==== Suricata on Opnsense as Transparent Bridge (3 interfaces) ====
== Initial Setup ==
* Do a base install, assign the interfaces (WAN, LAN, OPT1), give WAN a DHCP or static IP with a gateway, leave LAN without an IP, set a static IP on OPT1, then run updates from the console.
* Disable the firewall by logging into shell and running
pfctl -d
Note: for some reason I had to keep turning it off to keep the connection open (release current as of 06/18/2021).
* Log into the WebUI on the OPT1 interface and skip the Wizard.
* Go to Firewall → OPT1 and create a rule to allow all in, then save and apply changes.
* Enable the firewall by logging into shell and running
pfctl -e
* Disconnect from OPT1 and reconnect to make sure your firewall rule stuck
* Delete any rules from the WAN/LAN interfaces, then add an allow-all rule on each.
== Bridge WAN/LAN ==
[[https://docs.opnsense.org/manual/how-tos/transparent_bridge.html|https://docs.opnsense.org/manual/how-tos/transparent_bridge.html]]
* Disable outbound NAT, go to Firewall → NAT → Outbound and select “Disable Outbound NAT rule generation”.
* Set net.link.bridge.pfil_bridge from default to 1 in System → Settings → Tunables, so that filtering happens on the bridge interface itself.
* Disable filtering on the member interfaces by changing net.link.bridge.pfil_member from default to 0 in System → Settings → Tunables.
* Create a bridge of LAN and WAN: go to Interfaces → Other Types → Bridge, click Add and select LAN and WAN as members.
* Go to Interfaces → Assign → Available network port, select the bridge from the list and hit +.
* Add an IP address to the interface that you would like to use to manage the bridge. Go to Interfaces → [OPT1], enable the interface and fill in the IP/netmask (use OPT2 if you have a 3rd NIC and have already used OPT1 for this).
* Go to Interfaces → [WAN] and unselect Block private networks and Block bogon networks.
* Disable the DHCP server on LAN: go to Services → DHCPv4 → [LAN] and unselect Enable.
* Go to Firewall → Rules and add a rule per interface to allow all traffic of any type.
* Go to Firewall → Settings → Advanced → enable "Disable administration anti-lockout rule"
* Remove the IP subnets in use for LAN and WAN by changing the interface type to none. Go to Interfaces → [LAN] and Interfaces → [WAN] to do so.
* If you have a dedicated NIC to manage the firewall and have added OPT2 to the bridge interface for Internet access/updates/etc., go to Firewall → OPT2 and create a rule that blocks OPT2 in to "This Firewall"; make sure this rule is at the top of the rule list.
* Or if you have a dedicated NIC to manage the firewall, disable OPT2 and add a gateway for OPT1 so that the firewall device can communicate with the Internet.
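A small POSIX sh checker, added here as an example and not part of the original how-to, that confirms the two bridge tunables and the WAN/LAN bridge membership configured in this section. The interface names em0/em1 and the sysctl/ifconfig sample output are constructed assumptions; on a real box you would feed it live output instead.

```shell
#!/bin/sh
# Added example (not from the original wiki page): verify the transparent-bridge
# tunables and bridge membership described above. On a real OPNsense box run:
#   check_bridge "$(sysctl net.link.bridge)" "$(ifconfig bridge0)" em0 em1
# Below it is exercised offline against constructed sample output.

# Expected values from the how-to: filter on the bridge, not on its members.
WANT_PFIL_BRIDGE=1
WANT_PFIL_MEMBER=0

# tunable_value SYSCTL_OUTPUT NAME -> prints the value of NAME (empty if absent)
tunable_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2 }'
}

# bridge_has_member IFCONFIG_OUTPUT IFNAME -> exit 0 if IFNAME is listed as a member
bridge_has_member() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*member: $2 "
}

# check_bridge SYSCTL_OUTPUT IFCONFIG_OUTPUT WAN_IF LAN_IF
# Prints each finding; returns 0 only when everything matches the how-to.
check_bridge() {
    sysctl_out=$1; ifcfg_out=$2; wan=$3; lan=$4; rc=0
    pb=$(tunable_value "$sysctl_out" net.link.bridge.pfil_bridge)
    pm=$(tunable_value "$sysctl_out" net.link.bridge.pfil_member)
    [ "$pb" = "$WANT_PFIL_BRIDGE" ] || { echo "FAIL pfil_bridge=$pb (want $WANT_PFIL_BRIDGE)"; rc=1; }
    [ "$pm" = "$WANT_PFIL_MEMBER" ] || { echo "FAIL pfil_member=$pm (want $WANT_PFIL_MEMBER)"; rc=1; }
    for m in "$wan" "$lan"; do
        bridge_has_member "$ifcfg_out" "$m" || { echo "FAIL $m is not a bridge member"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: filtering on the bridge only, members $wan and $lan present"
    return "$rc"
}

# Constructed sample output of a correctly configured system (assumed NIC names).
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_onlyip: 0'
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

check_bridge "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" em0 em1
```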
== IDS/IPS ==
* Enable the system by going to Services → Intrusion Detection → Administration → check Enabled (don't enable IPS yet, IDS yes but IPS no)
* Select the rule sets you want: go to the Download tab, check the rule sets you want and enable them, then check them again and download the rules.
* After the download is complete go to the Rules tab and enable/disable the included rules (note: not all rules are enabled by default and there are about 92000 rules as of 06-17-2021).
* Go to the Schedule tab and enable a schedule for downloading rule updates; every 6 to 24 hours should be fine.