No Snort Alerts after moving behind ISP Router
-
My ISP recently forced their crappy Router/Fibermodem combo on me and I had to move my pfSense CE (Current) behind it. Now I don't get any Snort alerts.
Is this normal?

The WAN interface changed from PPPoE to DHCP, and I unchecked "Block Private Networks" and "Block bogon networks" as the IP subnet their Router is providing is 192.168.10.0/24.
I tried restarting Snort on that interface, but no joy.
Everything else seems to be working OK. Suggestions?
Thanks!
-
@DaHai8 Snort runs outside the firewall. So it will find packets blocked by the pfSense firewall.
Is the ISP router forwarding ports?
-
@DaHai8 said in No Snort Alerts after moving behind ISP Router:
My ISP recently forced their crappy Router/Fibermodem combo on me and I had to move my pfSense CE (Current) behind it. Now I don't get any Snort alerts.
Is this normal?

You were seeing Snort alerts on normal "Internet noise". That refers to the constant barrage of traffic from various nefarious sources that your pfSense firewall rules were going to block.
As stated by @SteveITS, Snort sees traffic on pfSense before the firewall rules are applied. That means when run on the WAN it would have been alerting on that noise, but your pfSense WAN interface firewall rules would block that traffic anyway. So, in effect, you had Snort chewing up CPU resources and RAM for very little or no gain as the firewall is going to block nearly all of that traffic anyway. Much better to run Snort on the firewall's internal interfaces such as the LAN and/or DMZ.
Now as to your question, "yes", Snort is still working, but the NAT feature of your ISP's router is probably hiding that traffic now, as the router will have its own built-in stateful firewall.