Pfsense behind adsl router - IDS problem

  • Hello,

    I have a pfsense configured behind an adsl router (which I cannot put in bridge mode).
    I have turned on SNORT on the LAN and on the WAN interface.
    When alerts are triggered, destination IP is (Pfsense wan IP) instead of the LAN client IP.
    Is there a way I can keep this configuration (pfsense behind the router) and have the LAN client IP appear in the IDS log?

    Thanks in advance

  • Banned

    There are separate alerts for WAN and LAN. On WAN, yeah, the destination IP will be WAN. Not really any configuration. When you want to see the real destination, see the corresponding LAN alert which has the destination after NAT happened.

    Thanks for your answer. The problem is that I don't see the alerts on the LAN interface.
    For instance, ET POLICY PE EXE or DLL Windows file download only appears on the wan interface with IP
    Could you tell me what kind of NAT I should configure?


  • Banned

    Do not mess with NAT. Simply, one sensor sees the traffic destination before NAT, the other after NAT… There's nothing to configure there, what you see is what you see and that's the end of the story. Since you are at least double-NATed according to your WAN IP, that doesn't help either.

    (And that rule would better be disabled before you piss off users.)
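    The point made above (the WAN sensor records the translated destination, the LAN sensor records the real client, and only the LAN alert can tell you who downloaded the file) can be worked through by joining the two alert streams on the flow they share. The script below is an added example written for this thread, not code from pfSense or the Snort package, and it assumes a constructed pipe-separated alert format and constructed RFC 5737 addresses; it matches a WAN alert to LAN alerts carrying the same rule SID, protocol, remote host and remote port within a short time window, and reports when the match is ambiguous or missing.

```python
"""Map post-NAT Snort alerts from the WAN sensor back to LAN clients.

Constructed line format (not Snort's own):
    iface|timestamp|proto|src_ip|src_port|dst_ip|dst_port|sid|msg
Source is the remote server side of the flow; destination is the local side,
which is the firewall WAN address on the WAN sensor and the client on LAN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Alert:
    iface: str
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sid: str
    msg: str

def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line; reject anything with the wrong field count."""
    f = line.strip().split("|", 8)
    if len(f) != 9:
        raise ValueError(f"malformed alert line: {line!r}")
    return Alert(f[0], datetime.fromisoformat(f[1]), f[2], f[3], int(f[4]),
                 f[5], int(f[6]), f[7], f[8])

def resolve_lan_clients(lines: List[str], wan_ip: str,
                        window: timedelta = timedelta(seconds=2)) -> List[Dict]:
    """For every WAN alert aimed at wan_ip, list the LAN client(s) behind it.

    The translated port on the WAN side is not a usable key (pf rewrites the
    client port), so the join uses what NAT leaves untouched: the remote host,
    remote port, protocol and rule SID, constrained to a small time window.
    An empty list means no LAN sensor alert exists for that flow (rule
    disabled or suppressed on LAN); several entries mean the flow is ambiguous.
    """
    alerts = [parse_alert(l) for l in lines if l.strip()]
    lan = [a for a in alerts if a.iface == "lan"]
    out = []
    for w in sorted((a for a in alerts if a.iface == "wan" and a.dst_ip == wan_ip),
                    key=lambda a: a.ts):
        cands = sorted({c.dst_ip for c in lan
                        if c.sid == w.sid and c.proto == w.proto
                        and c.src_ip == w.src_ip and c.src_port == w.src_port
                        and abs(c.ts - w.ts) <= window})
        out.append({"wan_ts": w.ts.isoformat(), "sid": w.sid, "msg": w.msg,
                    "remote": f"{w.src_ip}:{w.src_port}",
                    "translated_port": w.dst_port, "lan_clients": cands})
    return out

# Constructed sample alerts: one clean match, one ambiguous pair, one WAN-only hit.
WAN_IP = "198.51.100.5"
MSG = "ET POLICY PE EXE or DLL Windows file download HTTP"
SAMPLE_ALERTS = [
    f"lan|2024-01-15T09:12:01|TCP|203.0.113.10|80|192.168.1.20|51234|1:2018959|{MSG}",
    f"wan|2024-01-15T09:12:01|TCP|203.0.113.10|80|{WAN_IP}|38377|1:2018959|{MSG}",
    f"lan|2024-01-15T09:15:40|TCP|203.0.113.10|80|192.168.1.20|51500|1:2018959|{MSG}",
    f"lan|2024-01-15T09:15:41|TCP|203.0.113.10|80|192.168.1.31|49022|1:2018959|{MSG}",
    f"wan|2024-01-15T09:15:40|TCP|203.0.113.10|80|{WAN_IP}|40010|1:2018959|{MSG}",
    f"wan|2024-01-15T09:30:00|TCP|203.0.113.10|80|{WAN_IP}|40500|1:2018959|{MSG}",
]

if __name__ == "__main__":
    for r in resolve_lan_clients(SAMPLE_ALERTS, WAN_IP):
        who = ", ".join(r["lan_clients"]) or "no LAN alert (rule off on LAN?)"
        print(f'{r["wan_ts"]} {r["sid"]} {r["remote"]} -> port {r["translated_port"]}: {who}')
```

The third sample row reproduces the situation in the thread: a WAN-only alert gives you nothing to join against, so the only fix is enabling the rule (and its flowbit dependencies) on the LAN sensor. For a live mapping rather than an after-the-fact join, the firewall's state table (Diagnostics > States, or `pfctl -ss` on the console) holds the current NAT translations, but it is a snapshot and is gone once the connection closes.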

  • So there's no way I can see LAN IP on the LAN IP interface?

  • Banned

    Just tested this nonsense. This is from LAN:

    Check that you did not suppress the flowbit rule/whether it's enabled at all on LAN.

  • Thanks, I'll check that tomorrow morning!

  • Hello!

    Right, this is what I did:
    I replaced my modem/router with a modem only and configured pfsense with pppoe.
    I now have a public IP on my wan interface.
    The problem is that I now see the public IP as the destination in the snort logs:

    TCP Potential Corporate Privacy Violation  80  90.XX.XX.XX  38377 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP

    What am I doing wrong?

  • Banned

    On WAN? Yes, that's not a problem. That's correct. As said, you need to get this working on LAN to see LAN IPs. Explained above, plus explained here by the Snort/Suricata maintainer. Really don't think there's much else to add here.

    P.S. Getting rid of double-NAT is a good thing regardless of IDS alerts.
