Archives
/
opensense-docs
mirror of https://github.com/opnsense/docs
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dashboard
BGP_ASN_Alias_FR5913
rss
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0339c25ac1'
${ noResults }
opensense-docs/source/manual/how-tos/ips-bypass.rst

61 lines
2.3 KiB
ReStructuredText
Raw Blame History

==========================
IPS - Bypass local traffic from inspection
==========================
This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks.
* Benefit: There will be faster routing performance between local attached networks when Intrusion Detection is enabled in IPS mode.
* Potential Risk: **Internal traffic** between local attached networks **WON'T be inspected anymore**, so use this with care!
-------------
Prerequisites
-------------
* Some features described on this page were added in the latest version. Always keep your system up to date.
* Intrusion Detection should be **Enabled** and **IPS mode** selected.
* There should only be **internal networks** selected in **Interfaces** (LAN, OPT1 etc..), not the WAN interfaces.
To start go to :menuselection:`Services --> Intrusion Detection --> Administration`.
------------
User defined
------------
Select the tab **User defined**.
|ids_tabs_user|
-----------------
Create new Rules
-----------------
Select |add| to add a new rule.
* Input the **Source IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Input the **Destination IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
* Select the **Action** as *Pass*
* Enable the **Bypass** checkbox
|ips_bypass_1|
* Repeat the above step to create rules between each of the RFC1918 Private IPv4 subnets. (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``). This will result in 9 rules.
* If you use IPv6, create additional rules between your IPv6 Prefixes. You can find them in :menuselection:`Interfaces --> Overview` at IPv6 prefix of the selected WAN interface. (e.g ``2003:a:a:a::/56``)
|ips_bypass_2|
-------------------
Apply configuration
-------------------
First apply the configuration by pressing the **Apply** button at the bottom of
the form.
..
.. |ids_menu| image:: images/ids_menu.png
.. |ids_tabs_user| image:: images/ids_tabs_user.png
.. |add| image:: images/ids_tabs_user_add.png
.. |ips_bypass_1| image:: images/ips_bypass_rule_1.png
.. |ips_bypass_2| image:: images/ips_bypass_rule_2.png
.. |apply| image:: images/applybtn.png
Reference in New Issue View Git Blame Copy Permalink