Netgate Discussion Forum
    Blocking OpenappID only on VLAN?

Category: IDS/IPS
9 Posts, 2 Posters, 947 Views
killmasta93:

Hi,
I was wondering if someone else has had this issue before. Currently I have a VLAN where I need to block a few websites using OpenAppID. But what I noticed is that once I enable it on the VLAN, it also affects the LAN. What I did notice is that there is a part that says

Choose the Networks Snort Should Inspect and Whitelist

but I can't seem to figure out how to edit that part. I'm guessing it's adding the home net as the LAN instead of leaving only the VLAN.

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials


bmeeks:

        Snort runs on the physical interface (so the VLAN parent). That means it will always see all traffic on the physical interface (and so all VLANs running on that parent). You can't separate them out.


killmasta93 (replying to bmeeks):

@bmeeks
Thanks for the reply, I did not know that. Is it possible to whitelist the LAN so it won't get blocked?
Thank you


bmeeks (replying to killmasta93):

@killmasta93 said in Blocking OpenappID only on VLAN?:

> @bmeeks
> Thanks for the reply, I did not know that. Is it possible to whitelist the LAN so it won't get blocked?
> Thank you

Your LAN hosts themselves should not be getting blocked. All locally-attached interfaces on the firewall are automatically added to the default Pass List (or whitelist, to use the more common term outside of the pfSense package). External hosts that a LAN host communicates with can get blocked, though. And with one end of the conversation blocked, that ends all traffic to and from that external host.

If you are experiencing actual blocks of internal LAN hosts (meaning the internal hosts' IP addresses are showing up on the BLOCKS tab), then you have a configuration problem.


killmasta93 (replying to bmeeks):

@bmeeks Thanks for the reply. The internal hosts do not appear on the alerts tab; only the external IPs, such as Facebook, appear, but it affects the LAN, which should only be applied on the VLAN.

Currently it's off right now because users were complaining.

[attached screenshot]


bmeeks:

                The OpenAppID part of Snort is best used with Inline IPS Mode. But you need NICs that are supported by netmap via the new iflib wrapper in FreeBSD 12. If you have such a NIC, then I would advise you to switch over to Inline IPS Mode and use the SID MGMT tab features to selectively set some rules to DROP and leave others at ALERT.

                Legacy Mode blocking is really too big of a "hammer" to use for policing workplace policy things like social media usage. Legacy Mode blocks IP addresses completely, and that can break a lot of stuff. Inline IPS Mode selectively drops only individual packets. It does not permanently block anything. So Inline IPS Mode would drop all packets that are related to WhatsApp, but not block other traffic even if it was to the same external host IP.

                Your problem is further complicated by using VLANs. Snort is not able to differentiate the various IP subnets on the VLANs because it runs at the physical (parent) interface level and sees all traffic on the wire.

                Why are you using OpenAppID anyway? Do you want to actively block social media stuff, or do you just want to know if it is traversing your network?

                If you don't care about social media traffic on your network, just turn off OpenAppID because you don't need it if you don't want to block such traffic. If you just want to monitor for such traffic, but not block it, then you must either turn off blocking completely, or use Inline IPS Mode with a compatible NIC and use SID MGMT conf files to set the action for rules you wish to actually block stuff from ALERT to DROP. You would leave the OpenAppID rules set for ALERT, so they just log alerts but don't block traffic.

If you do want to block the traffic, then you will find Inline IPS Mode is better suited for OpenAppID. That's because Inline IPS Mode can filter individual packets without needing to block every single thing to the external host IP.


killmasta93 (replying to bmeeks):
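To make concrete what "set some rules to DROP and leave others at ALERT" means at the rule level, here is an added example (not code from the pfSense Snort package or from this thread). In Inline IPS Mode only rules whose action is `drop` discard packets; `alert` rules only log. The sample rules, SIDs and the `appid` values are constructed, and the comma-separated `gid:sid` list is modelled on the style of the package's SID MGMT conf files; this script is an illustration of the effect, not the package's own parser.

```shell
#!/bin/sh
# Added example: rewrite "alert" to "drop" for a chosen set of SIDs so that,
# in Inline IPS Mode, only those rules drop packets while the rest keep logging.

# Constructed sample rules (made-up SIDs; not real Snort/OpenAppID rules).
SAMPLE_RULES='alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT WhatsApp"; appid:whatsapp; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Facebook"; appid:facebook; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Google"; appid:google; sid:9000003; rev:1;)
# comment lines and blank lines pass through untouched
'

# set_drop_action RULES_FILE SID_LIST
#   SID_LIST is comma separated "gid:sid" entries, e.g. "1:9000001,1:9000002"
#   (assumed format, modelled on the package's SID MGMT conf style).
#   Rules without an explicit gid are treated as gid 1, as Snort does.
#   Output is the rewritten rule set on stdout.
set_drop_action() {
    rules_file=$1
    sid_list=$2
    awk -v want="$sid_list" '
        BEGIN {
            n = split(want, arr, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", arr[i]); drop[arr[i]] = 1 }
        }
        /^[ \t]*alert[ \t]/ {
            gid = 1; sid = ""
            if (match($0, /gid:[0-9]+;/)) gid = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /sid:[0-9]+;/)) sid = substr($0, RSTART + 4, RLENGTH - 5)
            if (sid != "" && ((gid ":" sid) in drop)) sub(/^[ \t]*alert/, "drop")
        }
        { print }
    ' "$rules_file"
}

# count_action FILE ACTION -> number of rules whose action is ACTION
count_action() {
    grep -c "^$2 " "$1" || true
}

# Demo on the constructed sample: drop the two social-media SIDs, keep the third at alert.
tmp=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$tmp"
set_drop_action "$tmp" "1:9000001,1:9000002"
rm -f "$tmp"
```

In the pfSense GUI the same selection is made on the SID MGMT tab by assigning a drop-SID conf file to the interface rather than by editing rule files by hand; the point of the script is to show that the choice is per rule, so the Google rule above still fires alerts while only the WhatsApp and Facebook packets are dropped.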

@bmeeks
Thanks for the reply. Currently I need to block social networks on the VLAN, which only connects mobile devices. On my LAN I run WPAD, SquidGuard and Squid, so I have no issue there, but not all mobiles have the auto-detect feature, which is why I thought Snort could apply to this.
How could I check if the NIC has iflib? It's currently on a Dell R720 virtualized on Proxmox.


bmeeks (replying to killmasta93):

@killmasta93 said in Blocking OpenappID only on VLAN?:

> @bmeeks
> Thanks for the reply. Currently I need to block social networks on the VLAN, which only connects mobile devices. On my LAN I run WPAD, SquidGuard and Squid, so I have no issue there, but not all mobiles have the auto-detect feature, which is why I thought Snort could apply to this.
> How could I check if the NIC has iflib? It's currently on a Dell R720 virtualized on Proxmox.

                    If your NIC driver is one of the following, then it will support Inline IPS Mode:

                    'cc', 'cxl', 'cxgbe', 'em', 'igb', 'em', 'lem', 'ix', 'ixgbe', 'ixl', 're', 'vtnet', 'ena', 'ice', 'bnxt', 'vmx'

killmasta93 (replying to bmeeks):
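As an added example (not from this thread or the pfSense Snort package), the following POSIX sh script answers the "how could I check" question against the driver list above: it strips the unit number from an interface name to get the driver family and looks it up. Snort binds to the physical parent, so a VLAN name in pfSense's `parent.tag` form (e.g. `vtnet0.20`) is mapped to its parent first; that naming and the sample interface names are assumptions, and the driver list is copied from the post.

```shell
#!/bin/sh
# Added example: tell whether an interface's driver is in the iflib/netmap
# family list that Inline IPS Mode needs. List copied from the post above.
IFLIB_DRIVERS="cc cxl cxgbe em igb lem ix ixgbe ixl re vtnet ena ice bnxt vmx"

# parent_of IFNAME -> physical parent (drops a ".<vlan-tag>" suffix, assumed
# pfSense-style VLAN naming such as vtnet0.20)
parent_of() {
    printf '%s\n' "$1" | sed 's/\..*$//'
}

# driver_of IFNAME -> driver family, i.e. the parent name minus its unit number
driver_of() {
    parent_of "$1" | sed 's/[0-9]*$//'
}

# inline_ips_capable IFNAME -> exit 0 if the driver family is in the list, else 1
inline_ips_capable() {
    drv=$(driver_of "$1")
    for d in $IFLIB_DRIVERS; do
        [ "$d" = "$drv" ] && return 0
    done
    return 1
}

# report IFNAME... -> one verdict line per interface
report() {
    for ifn in "$@"; do
        if inline_ips_capable "$ifn"; then
            printf '%s (%s): Inline IPS Mode supported\n' "$ifn" "$(driver_of "$ifn")"
        else
            printf '%s (%s): Legacy Mode only\n' "$ifn" "$(driver_of "$ifn")"
        fi
    done
}

# Constructed sample interface names; on the firewall itself you would run:
#   report $(ifconfig -l)
report vtnet0 vtnet0.20 igb3 bge0
```

The VLAN line in the sample reports the same verdict as its parent, which is the point of bmeeks' earlier reply: the mode is a property of the physical interface, not of the VLAN on top of it. Drivers outside the list (such as `bge` in the sample) can still run Snort in Legacy Mode.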

@bmeeks
Thanks for the reply, I believe I have vtnet,
but in theory it's pointless to try it out because blocking social networks on the VLAN would also block them on my LAN.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.