pfsense:suricata:wan_or_lan
PFSense - Suricata - WAN or LAN
Are there benefits or concerns to running it one way over the other that I should be looking at as a home user?
LAN is where you want it with NAT.
Otherwise, all the IP addresses you see in alerts will either be your WAN IP or some far-end Internet host.
You would never see any LAN IP addresses if you run it only on the WAN interface.
Without the LAN addresses, identifying an infected host on your LAN becomes quite hard.
This is because Snort / Suricata on the WAN only sees the traffic after NAT rules have been applied.
pfsense/suricata/wan_or_lan.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1