Source IP is WAN - need to know LAN IP?

  • Snort is blocking an outbound Fiesta Kit from my network.  In the logs/General, it's only showing the WAN IP address.  How do I find the offending LAN IP address so I can go clean that machine?


  • Short answer is you can't.  The longer answer is maybe you could if you did a bunch of packet captures on the LAN and WAN and tried to decode the NAT ports.

    Do a quick search here in this sub-forum for "Snort on LAN or WAN" and you should get some hits.  I recommend users put Snort on their LAN interface when they operate in a NAT environment (as nearly all of the pfSense users here do).  That way Snort sees traffic before the NAT rules have been applied, so your LAN clients' true IP addresses will appear in the alerts.  When you run Snort on the WAN only, then Snort sees traffic after NAT rules have been applied for outbound traffic and before NAT rules are applied for inbound traffic.  So in both instances Snort sees only your WAN IP as the "local address".

    UPDATE:  I should have stated in my earlier post that you can quickly swap Snort from WAN to LAN by simply going to the INTERFACE SETTINGS tab and changing the interface drop-down selection from WAN to LAN and save the change.  Don't forget to also change the description field.  That field is purely for labeling, but it might get confusing later if the description said "WAN" but the actual interface selected is the LAN.


  • Banned

    …just to add that you simply press the "Download" button on the alert page and get a packed container with captures you can open in wireshark to see what was going on... ;-)

  • Thanks for the help!

  • LAYER 8 Netgate

    If you know the characteristics of the traffic you might be able to get it out of Diagnostics > States

Log in to reply