Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    suricata on wan interface question

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    4
    423
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jc1976
      last edited by jc1976

      Hey all,

      Up until recently i've had suricata scanning the LAN interface because i never had any services that required me to open and WAN ports (so why bother generating all the useless noise?).

      I've got plex server installed on my nas and set up the plex client on the tvs/rokus of my gf, brother, parents, family's homes so they can watch from within their homes.

      i enabled the UPNP service in pfsense and all works perfectly.
      i download ONLY.. get the media via nzbget, render it, and send it to my nas all from within my humble network at home.

      here's my question:
      since i'm not uploading anything to my nas remotely, and the media stream is outbound ONLY, should i have suricata scanning the WAN interface as well? seems to me that since the data stream is outbound only i wouldn't have to.. but i'm not sure so that's why i ask you experts!

      Thanks!!

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @jc1976
        last edited by

        @jc1976 Scanning on LAN will also scan outbound traffic. Best practice is to run it on LAN. (and other internal interfaces, if you have more, except VLANs because the Suricata parent interface will see all VLAN traffic).

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        J 1 Reply Last reply Reply Quote 0
        • J
          jc1976 @SteveITS
          last edited by jc1976

          @steveits ok thanks!!

          in what situation would i enable suricata on the WAN interface? i guess if i was running a server where i (or anyone) could upload files to.. right?

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @jc1976
            last edited by

            @jc1976 There was a thread in recent weeks. IIRC one scenario was when the router had lots of internal interfaces, so running once on WAN was better than running 10-20 instances.

            It runs outside the firewall so on WAN it will end up scanning packets that will be dropped by the firewall. Also it cannot identify the LAN IP since it can only see the NATted WAN IP.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 1
            • First post
              Last post