Netgate Discussion Forum

Setting up a SPAN port for WAN mirroring

HA/CARP/VIPs
5 Posts 4 Posters 8.2k Views
    CandSNetworking
    last edited by Sep 20, 2013, 4:07 PM

    I have just done a fresh install of PFSense 2.1 on my ALIX2 unit and want to utilize the 3rd interface port to send a mirror of the data going in and out of our WAN port.  This data will be sent to a traffic analyzer.

    I have enabled IF #3, called it TA (for Traffic Analysis), set up a bridge utilizing the LAN and WAN ports (the wizard insisted that 2 interfaces are to be selected), and I set SPAN up on the TA-labeled interface #3.

    Is that the correct configuration?

    There is a lot of good info for those CLI junkies, but no "baby steps" screenshot directions... and most people are recommending against this on the PFSense box, but we have less than 30 nodes in our network and firewall performance is probably going to be minimally affected.

    Did I do this right?  If not, does anyone have a coloring book example of how to make this happen?

    Thanks,

    Sky

      ssheikh
      last edited by Sep 23, 2013, 7:35 PM

      No. You do not want to bridge the LAN and WAN together.

      When you are talking about a layer 2 device, it does not make sense to have a device with just one user port and a span port. Which is why when you create a bridge interface in pfSense, you must have at least two interfaces assigned. So in your case your device will need at least 4 ports.

      The better solution would be to get a layer 2 device capable of creating a span port and attach your traffic analyzer to that span port.

      Or run the snort package on the firewall itself, though I don't think you will have enough resources on the ALIX to run it.

      Otherwise, there is no easy way to do what you are trying to do. By the time someone will be done explaining it in baby steps, the baby will be all grown up.

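To make the advice above concrete, here is an added example (not from the thread, and not pfSense's or FreeBSD's own code) that reads a pfSense config.xml backup, flags the layout the first post describes (WAN and LAN as members of the same bridge, the third port as span), and shows the FreeBSD ifconfig(8) if_bridge call that bridge definition amounts to. It assumes config.xml stores bridges as `<bridges><bridged>` entries with `<members>`, `<bridgeif>` and `<span>` children and interfaces under `<interfaces>` with an `<if>` child; both sample configurations are constructed for the example.

```python
"""Added example (not pfSense's own code): audit bridge definitions in a pfSense config.xml.

Element names (<bridges><bridged><members>, <bridgeif>, <span>, <interfaces>/<if>) follow
the example author's understanding of pfSense's config.xml layout; treat them as an
assumption and check against a real configuration backup before relying on the output.
"""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the layout described in the first post:
# WAN and LAN as bridge members, the third port (OPT1, "TA") as span port.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>vr0</if><descr>WAN</descr></wan>
    <lan><if>vr1</if><descr>LAN</descr></lan>
    <opt1><if>vr2</if><descr>TA</descr></opt1>
  </interfaces>
  <bridges>
    <bridged><members>wan,lan</members><bridgeif>bridge0</bridgeif><span>opt1</span></bridged>
  </bridges>
</pfsense>
"""

# Constructed sample of a bridge between two extra ports with a separate span port,
# leaving WAN and LAN routed as usual.
CLEAN_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if></wan><lan><if>em1</if></lan>
    <opt1><if>em2</if></opt1><opt2><if>em3</if></opt2><opt3><if>em4</if></opt3>
  </interfaces>
  <bridges>
    <bridged><members>opt1,opt2</members><bridgeif>bridge0</bridgeif><span>opt3</span></bridged>
  </bridges>
</pfsense>
"""


def parse_interfaces(root):
    """Map logical names (wan, lan, opt1, ...) to the physical NIC named in <if>."""
    ifaces = root.find("interfaces")
    if ifaces is None:
        return {}
    return {c.tag: (c.findtext("if") or "").strip() for c in ifaces}


def parse_bridges(root):
    """Return one dict per <bridged> entry: bridgeif, members (list), span (or None)."""
    out = []
    for b in root.iterfind("bridges/bridged"):
        members = [m.strip() for m in (b.findtext("members") or "").split(",") if m.strip()]
        out.append({"bridgeif": (b.findtext("bridgeif") or "").strip(),
                    "members": members,
                    "span": (b.findtext("span") or "").strip() or None})
    return out


def audit(config_xml):
    """Return findings (strings) for bridge definitions that are risky or incomplete."""
    root = ET.fromstring(config_xml)
    ifmap = parse_interfaces(root)
    findings = []
    for b in parse_bridges(root):
        name = b["bridgeif"] or "(unnamed bridge)"
        if {"wan", "lan"} <= set(b["members"]):
            findings.append(f"{name}: WAN and LAN are both members; this merges them "
                            "into one layer 2 segment instead of mirroring the WAN")
        if len(b["members"]) < 2:
            findings.append(f"{name}: fewer than two member interfaces")
        findings += [f"{name}: member {m} is not an assigned interface"
                     for m in b["members"] if m not in ifmap]
        span = b["span"]
        if span and span in b["members"]:
            findings.append(f"{name}: span port {span} is also a member; it must be outside the bridge")
        elif span and span not in ifmap:
            findings.append(f"{name}: span port {span} is not an assigned interface")
    return findings


def ifconfig_lines(config_xml):
    """Translate each bridge into the FreeBSD ifconfig(8) if_bridge call it amounts to:
    'addm' adds a member, 'span' adds a port that transmits a copy of every frame
    the bridge receives (the mirror the first post is after)."""
    root = ET.fromstring(config_xml)
    ifmap = parse_interfaces(root)
    lines = []
    for b in parse_bridges(root):
        parts = [f"ifconfig {b['bridgeif']}"] + [f"addm {ifmap.get(m, m)}" for m in b["members"]]
        if b["span"]:
            parts.append(f"span {ifmap.get(b['span'], b['span'])}")
        lines.append(" ".join(parts + ["up"]))
    return lines


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, CLEAN_CONFIG):
        print("\n".join(audit(cfg) or ["no findings"]))
        print("\n".join(ifconfig_lines(cfg)))
```

Run it against a configuration backup exported from the pfSense web GUI instead of the constructed samples to check a real box. The audit is deliberately narrow: it reports only the shape of the bridge definitions, not whether the firewall rules on the member interfaces are sound.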
        CandSNetworking
        last edited by Sep 24, 2013, 5:19 PM

        That is what I suspected, but I wanted to ask the question... I have an HP 5-port managed switch with really slick mirroring capabilities.  I just wanted to keep my hardware hops to an absolute minimum.

        Thanks SSHeikh!

          twaters
          last edited by Nov 22, 2013, 11:42 PM

          So there is no way to offload all my traffic to something like Security Onion.  I have a Xeon-based system with 2xWAN and 3xLAN connections. Would be nice to dump all that data off to SO with a 1:1 ratio without using a hardware TAP.

            BBcan177 Moderator
            last edited by Nov 23, 2013, 1:16 AM

            I would recommend the Mikrotik RB260GS switch. Can mirror multiple ports to one sensor port and supports vlans.

            http://wiki.mikrotik.com/wiki/SwOS

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.