Netgate Discussion Forum

    Pfsense behind adsl router - IDS problem

    IDS/IPS
    9 Posts 2 Posters 1.7k Views
    • apoleia

      Hello,

      I have a pfSense configured behind an ADSL router (which I cannot put in bridge mode).
      I have turned on Snort on the LAN and on the WAN interface.
      When alerts are triggered, the destination IP is 192.168.1.254 (pfSense WAN IP) instead of the LAN client IP.
      Is there a way I can keep this configuration (pfSense behind the router) and have the LAN client IP appear in the IDS log?

      Thanks in advance

      • doktornotor

        There are separate alerts for WAN and LAN. On WAN, yeah, the destination IP will be WAN. Not really any configuration. When you want to see the real destination, see the corresponding LAN alert which has the destination after NAT happened.

        • apoleia

          Thanks for your answer. The problem is that I don't see the alerts on the LAN interface.
          For instance, ET POLICY PE EXE or DLL Windows file download only appears on the WAN interface with IP 192.168.1.254.
          Could you tell me what kind of NAT I should configure?

          Thanks

          • doktornotor

            Do not mess with NAT. Simply, one sensor sees the traffic destination before NAT, the other after NAT… There's nothing to configure there, what you see is what you see and that's the end of the story. Since you are at least double-NATed according to your WAN IP, that doesn't help either.

            (And that rule would better be disabled before you piss off users.)

            • apoleia

              So there's no way I can see the LAN IP on the LAN interface?

              • doktornotor

                Just tested this nonsense. This is from LAN:

                Check that you did not suppress the flowbit rule/whether it's enabled at all on LAN.

                • apoleia

                  Thanks, I'll check that tomorrow morning!

                  • apoleia

                    Hello!

                    Right, this is what I did:
                    I replaced my modem/router with a modem only and configured pfSense with PPPoE.
                    I now have a public IP on my WAN interface.
                    The problem is that I now see the public IP as the destination in the Snort logs:

                    TCP Potential Corporate Privacy Violation 46.43.34.31  80  90.XX.XX.XX  38377 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP

                    What am I doing wrong?


                    • doktornotor

                      On WAN? Yes, that's not a problem. That's correct. As said, you need to get this working on LAN to see LAN IPs. Explained above, plus explained here by the Snort/Suricata maintainer. Really don't think there's much else to add here.

                      P.S. Getting rid of double-NAT is a good thing regardless of IDS alerts.

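As an added illustration of the before-NAT/after-NAT point made in the replies above (this is not code from the thread, from pfSense or from Snort), the following Python correlates a WAN-interface alert, whose destination is the firewall's WAN address, with its LAN-interface twin to recover the LAN client. The alert records are constructed to mimic the columns the thread's alert line shows, with a timestamp and sensor interface added in front; when the rule never fires on LAN (this thread's situation) no twin exists and attribution returns None.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample records (tab-separated): timestamp, sensor interface, then the
# columns shown in the thread: proto, classification, src, sport, dst, dport,
# gid:sid, message. 90.XX.XX.XX is the masked WAN address as quoted in the thread.
WAN_ALERTS = """\
2019-03-01 09:15:02\tWAN\tTCP\tPotential Corporate Privacy Violation\t46.43.34.31\t80\t90.XX.XX.XX\t38377\t1:2018959\tET POLICY PE EXE or DLL Windows file download HTTP
2019-03-01 09:20:44\tWAN\tTCP\tPotential Corporate Privacy Violation\t46.43.34.31\t80\t90.XX.XX.XX\t51020\t1:2018959\tET POLICY PE EXE or DLL Windows file download HTTP
"""
# The LAN sensor sees the same flow after NAT, so the destination is the client.
# Only the first WAN alert has a LAN twin; the second models the rule being
# disabled or suppressed on LAN.
LAN_ALERTS = """\
2019-03-01 09:15:02\tLAN\tTCP\tPotential Corporate Privacy Violation\t46.43.34.31\t80\t192.168.10.23\t38377\t1:2018959\tET POLICY PE EXE or DLL Windows file download HTTP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    sid: str
    msg: str


def parse_alerts(text: str) -> List[Alert]:
    """Parse the constructed tab-separated alert records into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, proto, _cls, src, sport, dst, dport, sid, msg = line.split("\t")
        alerts.append(Alert(datetime.fromisoformat(ts), iface, proto, src,
                            int(sport), dst, int(dport), sid, msg))
    return alerts


def attribute_lan_client(wan: Alert, lan_alerts: List[Alert],
                         window: timedelta = timedelta(seconds=2)) -> Optional[str]:
    """Return the post-NAT destination (LAN client) for a WAN-side alert, or None.

    The remote endpoint (src/sport), rule SID and protocol survive NAT unchanged,
    so they plus a small time window identify the same flow on the LAN sensor.
    The client's port is deliberately not required to match: outbound NAT may
    rewrite it.
    """
    for la in lan_alerts:
        if (la.iface == "LAN" and la.sid == wan.sid and la.proto == wan.proto
                and la.src == wan.src and la.sport == wan.sport
                and abs(la.ts - wan.ts) <= window):
            return la.dst
    return None
```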
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.