==========================================
IPS - Bypass local traffic from inspection
==========================================

This tutorial explains how to exempt traffic between locally attached networks from IPS inspection. After following it, only traffic crossing between external (WAN) networks and internal (LAN) networks is inspected.

* Benefit: Faster routing performance between locally attached networks when Intrusion Detection is enabled in IPS mode, because bypassed flows are no longer pushed through the inspection engine.

* Potential Risk: **Internal traffic** between locally attached networks **WON'T be inspected anymore**, so attacks moving between internal segments (lateral movement) are invisible to the IPS. Use this with care!

-------------
Prerequisites
-------------

* Some features described on this page were added in a recent version. Always keep your system up to date.

* Intrusion Detection should be **Enabled** and **IPS mode** selected.

* Only **internal networks** should be selected in **Interfaces** (LAN, OPT1 etc.), not the WAN interfaces.

To start, go to :menuselection:`Services --> Intrusion Detection --> Administration`.

------------
User defined
------------

Select the tab **User defined**.

|ids_tabs_user|

-----------------
Create new Rules
-----------------

Select |add| to add a new rule.

* Input the **Source IP** as an IP address with a CIDR suffix (IPv4) or prefix length (IPv6), e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``

* Input the **Destination IP** in the same form, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``

* Select the **Action** as *Pass*

* Enable the **Bypass** checkbox

|ips_bypass_1|

* Repeat the above step to create a rule for every ordered source/destination pair of the RFC 1918 private IPv4 subnets (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``), including each subnet to itself. This results in 3 x 3 = 9 rules.

* If you use IPv6, create additional rules between your IPv6 prefixes. You can find them in :menuselection:`Interfaces --> Overview` under the IPv6 prefix of the selected WAN interface (e.g. ``2003:a:a:a::/56``). Pair IPv4 subnets only with IPv4 subnets and IPv6 prefixes only with IPv6 prefixes; a mixed-family rule can never match.

|ips_bypass_2|

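The nine IPv4 rules (plus any IPv6 pairs) are tedious to enter by hand and easy to leave incomplete. The following Python script is an added example, not part of the OPNsense documentation or project code: it generates the equivalent rules in Suricata's own rule syntax, one per ordered source/destination pair within each address family, and reports which pairs a given rule list does not cover. The ``pass`` action and ``bypass`` keyword are Suricata's; the SID range, the ``msg`` text and the helper names are assumptions, and OPNsense's own user-defined rule template may format its rules differently.

```python
"""Generate and sanity-check Suricata-style bypass rules for local-to-local traffic.

Added example, not code from the OPNsense project: it mirrors the GUI steps
above by emitting one pass+bypass rule per ordered (source, destination) pair,
which for the three RFC 1918 subnets gives the 3 x 3 = 9 rules the tutorial
asks for, and it reports pairs a rule set does not cover. Rule syntax follows
Suricata's documented ``pass`` action and ``bypass`` keyword; the SID range and
msg text are assumptions, not values OPNsense itself generates.
"""
import ipaddress
from itertools import product

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SID_BASE = 2000000  # assumed local SID range; pick one unused by your rulesets


def same_family_pairs(prefixes):
    """Ordered (src, dst) pairs, IPv4 with IPv4 and IPv6 with IPv6 only.

    A rule pairing an IPv4 source with an IPv6 destination can never match,
    so mixed pairs are deliberately not produced.
    """
    by_version = {}
    for p in prefixes:
        # strict=False accepts prefixes with host bits set, as in the doc's
        # example 2003:a:a:a::/56; the string itself is kept as written.
        net = ipaddress.ip_network(p, strict=False)
        by_version.setdefault(net.version, []).append(p)
    pairs = []
    for nets in by_version.values():
        pairs.extend(product(nets, repeat=2))
    return pairs


def bypass_rule(src, dst, sid):
    """One pass rule carrying the bypass keyword: after the first matching
    packet Suricata stops inspecting the rest of that flow."""
    for p in (src, dst):
        ipaddress.ip_network(p, strict=False)  # raises ValueError on bad input
    return (f"pass ip {src} any -> {dst} any "
            f'(msg:"bypass local {src} to {dst}"; bypass; sid:{sid}; rev:1;)')


def local_bypass_rules(prefixes, sid_base=SID_BASE):
    """All rules needed so that traffic between any two of the given local
    prefixes (including a prefix to itself) is bypassed."""
    return [bypass_rule(src, dst, sid_base + i)
            for i, (src, dst) in enumerate(same_family_pairs(prefixes))]


def missing_pairs(rules, prefixes):
    """Return the (src, dst) pairs that have no pass+bypass rule in `rules`,
    so a partially entered rule set is spotted before it is applied."""
    covered = set()
    for rule in rules:
        if not rule.startswith("pass ") or "bypass;" not in rule:
            continue
        head = rule.split("(", 1)[0].split()
        # head == ['pass', 'ip', src, 'any', '->', dst, 'any']
        covered.add((head[2], head[5]))
    return [pair for pair in same_family_pairs(prefixes) if pair not in covered]


if __name__ == "__main__":
    for line in local_bypass_rules(RFC1918 + ["2003:a:a:a::/56"]):
        print(line)
    # Coverage check: drop the last rule and see which pair is reported.
    partial = local_bypass_rules(RFC1918)[:-1]
    print("missing:", missing_pairs(partial, RFC1918))
```

Run it to list the rules and compare the count with what you entered in the GUI; with the three RFC 1918 subnets ``missing_pairs`` must come back empty before the configuration is applied. The same-to-same pairs are included on purpose, since traffic between two hosts inside the same ``/8`` still crosses the firewall when the networks are different interfaces of that range.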
-------------------
Apply configuration
-------------------

Apply the configuration by pressing the **Apply** button at the bottom of the form.

..

.. |ids_menu| image:: images/ids_menu.png
.. |ids_tabs_user| image:: images/ids_tabs_user.png
.. |add| image:: images/ids_tabs_user_add.png
.. |ips_bypass_1| image:: images/ips_bypass_rule_1.png
.. |ips_bypass_2| image:: images/ips_bypass_rule_2.png
.. |apply| image:: images/applybtn.png