Netgate Discussion Forum
    SPAN interface to other interface for IDS monitoring

      stephenreda

      Hello.

      I would like to be able to create a SPAN 'interface' in order to let an IDS (onion security) capture all the traffic over the LAN interface.

      pfSense setup:
      WAN (re0 assigned)
      LAN (re1 assigned)
      OPT1 (re2 assigned)

      When I used the bridge setup, I tried setting it up with interface LAN (which I want to sniff from) and OPT1 (on which I want to listen with the IDS).
      I can choose the option to add an interface as 'spanned'. This can however not be an interface that is already included in the bridge, and this bridge needs a minimum of two interfaces.

      I've tried a manual setup of the bridge using the real interfaces, but this doesn't seem to be picked up by pfSense:

      # ifconfig bridge0 create                   (create the bridge device)
      # ifconfig re2 up monitor                   (bring re2 up in monitor mode: the firewall's own stack neither sends on nor accepts from this port)
      # ifconfig bridge0 addm re1 span re2 up     (re1 as the only member, re2 as the span port that receives copies of re1's frames, bridge up)

      Could anyone help me on my way?

        doktornotor

        What help do you need? You have already been told in the GUI NOT to span ports that are already part of the bridge. Use another port that is NOT part of the bridge.

          stephenreda

          So I should simply create another (virtual) interface with no function other than to be able to create the bridge in the first place?

            doktornotor

            First of all, you should not configure any such stuff via the shell. It will go poof and be gone after a reboot at the latest. If you do not have enough physical ports available, then yeah, you'd have to use VLANs somehow, with a proper managed switch. (Note: never tested this.) All in all, if you already have a proper switch, setting up port mirroring there sounds like a far saner way to go.

              johnpoz (LAYER 8 Global Moderator)

              Yeah, why anyone would try and go this route is beyond me... You don't have a switch that has managed ports, but you want to run an IDS ;)  Pretty much any smart switch supports port spanning.

              Here, this $30 switch
              http://www.newegg.com/Product/Product.aspx?Item=N82E16833704203

              does port mirroring/spanning, so what kind of crappy switch do you have that does not even do port mirroring? Get one, problem solved the correct way ;)


                stephenw10 (Netgate Administrator)

                Don't try using a VLAN interface to work around the limitation, bad things will happen. I tried it last week.  ;)
                What you can do though is remove the limitation in the GUI of having a minimum of two interfaces in a bridge. Then you can create a single-interface bridge with LAN in it and add OPT1 as a span port. I have that exact setup running on my APU here as a test. Works great. I agree though that using a switch that can accomplish this is a better way to spend the money if you are doing that.
                Jim created a patch for 2.2.1 you can use with the patches package, though it's only one line you need to change: http://files.atx.pfsense.org/jimp/patches/bridge-single.patch

                Edit: Just noticed you are running 2.1 (why?), so you can't use the patch directly. You can edit the file yourself, though I've not tried it on anything other than 2.2.1.

                Steve

                  cmb
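                Added example (not code from this thread, from pfSense or from FreeBSD): a POSIX shell script for the layout stephenw10 describes and the original poster's ifconfig commands, with LAN (re1) as the only bridge member and OPT1 (re2) as the span port, using the interface names from the first post. It prints the ifconfig commands and then checks an `ifconfig bridge0` listing to confirm the IDS port ended up as a span port and not as a forwarding member, which would bridge the sensor host into the LAN at layer 2. The assumed listing format (each port on a "member: <if> flags=<n><...>" line, with SPAN among the flags for span ports) is FreeBSD's; the two listings in the script are constructed for the check, not captured from a firewall. As doktornotor notes above, a bridge built from the shell does not survive a pfSense reboot, so this is for testing on the console.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or FreeBSD.
# Builds: LAN (re1) as the only member of bridge0, OPT1 (re2) as its span port.
# Assumption: FreeBSD ifconfig prints bridge ports as "member: <if> flags=<n><...>"
# with SPAN among the flags for span ports. Listings below are constructed.
# A bridge set up this way is not persistent on pfSense (see the thread).

BRIDGE=${BRIDGE:-bridge0}
LAN_IF=${LAN_IF:-re1}    # port whose traffic the IDS should see
SPAN_IF=${SPAN_IF:-re2}  # port the IDS sensor is cabled to

# Print the ifconfig commands (on the firewall: span_commands | sh).
# monitor: the firewall's own stack neither sends on nor accepts from $SPAN_IF,
# so the port only carries the bridge's mirrored copies.
span_commands() {
    cat <<EOF
ifconfig $BRIDGE create
ifconfig $SPAN_IF up monitor
ifconfig $BRIDGE addm $LAN_IF span $SPAN_IF up
EOF
}

# Return 0 only if $LAN_IF is a plain (forwarding) member and $SPAN_IF is
# listed with the SPAN flag. A forwarding member in place of a span port
# would put the IDS host on the LAN segment instead of just handing it copies.
check_bridge_listing() {
    listing=$1
    lan_line=$(printf '%s\n' "$listing" | grep "^[[:space:]]*member: $LAN_IF " || true)
    ids_line=$(printf '%s\n' "$listing" | grep "^[[:space:]]*member: $SPAN_IF " || true)
    [ -n "$lan_line" ] || return 1
    [ -n "$ids_line" ] || return 1
    case $lan_line in *SPAN*) return 1 ;; esac
    case $ids_line in *SPAN*) return 0 ;; esac
    return 1
}

# Apply on the firewall and verify the result (not called automatically).
apply_and_check() {
    span_commands | sh &&
    check_bridge_listing "$(ifconfig "$BRIDGE")"
}

# Constructed listing, correct layout: re2 is a span port, re1 the only member.
GOOD_LISTING='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: re2 flags=8<SPAN>
        member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000'

# Constructed listing, wrong layout: re2 was added with "addm" instead of
# "span", so the sensor is now bridged into the LAN.
BAD_LISTING='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: re2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000
        member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000'

if check_bridge_listing "$GOOD_LISTING"; then echo "good listing: re2 is a span port"; fi
if ! check_bridge_listing "$BAD_LISTING"; then echo "bad listing: re2 is a member, not a span port"; fi
```

On the firewall, `apply_and_check` runs the three commands and then inspects the live listing; the check is the part worth keeping around, since the difference between `addm re2` and `span re2` is one word but the first quietly puts the sensor on the LAN.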

                  @stephenw10:

                  Jim created a patch for 2.2.1 you can use with the patches package, though it's only one line you need to change: http://files.atx.pfsense.org/jimp/patches/bridge-single.patch

                  And that's been committed for 2.2.2 and newer so no patch is necessary.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.