Hi Guys,
I am planning on installing a separate RPi on my home network with Snort installed on it to have a network wide overview of network traffic and block some if required.
My query is can we setup Phihole(already installed)+Unbound(already installed)+Snort on single RPi or should i just with separate RPi for snort.
The flow of the network would be as follows
Host --> Pihole --> Snort (to view all traffic) --> Gateway
Thank you.
Your perception of above flow is wrong:
Pi-hole does only receive and answer DNS protocol traffic, which typically involves only small amounts of data and thus is but a tiny fraction of your network's total traffic.
For that reason (and because pihole-FTL has been streamlined and optimised for speed in a low resource environment), a low power, low perf machine like an RPi Zero can easily handle DNS traffic, even in large home networks.
Snort, on the other hand, is a network intrusion detection system that has to inspect all of your network traffic. I would set it up on a separate machine that's up to that task. Depending on your network size and usage, that machine's network connection may quickly become a bottleneck, so most RPi models may not be suited for the job (only the latest RPi 4 has true GBit ethernet).
Ohh i see the mistake i made.
I meant to depict following flow (just for this purpose I am using 2 diff flow)
Host --> Pihole (DNS req & response) --> Host --> Snort --> Router --> Internet
And i guess as you said I will move ahead with diff RPi altogether and yes I am planning to get the RPi4B+ 8gb variant. WIll be doing the pilot run using my friends RPi (same version as i plan) and then will go ahead with purchase and final setup.