    Snort dual-WAN Hack

    pfSense Packages
    gtm

      For those of you beating your heads against the "No snort on dual-wan setups" issue, here's what I've cobbled together to meet my needs - get pfSense to run an instance of Snort per interface.  Hope you find it useful.

      The current pfSense Snort configuration 'appears' to support a dual-WAN setup; you're able to select multiple interfaces, no errors or warnings, but alas, when you start the service, no love.  A little digging shows that the selection of multiple interfaces results in a Snort start command that looks something like this:

      'snort -i xl1 -i xl2'

      where the -i arg signifies an interface and 'xl1' and 'xl2' are interface names.  Unfortunately, Snort doesn't like that / doesn't accept multiple interfaces per instance.  What does this mean?  In a crude fashion it means you have to run two instances of snort if you have two WAN interfaces; one instance per interface.  Something like:

      'snort -i xl1'  and 'snort -i xl2'

      Just a bit more background and I'll get to the good stuff. pfSense uses a script called /usr/local/pkg/snort.inc to automatically generate a Snort startup script (/usr/local/etc/rc.d/snort.sh).  In order to get pfSense to start an instance of Snort per WAN interface, modify snort.inc as follows:

        1. On approx. line 80, define an empty array called $snortInterfaces
        2. On approx. line 90, push each interface into $snortInterfaces
        3. On approx. line 120, for each entry in the $snortInterfaces array,
            generate a start command for a unique instance of snort.
        4. Additionally, add a sleep/delay before starting each instance to give the
           prior instance a chance to start … seems to help.
      • This setup does NOT always work. In particular, snort often fails to start on a reboot.  I usually check to see if things are OK by looking at the memory usage.

      • Seems to take about 240 MB of memory per instance with 75% of the ruleset enabled.

      • I've attached my snort.inc file in case anyone wonders what the hell I'm talking about.  You can search for the tag '-gtm' to see my changes.

      snort.txt

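The following is an added example, not the snort.inc attachment from the post above, and not pfSense code. It emulates in plain sh what the patched snort.inc is described as generating: one daemonised snort start line per interface with a delay before each additional instance, next to the single multi-`-i` line the stock package produced, plus a small check for the "fails to start on a reboot" case that reports which interfaces have no running instance. The snort binary, config and log paths, the 5-second delay and the sample ps output are all assumptions/constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate the per-interface snort start script that the
# modified snort.inc generates. Paths and delay are assumptions.

SNORT_BIN=/usr/local/bin/snort                 # assumed path
SNORT_CONF=/usr/local/etc/snort/snort.conf     # assumed path
SNORT_LOGBASE=/var/log/snort                   # assumed path
START_DELAY=5                                  # seconds between instances, assumed

# broken_start IFACE... : the single command the stock package built,
# e.g. "snort -i xl1 -i xl2", which snort rejects (one interface per instance).
broken_start() {
    args=""
    for iface in "$@"; do
        args="$args -i $iface"
    done
    printf '%s%s\n' "$SNORT_BIN" "$args"
}

# gen_snort_start IFACE... : print the body of an rc.d start script that
# launches one daemonised snort (-D) per interface, sleeping before every
# instance after the first so the previous one can finish loading its rules.
# Each instance gets its own log directory so they don't clobber each other.
gen_snort_start() {
    first=1
    for iface in "$@"; do
        if [ "$first" -eq 1 ]; then
            first=0
        else
            printf 'sleep %s\n' "$START_DELAY"
        fi
        printf 'mkdir -p %s/%s\n' "$SNORT_LOGBASE" "$iface"
        printf '%s -D -i %s -c %s -l %s/%s\n' \
            "$SNORT_BIN" "$iface" "$SNORT_CONF" "$SNORT_LOGBASE" "$iface"
    done
}

# count_instances IFACE... : how many snort start lines the script contains
count_instances() {
    gen_snort_start "$@" | grep -c "^$SNORT_BIN "
}

# missing_instances PS_OUTPUT IFACE... : print each interface that has no
# running "snort ... -i IFACE" process in the given 'ps ax' output. The ps
# text is passed in as a string so the check can be exercised offline.
missing_instances() {
    ps_out=$1
    shift
    for iface in "$@"; do
        printf '%s\n' "$ps_out" | grep -qE -- "snort .*-i $iface( |$)" \
            || printf '%s\n' "$iface"
    done
}

# Constructed sample ps output: only the xl1 instance came up after reboot.
PS_SAMPLE="  123  -  Ss   0:01.00 $SNORT_BIN -D -i xl1 -c $SNORT_CONF -l $SNORT_LOGBASE/xl1
  456  -  Is   0:00.00 /bin/sh /usr/local/etc/rc.d/snort.sh"

# Demo when run directly: show the generated script and the post-reboot check.
echo "# stock package produced:"
broken_start xl1 xl2
echo "# per-interface start script:"
gen_snort_start xl1 xl2
echo "# interfaces with no running instance (constructed ps sample):"
missing_instances "$PS_SAMPLE" xl1 xl2
```

To use it on a box, redirect `gen_snort_start xl1 xl2` into the rc.d script and, after a reboot, feed real `ps ax` output to `missing_instances` instead of eyeballing memory usage; an empty result means every WAN has its instance.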
      sullrich

        Excellent work!  I've committed your changes.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.