Suricata, Zenarmor, interfaces and vpn

Started by Monju0525, February 17, 2024, 02:26:12 AM

I am currently using a vpn via Wireguard. It works great.
Zenarmor is assigned to the lan. What should Suricata (IDS) be assigned to: the wan or the wireguard_interface?
Under the IDS advanced mode, do I need to modify home networks? The help says "Networks to interpret as local", what does that mean?

I know it's an old topic..

But I believe you should select your LAN interface only in Suricata. If not, correct me below via a reply comment.
Hardware: DEC3852
Version: OPNsense v25.7.5

Quote from: Monju0525 on February 17, 2024, 02:26:12 AM
"Zenarmor is assigned to the lan. What should Suricata (IDS) be assigned to: the wan or the wireguard_interface?"
Zenarmor says: "When you use IPS & Zenarmor together, you can only use the WAN interface for Suricata."

Whether running Suricata on your WAN interface is a good idea depends on your situation and your hardware resources.

Someone on Reddit had the following experience with Suricata on WAN:
"We found that the cheapest of cheap rented DDoS attacks could overwhelm our machine because now not only were we using CPU cycles to block them with the firewall, but we were also inspecting every packet with Suricata as well. We would see CPU spikes to 99% and traffic ground to a halt. We went to LAN only, and now we only see the blips from these $20 DDoS attacks."
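The "Networks to interpret as local" field in the OPNsense IDS settings is Suricata's HOME_NET variable, and EXTERNAL_NET defaults to everything that is not HOME_NET; the following added example (not from this thread, OPNsense or Suricata) models that address-group logic to show why a WireGuard tunnel subnet usually belongs in HOME_NET when tunnel traffic is inspected. The subnets and addresses are constructed for illustration.

```python
import ipaddress

# Constructed subnets for the example (assumptions, not from the thread).
LAN = "192.168.1.0/24"        # the LAN Suricata/Zenarmor watch
WG_TUNNEL = "10.10.10.0/24"   # address range handed to WireGuard peers


def make_groups(home_cidrs):
    """Mirror Suricata's vars.address-groups: HOME_NET is the configured
    list, EXTERNAL_NET is !$HOME_NET (the Suricata default)."""
    return {"HOME_NET": [ipaddress.ip_network(c) for c in home_cidrs]}


def in_group(ip, group, groups):
    """Evaluate one rule address field ($HOME_NET, $EXTERNAL_NET or any)."""
    addr = ipaddress.ip_address(ip)
    is_home = any(addr in net for net in groups["HOME_NET"])
    if group == "$HOME_NET":
        return is_home
    if group == "$EXTERNAL_NET":
        return not is_home
    return group == "any"


def rule_matches(rule, src, dst, groups):
    """rule is (src_field, dst_field), e.g. the header of
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any'. Ports and payload
    content are ignored; only the address direction is modelled here."""
    src_field, dst_field = rule
    return in_group(src, src_field, groups) and in_group(dst, dst_field, groups)


# Most "attack from outside" signatures use this direction.
INBOUND = ("$EXTERNAL_NET", "$HOME_NET")


def inbound_rule_fires(home_cidrs, src, dst):
    """True when an EXTERNAL_NET -> HOME_NET signature would consider
    this flow, given the configured home networks."""
    return rule_matches(INBOUND, src, dst, make_groups(home_cidrs))


if __name__ == "__main__":
    peer, lan_host, internet = "10.10.10.5", "192.168.1.10", "203.0.113.7"
    # LAN only: a VPN peer talking to the LAN looks like an outside attacker.
    print(inbound_rule_fires([LAN], peer, lan_host))             # True
    # LAN + tunnel: the peer is local, inbound signatures no longer treat it as external.
    print(inbound_rule_fires([LAN, WG_TUNNEL], peer, lan_host))  # False
    print(inbound_rule_fires([LAN, WG_TUNNEL], internet, lan_host))  # True
```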