OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: johjoh on August 22, 2018, 05:30:00 pm
-
Hello, I'm trying to make working Suricata with OPNsense in Transparent Bridged mode.
According to this page:
https://docs.opnsense.org/manual/how-tos/transparent_bridge.html (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html)
I must setup (Suricata) Interface on WAN or BRIDGE or LAN?
What about (Suricata) Home Networks: blank (any) or the broadcast address of the transparent network?
I need to know how it's configured to work, for example: if I set only WAN as interfaces
A packet arrives from WAN, pass through Suricata and then it goes to BRIDGE?
PACKET --> WAN --> SURICATA --> BRIDGE --> LAN
or
PACKET --> SURICATA --> WAN --> BRIDGE --> LAN
Can I suggest to insert this settings of Suricata on OPNsense Web Configuration Page?
https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS (https://github.com/StamusNetworks/SELKS/wiki/Initial-Setup---Suricata-IPS)
interface: WAN
threads: 4 # or a number that is below half the number of cores available
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: LAN
tpacket-v3: no
ring-size: 2048
use-mmap: yes
interface: LAN
threads: 4 # or a number that is below half the number of cores available
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: WAN
tpacket-v3: no
ring-size: 2048
use-mmap: yes
With the availability of this settings, I can make a transparent firewall with 3 interfaces:
em0 Management of OPNsense with IP
em1 WAN without IP
em2 LAN without IP
in this mode I don't need to create a bridge and all traffic is copied from "copy-iface:" option in Suricata (transparent).
The rule can be written on WAN or LAN indifferently.
Thank you for any precious help