/IPS rules in order to mitigate the false positives. It's not a set up and leave ... it's a constant tuning.


              hsid

              That may not be a bad idea either, putting it on the edge and acting as an IDS only. I'll think about that one, but in the meantime I think I'll move forward with standalone Suricata IDS for Linux.

              Thanks again!

                Gertjan @hsid

                @hsid said in pfSense for Suricata only:

                with standalone Suricata IDS

                Read this: https://forum.netgate.com/topic/163732/anti-virus-anti-malware-without-proxy/3?_=1620969717433

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit: and where are the logs??

                  dl_lars @hsid

                  @hsid

                  Can you share your setup for the Modem - pfSense - Switch - Clients?

                  In my setup, I have the pfSense currently just for testing pfBlockerNG and Suricata.

                  Mikrotik has the DNS and DHCP; this can stay as is. Without double NAT.

                  Switch has the VLANs set up as a router on a stick to the Mikrotik.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.