Home networks in IDS/IPS

Started by hushcoden, September 20, 2020, 01:53:27 PM

September 20, 2020, 01:53:27 PM Last Edit: September 20, 2020, 02:22:26 PM by hushcoden
If I'm running the IDS on the WAN interface only, in the 'Home networks' section should I enter:

1) WAN address only

2) LAN networks only

3) WAN address + LAN networks

Tia.

Run it on the LAN address and in the "Home Networks" add the WAN address.
Regards


Bill

Quote from: phoenix on September 20, 2020, 03:23:00 PM
Run it on the LAN address and in the "Home Networks" add the WAN address.
I can't run it on LAN as I'm using Sensei on LAN...

Can anyone give a definite answer, please?

Thanks.


If Sensei runs on LAN.
then WAN only for IDS/IPS.


English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

Quote from: ArminF on September 26, 2020, 06:55:19 PM
If Sensei runs on LAN.
then WAN only for IDS/IPS.
So, are you saying that Suricata doesn't need to know your LAN IP addresses if it runs on WAN only?

Referring to the picture attached and link https://docs.opnsense.org/manual/ips.html

Interface Selection
Suricata will listen on the interfaces you select. WAN and or DMZ.

Home networks
Define custom home networks, when different than an RFC1918 network. In some cases, people tend to enable IDPS on a wan interface behind NAT (Network Address Translation), in which case Suricata would only see translated addresses instead of internal ones. Using this option, you can define which addresses Suricata should consider local.

Here you actually do not need to enter anything, unless you are outside of any 192.168 / 172.16 or 10.x.x.x network. I usually tend to enter it, just to make sure Suricata can map the traffic from home to WAN. As most home setups are in NAT mode, I would enter the local networks.

Hope this explains better.
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!
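An added illustration of the point the thread turns on (this is example code written for this page, not from any of the posters, OPNsense or Suricata): a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET any` only fires when the packet's destination is inside HOME_NET, and on a WAN interface behind NAT the only "home" address Suricata ever sees is the router's translated WAN address. The script models the address part of that header with Python's `ipaddress` module and compares a sensor on LAN against one on WAN, with and without the WAN address listed under "Home networks". It assumes EXTERNAL_NET is `!$HOME_NET` (Suricata's shipped default) and that HOME_NET is the RFC1918 ranges plus whatever is entered in "Home networks"; the WAN address, LAN subnet and remote server are constructed documentation-range addresses, not real hosts.

```python
import ipaddress

# Constructed addresses for the illustration (TEST-NET / RFC1918 ranges,
# not real hosts): the router's WAN address, a LAN client and a remote server.
WAN_ADDR = "203.0.113.10"
LAN_CLIENT = "192.168.1.50"
REMOTE = "198.51.100.7"

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def build_home_net(*extra):
    """Assumed model of HOME_NET: the RFC1918 ranges plus whatever is added
    under 'Home networks' (single addresses or prefixes)."""
    return [ipaddress.ip_network(n, strict=False) for n in (*RFC1918, *extra)]


def in_home_net(addr, home_net):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def rule_header_matches(rule_src, rule_dst, pkt_src, pkt_dst, home_net):
    """Evaluate the address part of a rule header, e.g.
    '$EXTERNAL_NET any -> $HOME_NET any', against one packet.
    EXTERNAL_NET is taken to be !$HOME_NET, Suricata's shipped default."""
    def var_matches(var, addr):
        home = in_home_net(addr, home_net)
        if var == "$HOME_NET":
            return home
        if var == "$EXTERNAL_NET":
            return not home
        if var == "any":
            return True
        raise ValueError(f"unknown address variable {var}")
    return var_matches(rule_src, pkt_src) and var_matches(rule_dst, pkt_dst)


def packet_as_seen_on(interface, direction):
    """What the sensor sees for one LAN client <-> remote server flow.
    On LAN it sees the client's private address; on WAN (behind NAT) the
    client has already been translated to the router's WAN address."""
    local = LAN_CLIENT if interface == "LAN" else WAN_ADDR
    return (local, REMOTE) if direction == "outbound" else (REMOTE, local)


def rule_fires(rule_src, rule_dst, home_net, interface, direction):
    src, dst = packet_as_seen_on(interface, direction)
    return rule_header_matches(rule_src, rule_dst, src, dst, home_net)


def inbound_rule_fires(home_net, interface):
    """'$EXTERNAL_NET any -> $HOME_NET any' on the server's reply."""
    return rule_fires("$EXTERNAL_NET", "$HOME_NET", home_net, interface, "inbound")


def outbound_rule_fires(home_net, interface):
    """'$HOME_NET any -> $EXTERNAL_NET any' on the client's request
    (the shape of most C2 / data-exfiltration rules)."""
    return rule_fires("$HOME_NET", "$EXTERNAL_NET", home_net, interface, "outbound")


if __name__ == "__main__":
    rfc1918_only = build_home_net()
    with_wan = build_home_net(WAN_ADDR)
    for label, home_net, iface in (
        ("LAN sensor, RFC1918 only", rfc1918_only, "LAN"),
        ("WAN sensor, RFC1918 only", rfc1918_only, "WAN"),
        ("WAN sensor, +WAN address ", with_wan, "WAN"),
    ):
        print(f"{label}: inbound={inbound_rule_fires(home_net, iface)} "
              f"outbound={outbound_rule_fires(home_net, iface)}")
```

With HOME_NET limited to RFC1918, the WAN sensor sees both halves of the flow as external-to-external, so neither the inbound nor the outbound rule header matches; adding the WAN address to "Home networks" restores both. Listing the LAN networks as well costs nothing on a WAN-only sensor, since the private addresses never appear there after NAT, but it keeps the same HOME_NET correct if the sensor is later moved to LAN.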