Force snort to use specific WAN interface to update signatures
-
Hello
I need to force Snort to download signature updates through a specific WAN interface and IP address, while other packages and pfSense general settings are not affected.
Is there any way to do this?
-
@digitalmg I had the same problem and found a solution somewhere in the forum that looked something like this
- create an alias FORCE_TO_WAN containing the domains that you want to force to use the WAN interface
- create a firewall rule on the LAN interface with Destination = alias FORCE_TO_WAN, and Gateway = WAN
That's all that's required I think.
-
@pst
Hello
I have added websites below before:
snort.org
rules.emergingthreats.net
files.netgate.com
snort-org-site.s3.amazonaws.com
But that applies to the LAN interface, and pfSense does not use LAN interface rules when updating Snort.
This is not working for me and I'm wondering if it works for you!
-
@digitalmg It can't, and there is no way I am aware of.
-
@digitalmg Hi, yes I agree my suggestion doesn't work in this case. I no longer run a two-WAN setup so I can't give you the exact configuration I used, but having thought a bit about possible solutions I might have used static routes. In System / Routing / Static Routes you can specify your sites alias for Destination Network and then the Gateway of choice. All traffic to those sites will of course go through that gateway, not just Snort updates, but for me that was an acceptable compromise.
-
Yes, you can't policy route traffic from the firewall itself like that. It never passes the LAN side firewall rule.
It always uses the system routing table so usually that would be the default route. You can add static routes via one of the gateways for a particular destination.
Otherwise you would need Snort to bind to one of the WAN addresses but I don't think you can do that.
Steve
-
@stephenw10
Hello
Same problem goes for Squid module.
Any interface I choose for outgoing interface is actually ignored by Squid.
What about this?
-
@pst
Hi
Your solution solved my snort update problem.
It works fine by now.
Thanks a lot. Do you have any idea about the Squid module on pfSense?
Why does it not follow the outgoing interface settings?
-
@digitalmg said in Force snort to use specific WAN interface to update signatures:
Any interface I choose for outgoing interface is actually ignored by Squid.
That should work. Do you see it added to the conf file in /usr/local/etc/squid/squid.conf ?
-
@stephenw10
Yeah it does
tcp_outgoing_address 172.16.10.46
It is my desired WAN IP address, but traffic is routed through another WAN interface IP, which is the same as the pfSense outbound NAT rule with source This Firewall (self).
Any idea?!
-
You should not have an outbound NAT rule for traffic from the firewall itself.
Are you using OBN in manual mode? The auto mode rules don't do that.
-
@stephenw10
I use AON - Advanced Outbound NAT.
I have to set NAT for This Firewall to be able to monitor my main WAN Interface.
As my public IP addresses are defined as IP aliases and my WAN interface is assigned a static invalid IP address, pfSense cannot check the connection status using the defined monitoring IP, which is 4.2.2.4.
-
Then you should set something much more limited that catches only that traffic. Or at least only traffic from that private IP on that interface.
Anything that gets caught by that rule will be sent out of that WAN, and 'this firewall' includes any other WAN IPs.
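The two points Steve makes in this thread (firewall-originated traffic follows the system routing table rather than LAN rules, and Squid's tcp_outgoing_address only picks the source address, so the packet can still leave via a different WAN and be caught by a broad outbound NAT rule) can be checked offline with a small simulation. The script below is an added example, not code from the thread or from pfSense; the routing-table rows, the squid.conf fragment, the interface names and all IP addresses are constructed for illustration, and the longest-prefix lookup is a simplified model of what the FreeBSD kernel does for locally generated packets.

```python
"""Added example (not from the forum thread or pfSense): model which gateway
and interface the firewall itself would use for Snort rule downloads or Squid
fetches, before and after adding a static route, and flag a Squid
tcp_outgoing_address whose interface does not match the egress interface.
Every address, interface name and routing-table row is constructed."""
import ipaddress

# Constructed IPv4 routing table in `netstat -rn` style:
# destination, gateway, flags, interface.  em0 is the primary WAN holding the
# default route, em1 the second WAN with a private static address (as in the
# thread), em2 the LAN.
ROUTING_TABLE = """\
default             203.0.113.1     UGS    em0
172.16.10.0/24      link#2          U      em1
192.168.1.0/24      link#3          U      em2
"""

# Constructed squid.conf fragment with the outgoing address from the thread.
SQUID_CONF = """\
http_port 127.0.0.1:3128
tcp_outgoing_address 172.16.10.46
"""

# Constructed addresses standing in for the hosts in the FORCE_TO_WAN alias.
UPDATE_HOSTS = {
    "snort.org": "198.51.100.20",
    "rules.emergingthreats.net": "198.51.100.77",
}


def parse_routes(text):
    """Turn netstat-style rows into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, _flags, iface = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # netstat prints host routes without a /32 suffix
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the only thing locally generated traffic obeys."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gateway, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def add_static_route(routes, host, gateway, iface):
    """Equivalent of System / Routing / Static Routes: a /32 via one gateway."""
    routes.append((ipaddress.ip_network(host + "/32"), gateway, iface))


def gateways_for_updates(routes):
    """Map each update host to the gateway the firewall would actually use."""
    return {name: lookup(routes, ip)[1] for name, ip in UPDATE_HOSTS.items()}


def squid_outgoing_address(conf_text):
    """Return the tcp_outgoing_address from a squid.conf, or None if unset."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "tcp_outgoing_address":
            return parts[1]
    return None


def interface_owning(routes, addr):
    """Interface whose directly connected network (link# gateway) holds addr."""
    ip = ipaddress.ip_address(addr)
    for net, gateway, iface in routes:
        if gateway.startswith("link#") and ip in net:
            return iface
    return None


def check_squid_egress(conf_text, routes, dest_ip):
    """Compare the interface of Squid's source address with the real egress.
    A mismatch is exactly the case in the thread: the packet leaves via the
    default-route WAN and a broad 'This Firewall' outbound NAT rule rewrites it."""
    src = squid_outgoing_address(conf_text)
    _net, gateway, egress = lookup(routes, dest_ip)
    src_iface = interface_owning(routes, src) if src else None
    return {"source": src, "source_iface": src_iface,
            "gateway": gateway, "egress_iface": egress,
            "consistent": src_iface == egress}


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    print("before static routes:", gateways_for_updates(routes))
    print("squid egress before :", check_squid_egress(SQUID_CONF, routes, "198.51.100.20"))
    for ip in UPDATE_HOSTS.values():
        add_static_route(routes, ip, "172.16.10.1", "em1")
    print("after static routes: ", gateways_for_updates(routes))
    print("squid egress after  :", check_squid_egress(SQUID_CONF, routes, "198.51.100.20"))
```

Run against a real box you would replace the constructed constants with the output of `netstat -rn -f inet` and the contents of /usr/local/etc/squid/squid.conf; the `consistent` flag going from False to True after the static routes are added is the condition to confirm before narrowing the outbound NAT rule as Steve suggests.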
-
@stephenw10
Thanks a lot.
It is working properly now!
You saved me