HOW TO: pfSense as a transparent IPS
This has taken me quite some time to get working and I have not found a guide for doing this, especially for the 2.x release. The use case is adding an IPS to an existing network without reconfiguring any existing devices; in this case the router is managed by the ISP, so it was decided to put the IPS on the LAN side of it.
How to configure pfSense as a transparent Snort IPS
Starting point is a working pfSense box with the WAN address (..*.23) already in the eventual LAN IP range and the LAN address still at the default 192.168.1.1.
Set the system tunable debug.pfftpproxy to 1
Set the system tunable net.link.bridge.pfil_bridge to 1 (so that pf filters traffic on the bridge interface itself, not only on its member interfaces)
Specify DNS servers
Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Check "Do not use the DNS Forwarder as a DNS server for the firewall"
Click plus to create a bridge. Select both LAN and WAN as member interfaces and Save.
Click plus to create an OPT1 interface and, for Network Port, select BRIDGE0.
Assign an IP address within the desired LAN subnet to the OPT1 (bridge) interface (I used ..*.24). Leave the gateway at None.
Uncheck "Block private networks" and "Block bogon networks".
Use THIS bridge IP to access the web configurator from now on. It should be reachable from either the WAN or the LAN side of the router once the rules below are in place.
Firewall:Rules - OPT1 Tab
Add a pass rule: Interface OPT1, Protocol any, Source any, Destination any
Firewall:Rules - WAN Tab
Add a pass rule: Interface WAN, Protocol any, Source any, Destination any
Change the LAN interface IP to be on the desired LAN subnet (..*.22 in my case)
You should now have internet access from the LAN side, and all traffic from the WAN side should pass through the bridge.
Set up Snort as usual, listening on WAN (not OPT1).
This works; I've done port scans and other things from the WAN side which Snort detected and blocked as desired.
If Snort craps out, traffic continues to pass through the bridge. In other words the bridge is fail-open: the IPS only enforces while Snort is running, so monitor the Snort service rather than assume the box blocks anything by itself.
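As an added sanity check, not part of the original post, the following POSIX shell script verifies from the pfSense shell the two things this setup depends on: both system tunables read 1, and bridge0 actually contains the WAN and LAN ports. The interface names (em0 as WAN, em1 as LAN), the 192.168.10.0/24 subnet and the sample command output are constructed assumptions so the script runs offline; on a real box you substitute the live output of sysctl and ifconfig as shown in the comments.

```shell
#!/bin/sh
# Added verification helper; not from the original post.
# Checks, from command output text, the two settings the guide relies on:
# the two system tunables and the membership of bridge0.

# check_tunables OUTPUT
# OUTPUT is the text printed by:
#   sysctl debug.pfftpproxy net.link.bridge.pfil_bridge
# Returns 0 when both tunables read 1, 1 otherwise.
check_tunables() {
  printf '%s\n' "$1" | grep -q '^debug\.pfftpproxy: 1$' || return 1
  printf '%s\n' "$1" | grep -q '^net\.link\.bridge\.pfil_bridge: 1$' || return 1
  return 0
}

# check_bridge_members OUTPUT WAN_IF LAN_IF
# OUTPUT is the text printed by `ifconfig bridge0`; WAN_IF and LAN_IF are the
# physical ports that must both appear on "member:" lines. The trailing space
# in the pattern keeps em1 from matching em10.
check_bridge_members() {
  printf '%s\n' "$1" | grep -q "member: $2 " || return 1
  printf '%s\n' "$1" | grep -q "member: $3 " || return 1
  return 0
}

# run_checks SYSCTL_OUTPUT IFCONFIG_OUTPUT WAN_IF LAN_IF
# Prints a one-line verdict and returns 0 only if every check passes.
run_checks() {
  check_tunables "$1" || { echo "FAIL: tunables are not both set to 1"; return 1; }
  check_bridge_members "$2" "$3" "$4" || { echo "FAIL: bridge0 does not contain both $3 and $4"; return 1; }
  echo "OK: bridge0 bridges $3 and $4 and pf filters on the bridge"
  return 0
}

# Constructed sample output (assumed interface names em0=WAN, em1=LAN and a
# made-up 192.168.10.0/24 LAN) so the script runs offline. On the pfSense box
# replace these with the real command output, e.g.
#   SAMPLE_SYSCTL=$(sysctl debug.pfftpproxy net.link.bridge.pfil_bridge)
#   SAMPLE_IFCONFIG=$(ifconfig bridge0)
SAMPLE_SYSCTL='debug.pfftpproxy: 1
net.link.bridge.pfil_bridge: 1'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.10.24 netmask 0xffffff00 broadcast 192.168.10.255
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# A broken configuration, also constructed: pfil_bridge left at its default 0,
# which would leave pf (and so the OPT1 rules) not filtering on the bridge.
BAD_SYSCTL='debug.pfftpproxy: 1
net.link.bridge.pfil_bridge: 0'

run_checks "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" em0 em1
```

Run it from the pfSense shell (option 8 on the console menu, or via SSH) after step "Set up Snort"; a FAIL line points at the tunable or bridge step to revisit.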