HOW TO: pfSense as a transparent IPS

  • This has taken me quite some time to get working and I have not found a guide for doing this, especially for the 2.x release.  The usage for this is adding an IPS to an existing network without requiring reconfiguration of any devices, in this case the router is managed by the ISP so it was decided to put the IPS on the LAN side.

    How to configure pfSense as a transparent Snort IPS

    Starting point is a working PFSense box with WAN address (..*.23) in eventual LAN IP Range and LAN address still at


    Install Snort

    System:Advanced:System Tunables

    debug.pfftpproxy to 1 to 1

    System:General Setup

    Specify DNS Servers

    Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN

    Check Do not use the DNS Forwarder as a DNS server for the firewall


    Click plus and create a bridge.  Include LAN and WAN in the bridge and Save.

    Interfaces:Interface assignments

    Click plus to create an OPT1 interface and for Network Port select BRIDGE0


    Assign an IP address (within the desired LAN subnet) to the bridge (I used ..*.24).  Leave gateway at None.

    Uncheck "Block private networks" and "Block bogon networks"

    Use THIS IP to access the Web Configurator.  Should work from WAN or LAN side of router once the rules are in place.


    Add a rule.  Interface OPT1, Protocol any, Source any, Destination any

    Firewall:Rules - WAN Tab

    Add a rule.  Interface WAN, Protocol any, Source any, Destination any


    Change IP to be on desired LAN subnet (..*.22 in my case)

    Test things

    You should have internet access from the LAN side and all traffic from WAN should pass through.


    Setup Snort as usual - Listen on WAN (not OPT1).

    This works, I've done portscans and other things form the WAN side which Snort detected and blocked as desired.

    If Snort craps out, traffic continues to pass through the bridge.

Log in to reply