SPAN port on bridge only transmits received traffic.
I'm trying to set up a SPAN on my pfSense to mirror all the traffic I have on the LAN side of my network to a Security Onion for analysis. On the physical interface I'm using I've created VLAN tags for all networks, and the same for the physical interface I'm using for the SPAN. Then I made pfSense interfaces for all those network VLANs and SPAN VLANs. Then I made a bridge for each VLAN with the network VLAN as a member and the SPAN VLAN as a SPAN member. Lastly I moved all my networking configs over to the new bridge interfaces and switched the system tunables to filter on the bridge interfaces. All the regular traffic seems to be working as expected; I can access the internet and network resources as before. The problem is that I'm not getting the volume of traffic I'm expecting on the SPAN port. It looks like the SPAN side is only transmitting traffic that is physically received on the network side; I'm getting none of the traffic that the pfSense is transmitting on the network side. My expectation of a SPAN port has always been that it transmits everything that the target port transmits and receives. Did I set up something wrong or is this just the way it is?
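A quick way to confirm which direction is actually arriving on the monitor side is to take a short `tcpdump -e -n` capture on the Security Onion sniffing interface and tally frames by whether the pfSense interface MAC is the source or the destination. The script below is an added example, not part of the original post or of pfSense; the capture lines and the gateway MAC (`GATEWAY_MAC`) are constructed for illustration, and the real MAC would come from `ifconfig` on the pfSense side.

```python
import re
from collections import Counter

# Matches the MAC pair at the start of a "tcpdump -e -n" line, e.g.
# "10:00:01.000001 00:11:22:33:44:01 > 00:50:56:aa:bb:cc, ethertype IPv4 ..."
_LINE_RE = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}),"
)

# Constructed sample (not a real capture): what a one-directional mirror
# looks like from the Security Onion side. Every frame is sourced by a LAN
# host; nothing is sourced by the gateway MAC, so replies never appear.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:11:22:33:44:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.10.50 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:00:02.000001 00:11:22:33:44:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.10.50.51000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
10:00:02.100001 00:11:22:33:44:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.1 tell 192.168.10.60, length 28
"""

# Assumed MAC of the pfSense bridge-side interface (placeholder value).
GATEWAY_MAC = "00:50:56:aa:bb:cc"


def classify_frames(capture_text, gateway_mac):
    """Count frames on the mirror port by their relation to the gateway MAC.

    Returns a dict with keys from_gateway, to_gateway, other, unparsed.
    """
    gw = gateway_mac.lower()
    counts = Counter(from_gateway=0, to_gateway=0, other=0, unparsed=0)
    for line in capture_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            if line.strip():
                counts["unparsed"] += 1
            continue
        src, dst = m["src"].lower(), m["dst"].lower()
        if src == gw:
            counts["from_gateway"] += 1
        elif dst == gw:
            counts["to_gateway"] += 1
        else:
            counts["other"] += 1  # broadcast/multicast or host-to-host traffic
    return dict(counts)


def diagnose(counts):
    """Summarise whether the mirror port carries one or both directions."""
    if counts["to_gateway"] and not counts["from_gateway"]:
        return "one-way: frames toward the gateway are mirrored, frames it transmits are not"
    if counts["from_gateway"] and counts["to_gateway"]:
        return "two-way: both directions are present on the mirror port"
    return "inconclusive: generate traffic through the gateway and capture again"


if __name__ == "__main__":
    summary = classify_frames(SAMPLE_CAPTURE, GATEWAY_MAC)
    print(summary)
    print(diagnose(summary))
```

Feed it a real capture taken with something like `tcpdump -e -n -i <monitor-if>` (interface name assumed) while a LAN host is actively talking to the internet; if `from_gateway` stays at zero while `to_gateway` climbs, the symptom described above is confirmed rather than being a traffic-volume artefact.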