Force snort to use specific WAN interface to update signatures
-
@digitalmg Hi, yes, I agree my suggestion doesn't work in this case. I no longer run a two-WAN setup so I can't give you the exact configuration I used, but having thought a bit about possible solutions I might have used static routes. In System / Routing / Static Routes you can specify your sites' alias as the Destination Network and then the Gateway of choice. All traffic to those sites will of course go through that gateway, not just Snort updates, but for me that was an acceptable compromise.
-
Yes, you can't policy route traffic from the firewall itself like that. It never passes the LAN-side firewall rule.
It always uses the system routing table so usually that would be the default route. You can add static routes via one of the gateways for a particular destination.
Otherwise you would need Snort to bind to one of the WAN addresses but I don't think you can do that.
Steve
-
@stephenw10
Hello
The same problem applies to the Squid module.
Any interface I choose as the outgoing interface is actually ignored by Squid.
What about this?
-
@pst
Hi
Your solution solved my Snort update problem.
It works fine now.
Thanks a lot. Do you have any idea about the Squid module on pfSense?
Why does it not follow the outgoing interface settings?
-
@digitalmg said in Force snort to use specific WAN interface to update signatures:
Any interface I choose for outgoing interface is actually ignored by Squid.
That should work. Do you see it added to the conf file in /usr/local/etc/squid/squid.conf ?
-
@stephenw10
Yeah, it does:
tcp_outgoing_address 172.16.10.46
It is my desired WAN IP address, but the traffic is routed out via another WAN interface IP, which is the same as the pfSense outbound NAT rule with a source of This Firewall (self).
Any idea?!
-
You should not have an outbound NAT rule for traffic from the firewall itself.
Are you using OBN in manual mode? The auto mode rules don't do that.
-
@stephenw10
I use AON - Advanced Outbound NAT.
I have to set NAT for This Firewall to be able to monitor my main WAN interface.
As my public IP addresses are defined as IP Aliases and my WAN interface is assigned a static invalid IP address, pfSense cannot check the connection status via the defined monitoring IP, which is 4.2.2.4.
-
Then you should set something much more limited that catches only that traffic, or at least only traffic from that private IP on that interface.
Anything that gets caught by that rule will be sent out of that WAN, and 'this firewall' includes any other WAN IPs.
-
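For readers who want to see what the two outbound NAT rules discussed above look like at the pf level, here is an added illustration in pf.conf syntax. It is not taken from the thread or from pfSense's generated rules, and every concrete value is assumed: WAN1 is em0 carrying the private static address 192.168.100.2, the public address is an IP Alias 203.0.113.10, the second WAN carries 172.16.10.46 (the only address the thread actually names), and the gateway monitor target is 4.2.2.4 as stated in the thread. In the pfSense GUI the narrow rule corresponds to an outbound NAT entry on WAN with Source set to the WAN's private /32, Destination set to the monitor IP /32, and Translation set to the public alias.

```pf
# Added example, not from the original post. All addresses and the interface
# name are assumptions for illustration.
wan1         = "em0"
wan1_private = "192.168.100.2"   # assumed: static private address on WAN1
wan1_public  = "203.0.113.10"    # assumed: IP Alias holding the real public IP
monitor_ip   = "4.2.2.4"         # gateway monitor target named in the thread

# Too broad. "(self)" expands to every address the firewall owns, so a packet
# that Squid sourced from the second WAN's 172.16.10.46 but that the routing
# table sends out via em0 is also rewritten to WAN1's public address.
# nat on $wan1 inet from (self) to any -> $wan1_public

# Narrow. Only the dpinger probes from WAN1's own private address to the
# monitor IP are translated; everything else the firewall originates keeps
# its chosen source address.
nat on $wan1 inet from $wan1_private to $monitor_ip -> $wan1_public
```

The narrow rule is the smallest match that still lets the gateway monitor reach 4.2.2.4 from a WAN whose interface address is private; if other firewall-originated traffic must also leave WAN1 with the public alias as source, add it as separate, equally specific rules rather than reverting to `(self) to any`.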
@stephenw10
Thanks a lot.
It is working properly now!
You saved me.