robcowart/synesis_lite_suricata

Src/Dst Always WAN

Grunticus03 opened this issue · 2 comments

Inbound traffic always shows my WAN IP instead of the internal IP address the traffic is destined for. The same for outbound traffic always showing WAN IP as the source. Is this because Suricata is only set to monitor my WAN interface?

Most likely. You will have to think about what is actually happening on the wire at the point that Suricata is observing packets. Let's say that you have Suricata looking at packets on the Internet side of your router. This is after NAT has been applied to the outgoing packets, and NAT works by rewriting the IP header, changing the addresses and port numbers. So any traffic headed out of your router will look as if it came from your public IP, and any traffic inbound from the Internet will have a destination of your public IP. Suricata can behave in no other way, because that is all of the information it has available.

You will need to listen to traffic from within the private/internal side of your router to get the result that you are likely looking for.
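The NAT behaviour described in the reply above, as an added example that is not part of the original thread: a toy port-translating router in Python that records which addresses a sensor would see on the LAN side versus the WAN side. The class and function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Hypothetical source-NAT router with a simple port translation table."""
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip, self.next_port = wan_ip, first_port
        self.out_map, self.in_map = {}, {}

    def outbound(self, pkt):
        # LAN -> WAN: the source address and port are rewritten to the public side.
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.wan_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        # WAN -> LAN: the destination is restored only after the router's lookup.
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.wan_ip or key is None:
            return None  # no mapping, packet dropped
        return replace(pkt, dst_ip=key[0], dst_port=key[1])

def observe(router, lan_packets):
    """Return (lan_tap, wan_tap): packets as seen by a sensor on each side."""
    lan_tap, wan_tap = [], []
    for pkt in lan_packets:
        wan_pkt = router.outbound(pkt)
        reply = Packet(wan_pkt.dst_ip, wan_pkt.dst_port, wan_pkt.src_ip, wan_pkt.src_port)
        lan_tap += [pkt, router.inbound(reply)]
        wan_tap += [wan_pkt, reply]
    return lan_tap, wan_tap

def internal_hosts(tap):
    """Internal (RFC 1918) addresses that appear anywhere in a sensor's view."""
    ips = {ip for p in tap for ip in (p.src_ip, p.dst_ip)}
    return sorted(ip for ip in ips if any(ip_address(ip) in n for n in RFC1918))

# Constructed sample: two hosts on different LAN subnets reach the same server.
SAMPLE = [Packet("192.168.1.10", 51000, "198.51.100.7", 443),
          Packet("10.0.20.5", 52000, "198.51.100.7", 443)]
```

Calling `observe(NatRouter("203.0.113.5"), SAMPLE)` and passing each tap to `internal_hosts` shows that only the LAN-side view contains the two internal hosts.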

That makes sense. Unfortunately, I have multiple LAN networks that would make monitoring on the internal side less than optimal given the hardware I am on; would have to configure multiple instances of Suricata. Thanks for the info.