I am playing around with Snort on a router behind an RV320 router. Funny thing is that it is getting port scanned from IPs from out on the WAN.
So the big question is, why are port scans getting through the RV320 firewall?
Everything is up to date...
There is no forwarding set up on this router. There are no ports open.
Tried one of those firewall testers and it said everything was ok. Makes no sense.
Have no idea how this traffic is getting in. Could it be leaking though someone on a VPN or an IOT device.
No real tweaks besides a couple of vlans.
Did more investigating with some other tools. I always noticed with snort that there would be a couple of scans and then nothing for a long while. What I just noticed with another tool is that when something new comes on the LAN there is a flood from the WAN right after that.
From what I can gather is that for some reason the firewall goes down, for a short while, when something connects to the LAN (VLAN to be exact).
@Scott Frank hello,
You can user a logs to know what address was sending a lot of packets to your wan interface on your firewall and try block it. To do same for the lan you can use a wireshark to mitigate what device do it.