Netgate Discussion Forum
    HOW TO: pfSense as a transparent IPS

    pfSense Packages

      SleepIT

      This has taken me quite some time to get working and I have not found a guide for doing this, especially for the 2.x release.  The usage for this is adding an IPS to an existing network without requiring reconfiguration of any devices, in this case the router is managed by the ISP so it was decided to put the IPS on the LAN side.

      How to configure pfSense as a transparent Snort IPS

      Starting point is a working pfSense box with WAN address (*.*.*.23) in eventual LAN IP range and LAN address still at 192.168.1.1

      System:Packages

      Install Snort

      System:Advanced:System Tunables

      debug.pfftpproxy to 1
      net.link.bridge.pfil_bridge to 1

      System:General Setup

      Specify DNS Servers

      Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN

      Check Do not use the DNS Forwarder as a DNS server for the firewall

      Interfaces:Bridge

      Click plus and create a bridge.  Include LAN and WAN in the bridge and Save.

      Interfaces:Interface assignments

      Click plus to create an OPT1 interface and for Network Port select BRIDGE0

      Interfaces:OPT1

      Assign an IP address (within the desired LAN subnet) to the bridge (I used *.*.*.24).  Leave gateway at None.

      Uncheck "Block private networks" and "Block bogon networks"

      Use THIS IP to access the Web Configurator.  Should work from WAN or LAN side of router once the rules are in place.

      Firewall:NAT:Outbound

      Add a rule.  Interface OPT1, Protocol any, Source any, Destination any

      Firewall:Rules - WAN Tab

      Add a rule.  Interface WAN, Protocol any, Source any, Destination any

      Interfaces:LAN

      Change IP to be on desired LAN subnet (*.*.*.22 in my case)

      Test things

      You should have internet access from the LAN side and all traffic from WAN should pass through.

      Services:Snort

      Setup Snort as usual - Listen on WAN (not OPT1).

      This works, I've done portscans and other things from the WAN side which Snort detected and blocked as desired.

      If Snort craps out, traffic continues to pass through the bridge.

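The steps above are all clicked through the web GUI, which makes it easy to miss one (the `pfil_bridge` tunable in particular, without which pf does not filter on the bridge members where Snort is listening). The script below is an added example, not part of SleepIT's post or of pfSense: it audits a pfSense `config.xml` backup for the layout the post describes (WAN and LAN in one bridge, OPT1 assigned to `bridge0`, both tunables set, a pass-any rule on WAN, Snort bound to WAN only). The element names (`bridges/bridged/members`, `sysctl/item/tunable`, `filter/rule`, `installedpackages/snortglobal/rule`) are modelled on pfSense's `config.xml` but are an assumption here; verify them against your own export. The sample config is constructed and uses documentation addresses.

```python
"""Audit a pfSense config.xml for the transparent-bridge Snort IPS layout.

Added example (not from the forum post or the pfSense project). The XML paths
used below are an assumption modelled on pfSense's config.xml; check them
against a real backup before relying on the result.
"""
import xml.etree.ElementTree as ET

# Tunables set under System:Advanced:System Tunables in the post.
REQUIRED_TUNABLES = {
    "net.link.bridge.pfil_bridge": "1",  # pf filters on bridge members, where Snort listens
    "debug.pfftpproxy": "1",
}


def build_sample_config(pfil_bridge="1", snort_iface="wan", bridge_members="wan,lan"):
    """Constructed config.xml fragment mirroring the post's layout (not a real export)."""
    return f"""<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <lan><if>em1</if></lan>
    <opt1><if>bridge0</if><enable/><ipaddr>192.0.2.24</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <bridges>
    <bridged><members>{bridge_members}</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
  <sysctl>
    <item><tunable>net.link.bridge.pfil_bridge</tunable><value>{pfil_bridge}</value></item>
    <item><tunable>debug.pfftpproxy</tunable><value>1</value></item>
  </sysctl>
  <filter>
    <rule><type>pass</type><interface>wan</interface><source><any/></source><destination><any/></destination></rule>
  </filter>
  <installedpackages>
    <snortglobal><rule><interface>{snort_iface}</interface><enable>on</enable></rule></snortglobal>
  </installedpackages>
</pfsense>"""


def audit_transparent_ips(config_xml):
    """Return a dict of boolean findings plus an overall 'ok' flag."""
    root = ET.fromstring(config_xml)
    findings = {}

    # 1. The bridge must span WAN and LAN so traffic is forwarded at layer 2.
    members, bridgeif = set(), None
    for bridged in root.iterfind("./bridges/bridged"):
        members |= {m.strip() for m in (bridged.findtext("members") or "").split(",") if m.strip()}
        bridgeif = bridged.findtext("bridgeif")
    findings["bridge_spans_wan_lan"] = {"wan", "lan"} <= members

    # 2. OPT1 (the management IP) must be assigned to the bridge interface.
    findings["opt1_is_bridge"] = bridgeif is not None and root.findtext("./interfaces/opt1/if") == bridgeif

    # 3. Both tunables from the post must be present with the expected values.
    tunables = {i.findtext("tunable"): i.findtext("value") for i in root.iterfind("./sysctl/item")}
    findings["tunables_ok"] = all(tunables.get(k) == v for k, v in REQUIRED_TUNABLES.items())

    # 4. A pass-any rule on WAN (assumption: pfSense omits <protocol> for "any"
    #    and marks any-source/any-destination with an <any/> child).
    def passes_any(rule):
        return (rule.findtext("type") == "pass"
                and rule.find("protocol") is None
                and rule.find("source/any") is not None
                and rule.find("destination/any") is not None)

    wan_rules = [r for r in root.iterfind("./filter/rule") if r.findtext("interface") == "wan"]
    findings["wan_pass_any"] = any(passes_any(r) for r in wan_rules)

    # 5. Snort must listen on WAN only, not on the bridge (OPT1), as the post says.
    snort_ifaces = {r.findtext("interface") for r in root.iterfind("./installedpackages/snortglobal/rule")}
    findings["snort_on_wan_only"] = snort_ifaces == {"wan"}

    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, result in sorted(audit_transparent_ips(build_sample_config()).items()):
        print(f"{name:22s} {'PASS' if result else 'FAIL'}")
```

Run it against a real backup with `audit_transparent_ips(open("config.xml").read())`; any `False` in the output points at the GUI page in the post that still needs attention.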
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.