This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks.
* Benefit: There will be faster routing performance between local attached networks when Intrusion Detection is enabled in IPS mode.
* Potential Risk: **Internal traffic** between local attached networks **WON'T be inspected anymore**, so use this with care!
-------------
Prerequisites
-------------
.. note::

   * Some features described on this page were added in version 27.X. Always keep your system up to date.
   * Intrusion Detection should be **Enabled** and **IPS mode** selected.
   * There should only be **internal networks** selected in **Interfaces** (LAN, OPT1 etc.), not the WAN interfaces.
To start go to :menuselection:`Services --> Intrusion Detection --> Administration`.
|ids_menu|
------------
User defined
------------

Select the tab **User defined**.
|ids_tabs_user|
-----------------
Create new Rules
-----------------
Select |add| to add a new rule.
Create a rule for each of the RFC1918 Private IPv4 address ranges. If you use IPv6, create an additional rule for your IPv6 Prefix.

-----------------
Example Rules
-----------------

* Input the **Source IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Input the **Destination IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Select the **Action** as *Pass*
* Enable the **Bypass** checkbox
|ips_bypass_1|
* Repeat the above steps to create rules between each pair of the RFC1918 Private IPv4 subnets (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``). This will result in 9 rules.
* If you use IPv6, create additional rules between your IPv6 Prefixes. You can find them in :menuselection:`Interfaces --> Overview` under the IPv6 prefix of the selected WAN interface (e.g. ``2003:a:a:a::/56``).
|ips_bypass_2|
-------------------
Apply configuration
-------------------
First apply the configuration by pressing the **Apply** button at the bottom of