OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ejvl on February 11, 2022, 02:24:24 PM

Title: IDS, what interface to choose
Post by: ejvl on February 11, 2022, 02:24:24 PM
Hi,
I've the following situation.

- A router from my provider, LAN is 192.168.1.1
- From this router, one cable is connected to my switch. I've configured this switchport untagged in VLAN 100.
- From the switch, another cable is connected to my Nuc with OpnSense installed. This switchport is untagged 1 and tagged 100.
- In OpnSense I've created a vlan 100 interface and set my WAN to this interface.
- My WAN in OpnSense is a 192.168.1.x address, my LAN is 10.0.0.254.
- My OpnSense WAN 192.168.1.x is configured as DMZ in the router of the provider, so all the incoming traffic and ports are directly sent to OpnSense.
- My home network is in 10.0.0.x with the 10.0.0.254 (Opnsense) as default gateway.

Now I want to enable IDS and later IPS. Rules are activated, but in this specific situation, which interface should I choose? WAN or LAN?

Thanks.

(https://www.ejvl.nl/image/network.jpg)
Title: Re: IDS, what interface to choose
Post by: Melroy vd Berg on January 20, 2025, 05:38:11 PM
It's an old question and still unanswered. But I had the same question.

After reading the docs (https://docs.opnsense.org/manual/ips.html):

Quote:
One of the most commonly asked questions is which interface to choose. Considering the continued use of IPv4, usually combined with Network Address Translation, it is quite important to use the correct interface. If you are capturing traffic on a WAN interface you will see only traffic after address translation. This means all the traffic is originating from your firewall and not from the actual machine behind it that is likely triggering the alert.

Rules for an IDS/IPS system usually need to have a clear understanding about the internal network; this information is lost when capturing packets behind NAT.

[...]

Since the firewall is dropping inbound packets by default it usually does not improve security to use the WAN interface when in IPS mode because it would drop the packet that would have also been dropped by the firewall.


Meaning, I believe you want to enable IDS and IPS on your physical LAN interface (avoid setting it to a bridge interface, and also avoid setting it to a VLAN interface).


Some people enable it on the physical WAN interface. However, for that, check the "advanced mode" option at the top and enter your WAN IP in your "home networks" box. Do NOT enable both WAN & LAN, since that will most likely cause IDS/IPS to scan the traffic twice.

See also this blog post: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

If I'm wrong, please correct me.
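A small simulation of the NAT point in the quoted docs, added here as an example and not code from the thread or from OPNsense: the 10.0.0.0/24 LAN and 192.168.1.x WAN side come from the original post, while the WAN IP 192.168.1.50, the remote host 203.0.113.9 and the simplified "$HOME_NET -> $EXTERNAL_NET" rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from the thread: LAN 10.0.0.0/24 behind OPNsense,
# WAN side in 192.168.1.0/24 (provider router). WAN IP is a hypothetical value.
WAN_IP = "192.168.1.50"
LAN_NET = "10.0.0.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def snat(pkt: Packet, wan_ip: str = WAN_IP) -> Packet:
    """Outbound source NAT as the firewall does it: a LAN source becomes the WAN IP."""
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(LAN_NET):
        return Packet(wan_ip, pkt.dst, pkt.dport)
    return pkt


def seen_on(interface: str, pkt: Packet) -> Packet:
    """What an IDS bound to 'lan' or 'wan' observes for an outbound LAN flow."""
    return pkt if interface == "lan" else snat(pkt)


def rule_matches(pkt: Packet, home_nets: list) -> bool:
    """Simplified '$HOME_NET -> $EXTERNAL_NET' rule: source must lie inside HOME_NET."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(n) for n in home_nets)


def alert_attribution(interface: str, pkt: Packet, home_nets: list):
    """Return the source IP an alert would name, or None if the rule never fires.

    On LAN the alert names the real internal host. On WAN the rule only fires
    once the WAN IP is part of 'home networks', and then it names the firewall.
    """
    seen = seen_on(interface, pkt)
    return seen.src if rule_matches(seen, home_nets) else None


if __name__ == "__main__":
    flow = Packet("10.0.0.23", "203.0.113.9", 443)  # constructed outbound flow
    print("lan:", alert_attribution("lan", flow, [LAN_NET]))
    print("wan, LAN only in home nets:", alert_attribution("wan", flow, [LAN_NET]))
    print("wan, WAN IP added:", alert_attribution("wan", flow, [LAN_NET, WAN_IP + "/32"]))
```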
Title: Re: IDS, what interface to choose
Post by: someone on February 05, 2025, 04:48:50 PM
Sounds like filtering the WAN.
You want to filter all incoming traffic through opnsense destined to your home network.
Don't forget to add your WAN IP in the advanced options of Intrusion Detection Admin for rulesets to work.
I can't say much for ISP routers without a rant.