pfSense and Suricata to protect local services

Hi All,

I’m a long-time fan of the Lawrence Systems YouTube channel and I’m running pfSense (virtualized), FreeNAS, etc. with the help of these great videos.

Currently I’m changing the Suricata interfaces from “WAN only/catch all” to all individual networks (15). While this consumes a lot more memory, it also gives me more insight into the local IP addresses on an alert. All of this is based on the video: https://www.youtube.com/watch?v=S0-vsjhPDN0

Thing is, I’m also running local services (on pfSense) like OpenVPN and ACME auto certificate updates from Let's Encrypt using TLS-ALPN on port 443.

If I switch to monitoring (and blocking alerts) on all interfaces (except WAN) in Suricata, do I lose protection of these internal services? A.k.a. on which interfaces are these services ‘attached’?

Suricata watches whatever interface you tell it to, and any services attached to that interface are watched as well.

Hi Tom,

Thanks for your reply. Yes, I understand. But what I don’t understand is on what interface the local services (meaning the services running inside pfSense, like OpenVPN, ACME, etc.) are. I want to protect those as well. If I were to select WAN in Suricata, I assume everything is protected. But now I’m switching to the WAN side (all the individual VLAN interfaces) to reduce the noise and be able to see the actual internal IPs instead of the WAN IP. But I’m not sure if the local services are then still protected. Do you understand where I’m going?

If you turn off Suricata on WAN and you have a port for OpenVPN on WAN, Suricata will not be protecting it.

OK, thanks. That’s what I was already afraid of.
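As an added illustration of Tom's point (this is example code, not from the thread or from pfSense/Suricata): a service is covered only on the interfaces Suricata watches, so the check is to take each listening socket, work out which interfaces it is reachable on (a socket bound to one address is reachable on that interface; a wildcard `*` bind is reachable on every interface), and subtract the interfaces Suricata is enabled on. The `sockstat -4 -l` output and the interface addresses below are constructed sample data in the shape pfSense's FreeBSD base prints.

```python
# Constructed sample in the shape of FreeBSD `sockstat -4 -l` output (pfSense runs on
# FreeBSD). Process names, PIDs and addresses are made up for this example; "tls-alpn"
# stands in for whatever listener the ACME client opens on port 443.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    4711  6  udp4   203.0.113.10:1194     *:*
root     tls-alpn   2203  8  tcp4   *:443                 *:*
unbound  unbound    1900  4  udp4   192.168.10.1:53       *:*
"""

# Constructed mapping of pfSense interface name -> its IPv4 address.
IFACE_ADDRS = {"WAN": "203.0.113.10", "LAN": "192.168.1.1", "VLAN10": "192.168.10.1"}


def parse_sockstat(text):
    """Return (command, proto, local_ip, port) tuples from `sockstat -l` style output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        ip, port = cols[5].rsplit(":", 1)  # LOCAL ADDRESS column, e.g. "*:443"
        rows.append((cols[1], cols[4], ip, int(port)))
    return rows


def exposed_on(local_ip, iface_addrs):
    """Interfaces a listening socket is reachable on; a wildcard bind means all of them."""
    if local_ip == "*":
        return set(iface_addrs)
    return {name for name, addr in iface_addrs.items() if addr == local_ip}


def unmonitored_services(sockstat_text, iface_addrs, suricata_ifaces):
    """Map each pfSense-local service to the interfaces it listens on that Suricata does not watch."""
    gaps = {}
    for cmd, proto, ip, port in parse_sockstat(sockstat_text):
        missing = exposed_on(ip, iface_addrs) - set(suricata_ifaces)
        if missing:
            gaps[f"{cmd} {proto}/{port}"] = sorted(missing)
    return gaps


if __name__ == "__main__":
    # The thread's scenario: Suricata on every interface except WAN.
    for svc, ifaces in unmonitored_services(SOCKSTAT_SAMPLE, IFACE_ADDRS, ["LAN", "VLAN10"]).items():
        print(f"{svc} is unmonitored on: {', '.join(ifaces)}")
```

On a real box the input would come from `sockstat -4 -l` on the pfSense shell and the interface list from the Suricata package's Interfaces tab; any service that comes back with `WAN` listed is exactly the OpenVPN case Tom describes.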