HOW TO: pfSense as a transparent IPS
This has taken me quite some time to get working and I have not found a guide for doing this, especially for the 2.x release. The use case is adding an IPS to an existing network without requiring reconfiguration of any devices; in this case the router is managed by the ISP, so it was decided to put the IPS on the LAN side.
How to configure pfSense as a transparent Snort IPS
The starting point is a working pfSense box with the WAN address (..*.23) in the eventual LAN IP range and the LAN address still at 192.168.1.1.
System:Packages
Install Snort
System:Advanced:System Tunables
Set debug.pfftpproxy to 1
Set net.link.bridge.pfil_bridge to 1
System:General Setup
Specify DNS Servers
Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
Check Do not use the DNS Forwarder as a DNS server for the firewall
Interfaces:Bridge
Click plus and create a bridge. Include LAN and WAN in the bridge and Save.
Interfaces:Interface assignments
Click plus to create an OPT1 interface and, for Network Port, select BRIDGE0
Interfaces:OPT1
Assign an IP address (within the desired LAN subnet) to the bridge (I used ..*.24). Leave gateway at None.
Uncheck "Block private networks" and "Block bogon networks"
Use THIS IP to access the Web Configurator. It should work from either the WAN or the LAN side of the router once the rules are in place.
Firewall:NAT:Outbound
Add a rule. Interface OPT1, Protocol any, Source any, Destination any
Firewall:Rules - WAN Tab
Add a rule. Interface WAN, Protocol any, Source any, Destination any
Interfaces:LAN
Change IP to be on desired LAN subnet (..*.22 in my case)
Test things
You should have internet access from the LAN side and all traffic from WAN should pass through.
Services:Snort
Set up Snort as usual; listen on WAN (not OPT1).
This works; I've done portscans and other things from the WAN side, which Snort detected and blocked as desired.
If Snort craps out, traffic continues to pass through the bridge.
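As an added verification script (not part of the original post), the POSIX sh functions below check the three things this setup depends on: the pfil_bridge tunable, both WAN and LAN being members of the bridge, and Snort actually bound to the WAN interface, which matters because the bridge keeps forwarding when Snort is down. The interface names em0 (WAN), em1 (LAN) and bridge0 are assumptions; override WAN_IF/LAN_IF to match your box.

```shell
#!/bin/sh
# Added example, not from the original post. Each check takes the command
# output as an argument so it can run against captured text as well as live.
# Assumed names: WAN=em0, LAN=em1, bridge=bridge0 (override via environment).
WAN_IF="${WAN_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"

# check_pfil_bridge "<output of: sysctl net.link.bridge.pfil_bridge>"
# Returns 0 only if the tunable is 1, as the System Tunables step requires,
# so pf also filters on the bridge interface (OPT1) itself.
check_pfil_bridge() {
    case "$1" in
        *"net.link.bridge.pfil_bridge: 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_bridge_members "<output of: ifconfig bridge0>"
# Returns 0 only if both WAN and LAN appear as "member:" lines of the bridge.
check_bridge_members() {
    printf '%s\n' "$1" | grep -q "^ *member: $WAN_IF " || return 1
    printf '%s\n' "$1" | grep -q "^ *member: $LAN_IF " || return 1
}

# check_snort_on_wan "<output of: ps axww>"
# Returns 0 only if a snort process is bound to WAN. Since the bridge fails
# open, this is the check worth alerting on. Assumes the process line carries
# "-i <interface>" as the Snort CLI does.
check_snort_on_wan() {
    printf '%s\n' "$1" | grep -q "snort .*-i $WAN_IF"
}

# Constructed sample output of a correctly configured box (for self-testing).
SAMPLE_SYSCTL="net.link.bridge.pfil_bridge: 1"
SAMPLE_IFCONFIG="bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>"
SAMPLE_PS="1234  -  Ss  0:01.00 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort.conf -i em0"

# Only on a real FreeBSD/pfSense box do we query the live system.
if [ "$(uname -s)" = "FreeBSD" ]; then
    check_pfil_bridge "$(sysctl net.link.bridge.pfil_bridge)" || echo "FAIL: pfil_bridge is not 1"
    check_bridge_members "$(ifconfig bridge0)" || echo "FAIL: bridge0 is missing $WAN_IF or $LAN_IF"
    check_snort_on_wan "$(ps axww)" || echo "FAIL: snort not bound to $WAN_IF (bridge fails open)"
fi
```

Run it from cron or a monitoring agent and alert on any FAIL line; on a non-FreeBSD host it only defines the functions and samples.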