How to add a separate box for a Snort Firewall to a network?



  • I'm having trouble figuring out how to implement the particular scheme I want:

    • Main pfSense router without Snort installed.
    • (Almost) all traffic goes through Snort transparent proxy firewall unless it takes too long to respond, in which case the pfSense box stops using the proxy until it responds in a timely fashion again.

    This would be a really long timeout, meaning the proxy box is probably down or at least extremely overloaded. The reason I want a separate box is because I've found Snort especially tends to be rather problematic on pfSense boxes, possibly taking them down, even if they are well over-spec'd.

    I'm guessing one way to do this would be to have the boxes hooked up via a crossover cable such that all requests still go to the pfSense box, but then the pfSense box itself forwards requests first through the Snort Firewall, which then goes back to the pfSense box on the same port if not blocked. Since pfSense supports Snort, I could have the other box also run pfSense and use something like CARP and pfSense's own built-in redundancy.
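The following is an added sketch (not code from the thread or from pfSense) of the watchdog part of this scheme: probe the Snort box, stop routing through it after several consecutive timeouts, and only go back once it has answered reliably for a while, so one slow reply does not cause flapping. The addresses, the use of a default-route change as the steering mechanism, and the thresholds are all assumptions; on a real pfSense box you would more likely steer with a gateway group or a policy-routing rule than with `route change`.

```sh
#!/bin/sh
# Added example, not from the original post. Models the "bypass the Snort box
# while it is unresponsive, return when it answers promptly again" behaviour.
# Assumed (hypothetical) layout: pfSense -> Snort box on a dedicated link at
# $IDS_ADDR; bypass means sending traffic straight to the upstream gateway
# $DIRECT_GW. Route commands run only when invoked with "run" and DRY_RUN is
# unset, so the decision logic can be exercised offline via simulate().

IDS_ADDR="${IDS_ADDR:-192.0.2.2}"       # assumed address of the Snort box
DIRECT_GW="${DIRECT_GW:-198.51.100.1}"  # assumed upstream gateway for bypass
FAIL_THRESHOLD=3    # consecutive timed-out probes before bypassing Snort
OK_THRESHOLD=5      # consecutive good probes before routing via Snort again
PROBE_TIMEOUT=10    # per-probe wait (the "really long timeout" from the post)
POLL_INTERVAL=5     # seconds between probes

# probe_ids: 0 if the Snort box answers one ping within PROBE_TIMEOUT.
# Note: -W is in seconds on Linux ping but milliseconds on FreeBSD/pfSense;
# adjust for the platform you run this on.
probe_ids() {
    ping -c 1 -W "$PROBE_TIMEOUT" "$IDS_ADDR" >/dev/null 2>&1
}

# apply_route via|direct: steer traffic. Prints instead of acting under DRY_RUN.
apply_route() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "route -> $1"
        return 0
    fi
    case "$1" in
        via)    route change default "$IDS_ADDR" ;;
        direct) route change default "$DIRECT_GW" ;;
    esac
}

# next_state STATE OK FAILS OKS
#   STATE: "via" (traffic goes through Snort) or "direct" (bypass)
#   OK:    1 if the last probe answered in time, 0 if it timed out
#   FAILS/OKS: current consecutive-failure / consecutive-success counters
# Echoes "NEWSTATE FAILS OKS". The two thresholds give hysteresis: it takes
# FAIL_THRESHOLD timeouts to leave Snort and OK_THRESHOLD good probes to return.
next_state() {
    ns_state=$1 ns_ok=$2 ns_fails=$3 ns_oks=$4
    if [ "$ns_ok" -eq 1 ]; then
        ns_fails=0
        ns_oks=$((ns_oks + 1))
    else
        ns_oks=0
        ns_fails=$((ns_fails + 1))
    fi
    case "$ns_state" in
        via)    [ "$ns_fails" -ge "$FAIL_THRESHOLD" ] && ns_state=direct ;;
        direct) [ "$ns_oks" -ge "$OK_THRESHOLD" ] && ns_state=via ;;
    esac
    echo "$ns_state $ns_fails $ns_oks"
}

# simulate "1 1 0 0 0 ...": replay a constructed probe sequence (1 = answered,
# 0 = timed out) through next_state and echo the state after each probe.
simulate() {
    sim_state=via sim_fails=0 sim_oks=0 sim_out=""
    for sim_r in $1; do
        set -- $(next_state "$sim_state" "$sim_r" "$sim_fails" "$sim_oks")
        sim_state=$1 sim_fails=$2 sim_oks=$3
        sim_out="$sim_out $sim_state"
    done
    echo "${sim_out# }"
}

# watchdog: poll forever and reconfigure routing only when the state changes.
watchdog() {
    wd_state=via wd_fails=0 wd_oks=0
    apply_route "$wd_state"
    while :; do
        if probe_ids; then wd_ok=1; else wd_ok=0; fi
        set -- $(next_state "$wd_state" "$wd_ok" "$wd_fails" "$wd_oks")
        if [ "$1" != "$wd_state" ]; then
            apply_route "$1"
        fi
        wd_state=$1 wd_fails=$2 wd_oks=$3
        sleep "$POLL_INTERVAL"
    done
}

# Start polling only when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Run it with `DRY_RUN=1 sh watchdog.sh run` to watch the decisions without touching the routing table. Note that the probe only tells you the Snort box is alive, not that it is still forwarding; if the bypass matters to you, probe through the box (for example, ping the upstream gateway with the route still set via Snort) rather than the box itself, and remember that while in the "direct" state traffic is not being inspected at all.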



    I don't have any issues running Snort at all here... running on 46 individual pfSense VMs.



  • @Thrae:

    I'm having trouble figuring out how to implement the particular scheme I want:

    • Main pfSense router without Snort installed.
    • (Almost) all traffic goes through Snort transparent proxy firewall unless it takes too long to respond, in which case the pfSense box stops using the proxy until it responds in a timely fashion again.

    This would be a really long timeout, meaning the proxy box is probably down or at least extremely overloaded. The reason I want a separate box is because I've found Snort especially tends to be rather problematic on pfSense boxes, possibly taking them down, even if they are well over-spec'd.

    I'm guessing one way to do this would be to have the boxes hooked up via a crossover cable such that all requests still go to the pfSense box, but then the pfSense box itself forwards requests first through the Snort Firewall, which then goes back to the pfSense box on the same port if not blocked. Since pfSense supports Snort, I could have the other box also run pfSense and use something like CARP and pfSense's own built-in redundancy.

    What you found out was not Snort, nor pfSense, nor anything related to them. Snort has no problem running on pfSense. If the box is well over-spec'd and taken down, that means you have a lot of bigger fish to fry than Snort not running. I've run Snort on old hardware that should have been sent for recycling a long, long time ago, analyzing traffic most users in here will never see (datacenter-volume traffic), and never had an issue with Snort taking down the box.

    I would not recommend adding another unnecessary box to the network.

    Credentials: Author of the Snort and Suricata blueprints.

