Span port (mirror port)

  • After scanning these forums for a while, I couldn't find a good solution for making a span port with any of the solutions presented. I couldn't find any information on dup-to or bridging that made any sense (actually, I couldn't find any information on dup-to anywhere). I remembered that m0n0wall is similar to pfSense, so I went with a solution I found on there, and it worked. :-)

    My specs:
    2.0-RC3 (i386)
    eth0 - WAN
    eth1 - LAN
    eth2 - SPAN

    Note: you need a cross-over cable to get this to work (unless you have GigE, which is auto-sensing).
    All you have to do to get the span port working is run the following from the command line:
    #ifconfig bridge0 create
    #ifconfig eth2 up monitor
    #ifconfig bridge0 addm eth1 span eth2 up

    Read about it here if you like:
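    The same three ifconfig steps, wrapped in a small POSIX sh script (an added example, not sakebomb's or pfSense's code). It prints the command sequence first so it can be reviewed, refuses to span a port onto itself, and only runs the commands with --apply. The interface names em1 (the port to mirror) and em2 (the span port) are assumptions standing in for eth1/eth2 above; substitute the names ifconfig shows on your box.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): build and optionally run the ifconfig
    # sequence that mirrors one FreeBSD/pfSense interface onto a monitor-only port.
    # The defaults em1 (source) and em2 (span) are assumed names; change them.

    # Emit the command sequence for mirroring $1 onto $2 via bridge $3 (default bridge0).
    # Only prints, so the plan can be inspected before anything touches the NICs.
    span_cmds() {
        src="$1"; span="$2"; br="${3:-bridge0}"
        if [ -z "$src" ] || [ -z "$span" ]; then
            echo "usage: span_cmds <source-if> <span-if> [bridge]" >&2
            return 1
        fi
        if [ "$src" = "$span" ]; then
            echo "error: source and span interface must differ" >&2
            return 1
        fi
        # 1. create the bridge interface
        printf 'ifconfig %s create\n' "$br"
        # 2. monitor mode: the span port never transmits, and frames received on it
        #    are discarded after bpf(4) processing, so nothing can be sent back
        #    through the sniffer into the bridged network
        printf 'ifconfig %s up monitor\n' "$span"
        # 3. add the port to be mirrored as a member, declare the span port, bring
        #    the bridge up; a span port is not a member and needs no second member
        printf 'ifconfig %s addm %s span %s up\n' "$br" "$src" "$span"
    }

    # Execute the sequence (needs root on FreeBSD/pfSense), then show the bridge so
    # the "span" line can be confirmed in the ifconfig output.
    span_apply() {
        span_cmds "$@" | while IFS= read -r cmd; do
            echo "+ $cmd"
            $cmd || exit 1
        done || return 1
        ifconfig "${3:-bridge0}"
    }

    # Dry run by default; pass --apply <source-if> <span-if> [bridge] to configure.
    if [ "$1" = "--apply" ]; then
        shift
        span_apply "$@"
    else
        span_cmds "${1:-em1}" "${2:-em2}"
    fi
    ```

    Because the span port is in monitor mode it cannot be used for anything else (no management traffic, no replies); the sniffer attached to it only ever receives. The bridge is created from the shell and is not saved in the pfSense configuration, so it will not survive a reboot unless you add it through the web GUI or a boot-time hook.
    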

  • Rebel Alliance Developer Netgate

    On 2.0 you can do this with the advanced settings under Interfaces > (assign), on the Bridges tab.

  • Bumping an old thread. It seems that current bridge functionality in 2.0 requires (at least) 2 bridge members. This is not what one would want when mirroring one port, and it's not what sakebomb did via the CLI.

    Wonder why the limitation?

  • Is there a way of doing this using the web interface of 2.0.1?

    Can someone please explain sakebomb's solution in more detail?

    #ifconfig bridge0 create
    #ifconfig eth2 up monitor
    #ifconfig bridge0 addm eth1 span eth2 up

    I understand the first line creates a virtual interface, but I don't understand the "monitor" argument in the second line, and I am also not sure what "addm" means in line 3. Maybe "add monitor"?

  • Rebel Alliance Developer Netgate

    From the ifconfig man page:

        Put the interface in monitor mode.  No packets are transmitted,
        and received packets are discarded after bpf(4) processing.

    And addm adds a member to the bridge.

  • thank you jimp, I googled the wrong ifconfig manpage ;-)

    A question on creating the bridge from a newbie like me:
    I currently have a VLAN interface, let's call it vlanForMonitoring. There's always only one client connected to it, and this client shall be used for analyzing traffic from and to the WAN interface.
    Can I do something like the following?

    #ifconfig bridge0 create // create the bridge
    #ifconfig vlanForMonitoring up monitor // set vlan interface to monitoring
    #ifconfig bridge0 addm wanInterface span vlanForMonitoring up // bridge wan to the monitored interface

    How about firewall rules? Is the bridge enough to pass traffic from WAN to vlanForMonitoring, or do I still have to create firewall rules? What would they have to look like? Thanks for any hint :-)
