Messages - triathlontoe

#1
Quote from: zzup on July 16, 2025, 07:30:24 AM
Is there a way to configure CrowdSec to only be active on the WAN? I have Zenarmor protecting the LAN and am mainly protecting a few ports open for gaming. I have been having problems getting to websites randomly with CrowdSec enabled and figured I should just turn off the LAN side as Zenarmor handles that.

The primary way to control the traffic that CrowdSec processes is through the acquisition file, typically located in `/etc/crowdsec/acquis.d/` (or similar, depending on your operating system and installation method). You will need to specify which interfaces or IP ranges CrowdSec should listen on or exclude. You can use the method of specifying the WAN Interface in Acquisition.
#2
Quote from: Azokul on March 03, 2025, 05:48:10 PM
Hi,
I'm trying to understand how to set up Suricata with Unbound DNS on OPNsense.

Right now I'm using Unbound at 192.168.1.48:53 to serve the LAN.

I don't have hardware offloading, nor am I forwarding DNS. I also don't have DNS set up on the General tab.


I'm also not using "Allow DNS server list to be overridden by DHCP/PPP on WAN".

I'm testing the Facebook DNS rule with nslookup, but it never triggers an alert.

Unbound log:
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: reply from <facebook.com.>
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: response for facebook.com. A IN
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: resolving facebook.com. A IN

Rule I expect to fire:
51000003 | alert | opnsense.social_media.rules | social-media | OPN_Social_Media - Facebook - DNS request for facebook.com

As far as I understand, after a little bit of research, I think it might be related to rule behavior.
LOCALNET is 192.168.0.0/16, but the rules expect an external request for !LOCALNET, which is definitely never true.
DNS requests (to my understanding) are sent via LOCALNET to Unbound, which get re-routed to WAN for an external request.
So, realistically, my DNS request for facebook is always under LOCALNET if I'm monitoring LAN.

If I try on WAN instead, I think I might get problems related to the fact that the WAN is a PPPoE connection, which doesn't really seem very well supported.
Any idea?
Thanks in advance

Instead of relying on `!LOCALNET`, modify the rule to specifically look for DNS traffic from your Unbound server's IP address to external DNS ports (usually UDP 53) on your LAN interface. However, this may not be directly possible with the predefined Suricata rules in the OPNsense GUI since `OPN_Social_Media` rules are often prepackaged.
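A concrete form of what the reply describes, written here as an added example rather than code from the original post or from the OPNsense rule set: two user-defined Suricata rules, one for the leg Suricata sees when it is bound to LAN (client to Unbound) and one for the upstream leg (Unbound to an external server) for when it is bound to WAN. It assumes the resolver address 192.168.1.48 and the local range 192.168.0.0/16 from the quoted post, and that the sids 9000001 and 9000002 are unused on the install.

```text
# Added example, not part of the original post. Assumes Unbound listens on
# 192.168.1.48 and LOCALNET is 192.168.0.0/16 (both taken from the quoted post);
# sids 9000001/9000002 are arbitrary and assumed to be free in the local rule set.

# 1) Suricata bound to LAN: the only DNS traffic visible there is the client's
#    query to Unbound, so match LOCALNET -> resolver, not LOCALNET -> !LOCALNET.
alert dns 192.168.0.0/16 any -> 192.168.1.48 53 (msg:"Custom - LAN client DNS query for facebook.com"; dns.query; content:"facebook.com"; nocase; sid:9000001; rev:1;)

# 2) Suricata bound to WAN: match the recursive lookup Unbound itself sends out.
#    That query leaves with the firewall's WAN address as source, not
#    192.168.1.48, so the source is left as "any" and only the destination is
#    restricted to non-local port 53.
alert dns any any -> !192.168.0.0/16 53 (msg:"Custom - upstream DNS query for facebook.com"; dns.query; content:"facebook.com"; nocase; sid:9000002; rev:1;)
```

Load the rules as user-defined rules in Intrusion Detection (or from a local rules file), then repeat the nslookup from a LAN client: with Suricata on LAN, rule 1 should alert with the client as source. Rule 2 only helps if Suricata can actually be attached to the WAN interface, which for PPPoE is exactly the concern raised in the quoted post.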
#3
Quote from: nielser on May 04, 2025, 04:09:02 PM
Hey all,

For a project I am testing out the functionality of Suricata on OPNsense within VMware.

I have the following configured as VMnets: VMNET8 NAT (WAN), vmnet 11/12/13 LAN.

My clients have their NIC set to vmnet 11, for example, with a default gateway to the NIC on the firewall with the X.X.X.1 IP.

In my interface statistics I can see that all interfaces are taking in data, but when I try an nmap scan etc. the rule does not seem to alert, even though it should be configured for that.

Has anybody had any similar problems, or does anyone think they may know what the problem is?

Suricata needs to be enabled on the interface it sees traffic on. In your case, verify that Suricata is enabled on VMNET11/12/13, which represent your LAN interfaces, and that you are scanning traffic across the firewall, not just within the same subnet (Suricata will not see traffic that does not cross the interface it is bound to).