Netgate Discussion Forum
    Mirror VPN Traffic to External Interface

    Category: General pfSense Questions
    6 Posts, 2 Posters, 649 Views
    ma0f97

      Hey guys hope you can help me here.

      I have pfSense on Proxmox with several interfaces connected to it. Now I want to monitor all these interfaces on another VM (SecurityOnion), which I can do easily with the Proxmox virtual interfaces / networks, but what is missing is the decrypted "VPN_WG" WireGuard interface, which is only visible from inside the pfSense VM.

      How can I mirror the traffic to an interface that is reachable from outside, so the traffic on it can be inspected?
      I researched and found that adding a bridge with a span port is the solution, but it doesn't work.

      Here is what I tried so far:

      1. Added a new network in Proxmox and attached it to the pfSense VM
      2. Assigned it as OPT5 in pfSense
      3. Enabled it
      4. Created a new bridge, with "VPN_WG" selected as the member interface and "OPT5" as a span port:

      (Screenshot 2023-08-26 at 03.14.37.png)

      5. Assigned the new BRIDGE01 as "OPT6":

      (Screenshot 2023-08-26 at 03.14.54.png)

      6. Enabled "OPT6" as well.

      Still, no packets are arriving on the OPT5 interface, even though VPN_WG is receiving packets.
      Do I maybe have to set a static IPv4 address on either OPT5 or OPT6? I tried giving OPT5 the IP range of the Proxmox network, but with no success either.

      If anyone can help me I would really appreciate it.

      Greetings
      Martin

        stephenw10 (Netgate Administrator)

        Hmm, that's exactly what I would have suggested. Not sure I've ever tried it with a WireGuard interface though.

        Try mirroring a different interface as a test. Make sure that works first.

        Steve

          ma0f97 @stephenw10

          @stephenw10 Hm, interesting: switching the member interface to "LAN" works. There are now packets coming to OPT5 outside the firewall.
          But why doesn't it work on the VPN interface?

            stephenw10 (Netgate Administrator)

            Good question. I'd guess it's because they are sufficiently different interface types that they cannot be bridged.

            https://man.freebsd.org/cgi/man.cgi?query=bridge#DESCRIPTION

            The if_bridge driver creates a logical link between two or more IEEE 802 networks that use the same (or "similar enough") framing format.
            
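The check that would have shortened this troubleshooting, as an added example that is not part of the thread: a small Python parser over FreeBSD `ifconfig` output (the sample below is constructed, not from the original post) that reports which interfaces carry Ethernet framing and are therefore eligible as if_bridge members or span ports. The eligibility test (an `ether` link-layer address plus the BROADCAST flag) and the `wg`/`WireGuard` group names are my assumptions, not documented pfSense behaviour.

```python
import re

# Constructed sample of FreeBSD `ifconfig` output on a pfSense host (not taken
# from the thread): one Ethernet-framed vtnet interface and one WireGuard tunnel.
SAMPLE_IFCONFIG = """\
vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 52:54:00:aa:bb:01
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
tun_wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        inet 10.10.0.1 netmask 0xffffff00
        groups: wg WireGuard
"""

# An interface header line looks like "name: flags=<hex><FLAG,FLAG,...> ...".
HEADER_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")

def parse_ifconfig(text):
    """Return {ifname: {"flags": set, "ether": bool, "groups": set}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")), "ether": False, "groups": set()}
            continue
        tok = line.split()
        if cur is None or not tok:
            continue
        if tok[0] == "ether":          # link-layer (MAC) address: Ethernet framing present
            ifaces[cur]["ether"] = True
        elif tok[0] == "groups:":      # assumed: pfSense puts WG tunnels in "wg"/"WireGuard"
            ifaces[cur]["groups"].update(tok[1:])
    return ifaces

def bridge_member_check(ifaces, name):
    """Heuristic: can `name` be an if_bridge member or span port? -> (ok, reason)."""
    info = ifaces.get(name)
    if info is None:
        return False, "no such interface"
    if not info["ether"]:
        why = "no Ethernet link-layer address, so no IEEE 802 framing to bridge"
        if info["groups"] & {"wg", "WireGuard"}:
            why += " (WireGuard tunnel carries bare IP packets)"
        return False, why
    if "BROADCAST" not in info["flags"]:
        return False, "not a broadcast medium"
    return True, "Ethernet-framed, eligible as bridge member or span port"
```

Run it against `ifconfig` output from the firewall shell before building the bridge; an interface that fails the check here is one the LAN test in this thread would also have ruled out.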
              ma0f97 @stephenw10

              @stephenw10 So there is nothing I can do? :/ It's just normal unencrypted (except TLS, of course) traffic that can be observed with Wireshark etc. What could be wrong with the framing format?

              Maybe it would help to move the question to the WireGuard section, if there are people there who may know more about this?

                stephenw10 (Netgate Administrator)

                Yeah you could certainly ask in the WG sub. Someone has probably tried that.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.