Right now it complains of experimental support in libpcap using two interfaces in the same instance, but it runs. To enable intrusion prevention we need to migrate to ipfw or pf hooks, which takes care of that problem. If we have two instances, should they have completely separate configs?
Running on LAN will enable you to take the infected host offline quickly. Running on WAN you only see the traffic src and dest. IP, which is the public one. Then you have to dig deeper to find the culprit. Notice time here is of the essence. The faster you find it, the better for everybody.

I run 2 instances of Snort on every single firewall that I have (46 to be precise) for that exact reason. They run as frontend and then I have a L7-able backend to sort traffic further based on rulesets and buzzwords before it is passed on to the servers.
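The "dig deeper" step described above, as an added example that is not part of the thread: a WAN-side IDS alert only carries the firewall's public address after NAT, so the defender has to map the public 5-tuple back to the LAN host through pf's state table. The script below assumes state lines in the style of `pfctl -ss` on a pf-based firewall (public post-NAT address first, original LAN address in parentheses); that layout, the sample states and the sample alert are all constructed for this example.

```python
"""Correlate a WAN-side IDS alert with pf's NAT state table to find the LAN host.

Added example, not code from the thread. Assumes outbound NATed state lines in
the style of `pfctl -ss`, e.g.:

    em0 tcp 203.0.113.5:50000 (192.168.1.50:50000) -> 198.51.100.7:443  ESTABLISHED:ESTABLISHED

The exact layout is an assumption; adjust STATE_RE to the pf version in use.
"""
import re
from typing import Optional

# Constructed sample of pf state output (not captured from a real firewall).
SAMPLE_STATES = """\
em0 tcp 203.0.113.5:50000 (192.168.1.50:50000) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:53121 (192.168.1.77:53121) -> 198.51.100.53:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.5:50001 (192.168.1.50:50001) -> 198.51.100.7:443       FIN_WAIT_2:FIN_WAIT_2
em1 tcp 192.168.1.10:22 <- 192.168.1.50:41002       ESTABLISHED:ESTABLISHED
"""

# Constructed WAN-side alert as the IDS reports it: only the public source IP is visible.
SAMPLE_ALERT = {"proto": "tcp", "src": "203.0.113.5", "sport": 50000,
                "dst": "198.51.100.7", "dport": 443}

# Matches only outbound NATed states, which carry the pre-NAT address in parentheses.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<pub>[\d.]+):(?P<pubport>\d+)\s+"
    r"\((?P<lan>[\d.]+):(?P<lanport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_nat_states(text: str) -> list[dict]:
    """Return the outbound NATed states; LAN-side and non-NAT lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("pubport", "lanport", "dport"):
            d[k] = int(d[k])
        states.append(d)
    return states


def lan_host_for_alert(alert: dict, states: list[dict]) -> Optional[str]:
    """Match the alert's public 5-tuple against the NAT table; return the LAN IP or None."""
    for s in states:
        if (s["proto"] == alert["proto"] and s["pub"] == alert["src"]
                and s["pubport"] == alert["sport"] and s["dst"] == alert["dst"]
                and s["dport"] == alert["dport"]):
            return s["lan"]
    return None


def hosts_talking_to(dst: str, states: list[dict]) -> set[str]:
    """All LAN hosts that currently hold a state to a given remote address."""
    return {s["lan"] for s in states if s["dst"] == dst}


if __name__ == "__main__":
    st = parse_nat_states(SAMPLE_STATES)
    print("LAN host behind alert:", lan_host_for_alert(SAMPLE_ALERT, st))   # 192.168.1.50
    print("Hosts talking to 198.51.100.7:", hosts_talking_to("198.51.100.7", st))
```

Because pf drops a state once the flow closes, the lookup only works while the state is alive, which is why the poster stresses that time is of the essence; on a real box the table would be read with `pfctl -ss` at alert time rather than from a stored string.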
I actually tested it quite a lot in the case with SYN flooding, and the sweet spot for pfsense/opnsense is 4 cores on the same socket and 4 GB memory. It performs damn well on that exact combo, and don't ask me why. It's like when you move across sockets something fucks up pf and the whole route of packets, and the attached CPUs do a bad job spreading the load.