NAT vs open port on WAN for VPN on pfSense
-
This post is deleted!
-
I realized I was misusing terminology, so I rewrote the post to be clearer. If a mod wants to delete my original post I can just repost the topic.
Thanks
Let's suppose I have a VPN service running on the pfSense box itself. As far as IDS/IPS analysis goes, is there a fundamental difference between opening a WAN port for the service and forwarding the port to the router IP?
I have Snort running on both WAN and LAN, and get a lot of alerts for things that are blocked, port scans, etc. I was thinking I wanted to limit it to just running Snort on LAN, but I worry that I will miss an opportunity to catch potentially malicious inbound traffic that is directed at the open ports. For services that run on my virtualization servers and get port-forwarded connections, I get Snort alerts on the LAN side, and I was wondering whether this would occur if I forward the ports for services running on pfSense, or whether the router will treat port forwarding to itself identically to just opening a WAN port.
Thanks in advance.
-
@efny General advice is to run Snort on LAN. On WAN it runs outside the firewall, so it will scan all inbound packets even if they will be dropped.
pfSense can NAT to its LAN IP. On WAN one would just allow the connection.
If you're asking whether a NAT rule to itself is subject to Snort, I suspect not, since Snort runs outside the firewall.
What are you exposing on pfSense, the VPN? Can it be limited by source IP or dyndns hostname?
-
@steveits
Thanks for the reply. Let me try to clarify.
Let's suppose I want to expose port 11111 for a service that runs on the firewall, which has a LAN IP of 192.168.1.1.
Do scenarios A and B differ as far as analysis by the IDS goes?
A) WAN 11111 (open)
B) WAN 11111 port forwarded to LAN 192.168.1.1:11111
I have some GeoIP considerations as well, in terms of deliberately only opening the port to certain IP ranges using pfBlockerNG GeoIP.
Thanks.
-
@efny Either way works. Listening on WAN is a bit less complicated. Either type of rule can have a source alias.
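The two points raised in this thread (WAN-side Snort alerting on packets the firewall drops anyway, and whether a port 11111 pass rule or NAT-to-self differs for the IDS) can be checked against alert logs rather than guessed at. The following is an added example, not code from this thread or from the pfSense/Snort projects. It parses constructed Snort `alert_fast`-style lines, labels each WAN-side alert as traffic the firewall would have passed or dropped under a pass rule for UDP/11111 restricted to a source alias (the ranges 198.51.100.0/24, 192.0.2.10 and 203.0.113.0/24 are documentation addresses, constructed for the example), and models where a packet can be captured: traffic terminating on the firewall itself is assumed to be visible only on WAN, since it is never transmitted out the LAN interface, while traffic forwarded to a LAN host is visible on both. The rule SIDs, messages and hosts are constructed.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Snort "alert_fast" line layout (IPv4 with ports, i.e. TCP/UDP alerts).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_alert(line):
    """Return an Alert for a well-formed alert_fast line, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["proto"], m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]))

@dataclass(frozen=True)
class PassRule:
    """A WAN pass rule: protocol, destination port, allowed source networks
    (empty tuple means any source, i.e. no source alias on the rule)."""
    proto: str
    dport: int
    sources: tuple

    def matches(self, a):
        if a.proto != self.proto or a.dport != self.dport:
            return False
        if not self.sources:
            return True
        ip = ipaddress.ip_address(a.src)
        return any(ip in net for net in self.sources)

def classify_wan_alert(alert, rules):
    """Snort on WAN inspects before pf filters, so an alert on traffic no
    pass rule accepts is for a packet the firewall drops anyway."""
    if any(r.matches(alert) for r in rules):
        return "passed-by-firewall"
    return "dropped-by-firewall"

def capture_points(dst_ip, firewall_ips):
    """Modelling assumption: packets delivered to the firewall itself (open
    WAN port or NAT to its own LAN IP) never cross the LAN interface, so
    only WAN-side Snort can see them; forwards to LAN hosts cross both."""
    return {"WAN"} if dst_ip in firewall_ips else {"WAN", "LAN"}

def triage(lines, iface, rules):
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            counts["unparsed"] += 1
        elif iface == "WAN":
            counts[classify_wan_alert(a, rules)] += 1
        else:
            # LAN-side alerts are for traffic that already passed pf
            # (or that originated on the LAN side).
            counts["seen-on-LAN"] += 1
    return counts

# Constructed sample alerts (not real log data). SIDs >= 1000000 are in
# the local-rule range; the messages are made up for the example.
WAN_ALERT_LINES = [
    "03/14-10:22:01.123456  [**] [1:9000001:1] LOCAL scan of closed port 3306 [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:3306",
    "03/14-10:22:05.000001  [**] [1:9000002:1] LOCAL probe of VPN port 11111 [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.45:40000 -> 192.0.2.10:11111",
    "03/14-10:23:11.777777  [**] [1:9000002:1] LOCAL probe of VPN port 11111 [**] "
    "[Priority: 2] {UDP} 198.51.100.20:40001 -> 192.0.2.10:11111",
]
LAN_ALERT_LINES = [
    "03/14-10:24:00.000000  [**] [1:9000003:1] LOCAL inbound to forwarded web service [**] "
    "[Priority: 3] {TCP} 198.51.100.20:50000 -> 192.168.1.50:8443",
]
# Pass rule for the VPN port, limited to an allowed source range (the alias).
WAN_RULES = [PassRule("UDP", 11111, (ipaddress.ip_network("198.51.100.0/24"),))]
FIREWALL_IPS = {"192.0.2.10", "192.168.1.1"}

if __name__ == "__main__":
    print("WAN:", dict(triage(WAN_ALERT_LINES, "WAN", WAN_RULES)))
    print("LAN:", dict(triage(LAN_ALERT_LINES, "LAN", WAN_RULES)))
    print("VPN on firewall visible on:", capture_points("192.168.1.1", FIREWALL_IPS))
```

Run against real `alert` files from `/var/log/snort/` on a pfSense box, the WAN-side split shows how much of the WAN alert volume is noise about packets the firewall never lets in, which is the practical argument for running Snort on LAN; the source alias on the pass rule narrows the "passed" bucket the same way whether the rule is a plain WAN pass or a NAT to the firewall's own IP.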