Update ips-bypass.rst

pull/485/head
Monviech 9 months ago committed by GitHub
parent dc5d45ed0b
commit 0339c25ac1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,21 +1,21 @@
==========================
IPS Bypass local traffic
IPS - Bypass local traffic from inspection
==========================
This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external and internal networks.
This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks.
* Benefit: There will be faster routing performance between local attached networks when Intrusion Detection is enabled in IPS mode.
* Potential Risk: **Internal traffic** between local attached networks **WON'T be inspected anymore**, so use this with care!
-------------
Prerequisites
-------------
.. Note::
Some features described on this page were added in version 27.X.
Always keep your system up to date.
* Some features described on this page were added in the latest version. Always keep your system up to date.
* Intrusion Detection should be **Enabled** and **IPS mode** selected.
* There should only be **internal networks** selected in **Interfaces** (LAN, OPT1 etc..), not the WAN interfaces.
To start go to :menuselection:`Services --> Intrusion Detection`
|ids_menu|
To start go to :menuselection:`Services --> Intrusion Detection --> Administration`.
------------
User defined
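Review bot: the title overline and underline (26 `=` characters) are now shorter than the new title `IPS - Bypass local traffic from inspection` (42 characters), which docutils/Sphinx reports as "Title underline too short" and may not render as a proper section title; extend both lines to at least the title length. Second, replacing the `.. Note::` text "added in version 27.X" with the bullet "added in the latest version" makes the prerequisite unverifiable for a reader on an older release; name the release that introduced the **Bypass** option once it is known.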
@ -26,23 +26,35 @@ Select the tab **User defined**.
|ids_tabs_user|
-----------------
Create a new Rule
Create new Rules
-----------------
Select |add| to add a new rule.
Create a rule for each of the RFC1918 Private IPv4 address ranges. If you use IPv6, create an additional rule for your IPv6 Prefix.
Select |add| to add a new rule.
-----------------
Example Rules
-----------------
* Input the **Source IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Input the **Destination IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Select the **Action** as *Pass*
* Enable the **Bypass** checkbox
|ips_bypass_1|
.. image:: images/ips_bypass_rule_1.png
* Repeat the above step to create rules between each of the RFC1918 Private IPv4 subnets. (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``). This will result in 9 rules.
* If you use IPv6, create additional rules between your IPv6 Prefixes. You can find them in :menuselection:`Interfaces --> Overview` at IPv6 prefix of the selected WAN interface. (e.g ``2003:a:a:a::/56``)
|ips_bypass_2|
-------------------
Apply configuration
-------------------
First apply the configuration by pressing the **Apply** button at the bottom of
the form.
.. image:: images/applybtn.png
..
.. |ids_menu| image:: images/ids_menu.png
.. |ids_tabs_user| image:: images/ids_tabs_user.png
.. |add| image:: images/ids_tabs_user_add.png
.. |ips_bypass_1| image:: images/ips_bypass_rule_1.png
.. |ips_bypass_2| image:: images/ips_bypass_rule_2.png
.. |apply| image:: images/applybtn.png
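Review bot: the rules described in this hunk match only on source and destination address ranges (Action *Pass* plus **Bypass** for each RFC1918 pair, 9 rules in total), not on the interface a packet arrived on, so any flow whose addresses fall inside ``192.168.0.0/16``, ``172.16.0.0/12`` or ``10.0.0.0/8`` is exempted from inspection even when it enters from the WAN side of a double-NAT upstream that also uses private addressing; the "Potential Risk" bullet in the prerequisites should spell this out and advise narrowing the ranges to the actual local subnets where possible. Two documentation nits: the IPv6 sentence "You can find them in :menuselection:`Interfaces --> Overview` at IPv6 prefix of the selected WAN interface. (e.g ``2003:a:a:a::/56``)" reads awkwardly and drops the period after "e.g"; and the first screenshot is now inserted with a direct ``.. image:: images/ips_bypass_rule_1.png`` while the ``.. |ips_bypass_1| image::`` substitution for the same file is kept at the bottom, so either use the substitution consistently (as ``|ips_bypass_2|`` still does) or drop the unused definition.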
