Span port configuration question
-
I have an Alix 2d3 (3x nic) board running 2.0 and want to configure the third interface to just dump all the traffic going in/out of the WAN to an internal machine on my LAN running snort (the snort machine has 2 nics). I saw a way of setting up a span port when using a bridged interface but that is not very ideal for me. Is there a way to do this without having to use a bridged interface for my LAN/WAN?
-
From the ifconfig man page:
span interface
Add the interface named by interface as a span port on the
bridge. Span ports transmit a copy of every frame received by
the bridge. This is most useful for snooping a bridged network
passively on another host connected to one of the span ports of
the bridge.Not sure why that isn't ideal, it's exactly what you want.
There is a pf feature called dup-to (but we don't support it in the GUI) that will send duplicate copies of packets to a given host, but the only way to ensure you see all of the traffic would be to use a span port.
-
From the ifconfig man page:
span interface
Add the interface named by interface as a span port on the
bridge. Span ports transmit a copy of every frame received by
the bridge. This is most useful for snooping a bridged network
passively on another host connected to one of the span ports of
the bridge.Not sure why that isn't ideal, it's exactly what you want.
There is a pf feature called dup-to (but we don't support it in the GUI) that will send duplicate copies of packets to a given host, but the only way to ensure you see all of the traffic would be to use a span port.
Yes, that option is exactly what I want except I don't want to do bridged networking :(
-
Any particular reason? Or just a matter of preference?
-
Any particular reason? Or just a matter of preference?
Just preference really, I know it sounds silly but it's just how I wanted to do it. Even though it would work with bridged networking, it just isn't very ideal.
