crowdsec only on WAN

Started by zzup, July 16, 2025, 07:30:24 AM

July 16, 2025, 07:30:24 AM Last Edit: July 16, 2025, 07:14:18 PM by zzup
Is there a way to configure crowdsec to only be active on the WAN? I have Zenarmor protecting the LAN and am mainly protecting a few ports open for gaming. I have been having problems getting to websites randomly with crowdsec enabled and figured I should just turn off the LAN side as Zenarmor handles that.

Quote from: zzup on July 16, 2025, 07:30:24 AM
Is there a way to configure crowdsec to only be active on the wan google doodle baseball? I have Zenarmor protecting the LAN and am mainly protecting a few ports open for gaming. I have been having problems getting to websites randomly with crowdsec enabled and figured I should just turn off the LAN side as Zenarmor handles that

The primary way to control the traffic that CrowdSec processes is through the acquisition file, typically located in `/etc/crowdsec/acquis.d/` (or similar, depending on your operating system and installation method). You will need to specify which interfaces or IP ranges CrowdSec should listen on or exclude. You can use the method of specifying the WAN Interface in Acquisition.

July 23, 2025, 10:28:25 PM #2 Last Edit: July 23, 2025, 10:32:08 PM by jonny5
As the CrowdSec Parser Agent that is installed will parse what it is told to from the `/usr/local/etc/crowdsec/acquis.d/*.yaml` and `/usr/local/etc/crowdsec/acquis.yaml` on the OPNsense, it is more about the detail there, and the Allowlists and other pre and post processing you configure.

That all said, by default the plug-in's CrowdSec Agent Parser will parse the firewall/pf logs. You can have it parse more, such as Suricata, and in this case it would be up to you to configure Suricata to only look at WAN or to have CrowdSec collect the logs and apply that filter logic in the acquis details and follow-up pre/post processing configs respectively.

The OPNsense CrowdSec plug-in also includes a Blocker Agent; it will listen to your LAPI (the server side of your local CrowdSec plug-in) and update the WAN-only blocklist that is configured as a part of the plug-in installation. This already meets your needs from what I understand.

!! Major extra / might not be on your focus !!:

You can do more to modify and retain your modification for the CrowdSec plug-in btw...

From using an external LAPI, to not using the Blocker Agent (keeping only the Parser Agent active on the OPNSense)

Then, making your own Alias and Firewall rules to use the CrowdSec list where and how you want

I have not published my how-to on how to do this, as it isn't really as good as I'd like it to be (it works, but on a 10-second scale of update, and updates/refreshes to the Alias active content have taken 7 seconds in the past), so once I learn how to update the data in the PF alias list on the back end of OPNsense... I'll post a blog entry on doing more with the CrowdSec feature. Likely I just need to look more into doing a manual install of CrowdSec's FreeBSD blocker on an OPNsense.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA