Transparent VLAN removal & addition
-
I have been told from "on high" that we have to place a specific IDS in our network, and unfortunately it does not understand VLANs; it will drop any packet with a VLAN tag on it. I am hoping I can put a pfSense machine before and after it to remove & re-add the needed VLANs. Topology is as follows:
Main Switch
|
| trunk with vlan tagging
|
pfsense
|
| just a stream of packets, no vlans
|
Dumb IDS
|
| stream of packets
|
pfsense
|
| trunk again with vlan tags
|
Server Switch

The IDS is not fully transparent: it either does ARP MitM of all traffic for systems on each side to get them to pass through, or it requires users to actually connect to its IP, then passes the connection on from itself to the target server. If I use the first mode, I would also need pfSense to correctly tag those based on the IP address in the ARP requests & replies.
Is this setup workable, and if so, what options will I have to do it?
-
I don't know why you'd want to use pfSense to do this...
I'm fairly confident 2x layer 2 switches would be able to do what you ask... seems overkill to use 2x pfSense.
Also depending on the number of VLANs you have... but if you want to use pfSense for this you need an equal amount of physical interfaces + 1 on each pfSense.
-
That's not possible, you can't add tags back based on IPs, and you really don't want to deploy an IDS like that anyway, that's a huge mess.
-
@cmb I agree with your conclusion that this should not be done in that way,
but look at this: http://www.zyxel.com/support/knowledge_base/kb_detail_8603.shtml
There seems to be a way to tag VLANs by IP.
-
@cmb:
> you really don't want to deploy an IDS like that anyway, that's a huge mess.
I COMPLETELY agree. Sadly I have zero say in the matter, and I cannot even choose where in the network it goes. I strongly suspect some external consultant was involved without my knowledge, and I am just stuck with it until management decides they don't like it.
So, I am stuck placing this thing in the core, and I really hope it gets scrapped shortly after deployment, as I highly doubt it will have "no noticeable impact" on network performance when saturating multiple 10Gig links is common.
> look at this: http://www.zyxel.com/support/knowledge_base/kb_detail_8603.shtml
That might solve it; I will take a look at these. The only reason pfSense came to mind was that I've had nothing but good experiences with it, and it has a rather impressive set of features, which I knew included some VLAN support.
-
> but look at this: http://www.zyxel.com/support/knowledge_base/kb_detail_8603.shtml
> there seems to be a way to tag vlan's by ip
Just because you can do something on a Zyxel switch doesn't mean you can do it on BSD or any other general-purpose OS. Sure, it's feasible to tag specific IPs to certain VLANs in theory; in practice, to do so on FreeBSD means you're in for some kernel hacking.
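As an added example (not code from this thread, from pfSense or from the Zyxel article), the following Python walks through the 802.1Q tag handling the original poster describes and shows concretely why cmb's objection holds: once the 4-byte tag is stripped, two frames from the same host address on different VLANs are byte-identical, so a re-tagging rule keyed on the IP address has nothing left to distinguish them, and ARP frames carry no IPv4 header for such a rule to read at all. The frames, MAC addresses and the IP-to-VLAN table are constructed for the demonstration; `retag_by_ip` is a hypothetical stand-in for the "tag by IP" idea, not a pfSense feature.

```python
"""Added example: strip and re-add 802.1Q VLAN tags, and show why
re-tagging from the IP address alone is lossy. All frames are constructed."""
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed locally administered MAC addresses for the demo frames
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")


def parse_vlan(frame: bytes) -> Optional[int]:
    """Return the 12-bit VLAN ID of a tagged frame, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]   # PCP(3) DEI(1) VID(12)
    return tci & 0x0FFF


def strip_vlan(frame: bytes) -> bytes:
    """Remove the 4-byte tag (TPID + TCI) that sits after the two MACs."""
    if parse_vlan(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def add_vlan(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag with the given VLAN ID into an untagged frame."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def source_ipv4(frame: bytes) -> Optional[str]:
    """Source IPv4 address of an untagged IPv4 frame; None for ARP etc."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return ".".join(str(b) for b in frame[26:30])  # IP header at 14, src at +12


def retag_by_ip(frame: bytes, ip_to_vlan: Dict[str, int]) -> Optional[bytes]:
    """Hypothetical 'tag by IP' rule: pick the VLAN from the source IP.
    Returns None when the frame gives the rule nothing to decide on."""
    ip = source_ipv4(frame)
    if ip is None or ip not in ip_to_vlan:
        return None
    return add_vlan(frame, ip_to_vlan[ip])


def build_ipv4_frame(src_mac: bytes, dst_mac: bytes, src_ip: str,
                     dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal untagged Ethernet + IPv4 frame (checksum left zero; demo only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 17, 0, bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def demo() -> dict:
    # Constructed scenario: the same host address is in use on VLAN 10 and VLAN 20
    base = build_ipv4_frame(SRC_MAC, DST_MAC, "10.0.0.5", "10.0.0.9", b"hello")
    in_vlan10, in_vlan20 = add_vlan(base, 10), add_vlan(base, 20)
    stripped10, stripped20 = strip_vlan(in_vlan10), strip_vlan(in_vlan20)
    # Constructed ARP request: no IPv4 header at the offset the rule reads
    arp = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    mapping = {"10.0.0.5": 10}  # constructed IP-to-VLAN table
    retagged20 = retag_by_ip(stripped20, mapping)
    return {
        "vlan_ids": (parse_vlan(in_vlan10), parse_vlan(in_vlan20)),
        "stripped_identical": stripped10 == stripped20,
        # the VLAN 20 frame comes back tagged 10: the table cannot know better
        "retag_vlan20_frame": parse_vlan(retagged20) if retagged20 else None,
        "arp_retag": retag_by_ip(strip_vlan(add_vlan(arp, 10)), mapping),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `stripped_identical` result is the core of the problem: after the tag is removed, the two frames carry no trace of which trunk VLAN they arrived on, so the second pfSense (or any device) would be guessing from a table rather than restoring state. A real inline deployment keeps the tag-to-VLAN association in the forwarding device itself, which is why the replies point at layer 2 switching or at not deploying the IDS this way at all.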