OPNsense Forum » English Forums » General Discussion
Topic: Getting started with IDS/IPS behind NAT (Read 1713 times)
beneix (Newbie, Posts: 49, Karma: 3)
Getting started with IDS/IPS behind NAT
Posted on: November 29, 2022, 07:57:41 am
I am confused by the manual/howto, specifically the text under "Choosing an interface" that mentions NAT and the WAN interface.

Because my ISP's router can't be put in bridge mode, I have set it to regard my OPNsense router as DMZ, so all traffic gets passed through to the OPNsense router and the OPNsense WAN interface gets an IP address on the ISP router. In this situation, can I get proper benefit from activating Suricata on the WAN interface to catch and stop intrusion attempts, or is this not possible?
Last Edit: January 16, 2023, 06:30:05 pm by AdSchellevis
OPNsense 24.7.7-amd64 on APU2E4 using ZFS
technotic (Newbie, Posts: 8, Karma: 1)
Re: Getting started with IDS/IPS
Reply #1 on: January 16, 2023, 02:34:59 pm
Hello,
TL;DR: yes, this will work essentially the same from the security side. Some problems may occur with network traversal from double NAT, though. Using DMZ averts most of these. Use a static IP on the OPNsense WAN port and set that IP as the DMZ IP on the ISP equipment.
references:
https://www.erikoest.dk/b_d_uk.htm#:~:text=Bridge%20mode%20%2F%20DMZ%20(in%20English),-Multiple%20routers&text=If%20your%20ISP%20(Internet%20Solution,Wide%20Area%20Network%20(WAN).
https://www.practicallynetworked.com/fixing-double-nat/
-- Breakdown --
So your modem is essentially another router (an edge router, technically) which sits at the edge of your network infrastructure and is the gateway between your network(s) and the rest of the world (the internet). It obtains an IP address from your ISP and then uses NAT to share the connection with your network. This is pretty much known by everyone, but I'm just throwing it out there for context.

By connecting your OPNsense box's WAN to the router set up as DMZ, all inbound traffic should be getting passed to the OPNsense box. Proper DMZ operation would pass incoming connection attempts, etc. to the OPNsense WAN. Your OPNsense box will, in default configuration, provide NAT to your LAN devices as well. This causes double NAT. But because you have DMZ set for your OPNsense device, you *SHOULD* be fine.

I emphasize *should* because it seems every consumer has a different idea of what they define as a DMZ. The first article above talks about using DMZ in place of bridge mode. Assuming your ISP's device's DMZ mode works as it should and the OPNsense box is the only device directly connected to the modem, then it should work fine.

Make sure you define the static IP on your OPNsense WAN port to match the one set as DMZ in your ISP equipment; otherwise you'll start having problems if your OPNsense WAN IP changes.
EDIT: just realized you wrote this back in November, but I'll leave this here in case someone else with the same question comes along. Maybe you or a moderator can change the title to better direct people with this question, and move it to the general forum? Something like "Using OPNsense device on ISP equipment as DMZ when unable to use bridge mode"... or it might already be covered in a sticky there.
Last Edit: January 16, 2023, 02:39:05 pm by technotic
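An added sanity check for the setup technotic describes (the OPNsense WAN port holding a static address that the ISP router forwards to as its DMZ host); this is example code written for this thread, not part of the posts or of OPNsense. The function names and the two addresses are constructed for illustration.

```shell
#!/bin/sh
# Example check for the "OPNsense WAN as ISP-router DMZ host" setup.
# Assumptions (constructed for this example): the first argument is the
# address configured statically on the OPNsense WAN port, the second is the
# DMZ host address entered on the ISP router.

# Return 0 when the dotted-quad $1 is RFC 1918 private or RFC 6598 CGNAT
# space, i.e. the ISP router is doing NAT in front of OPNsense (double NAT),
# 1 for any other address, 2 if it is not a dotted quad.
is_behind_nat() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 2
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
    100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0 ;;
  esac
  return 1
}

# Return 0 when the static WAN address equals the DMZ host address,
# 1 otherwise. On a mismatch the ISP router forwards inbound traffic to an
# address OPNsense does not hold, so nothing reaches the WAN interface and
# Suricata bound to WAN never sees those connection attempts.
check_dmz_wan() {
  wan=$1; dmz=$2
  if [ "$wan" != "$dmz" ]; then
    echo "mismatch: WAN=$wan DMZ=$dmz (fix the static WAN IP or the DMZ entry)"
    return 1
  fi
  if is_behind_nat "$wan"; then
    echo "ok: $wan is private, double NAT with DMZ forwarding in effect"
  else
    echo "ok: $wan is a public address, no double NAT"
  fi
  return 0
}

# Constructed sample values: one consistent setup, one mismatch.
check_dmz_wan 192.168.1.2 192.168.1.2
check_dmz_wan 192.168.1.2 192.168.1.20 || true  # exit status 1 is expected here
```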