Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Setting up a SPAN port for WAN mirroring

    HA/CARP/VIPs
    4
    5
    8.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CandSNetworking
      last edited by

      I have just done a fresh install of PFSense 2.1 on my ALIX2. unit and want to utilize the 3rd interface port to send a mirror of the data going in and out of our WAN port.  This data will be send to a traffic analyzer.

      I have enabled IF #3, called it TA (for Traffic Analysis), setup a bridge utilizing the LAN and WAN ports (the wizard insisted that 2 interfaces are to be selected), and I set SPAN up on the TA labeled interface #3.

      Is that the correct configuration?

      There is a lot of good info for those CLI junkies, but no "baby steps" screen shot directions…. and most people are recommending against this on the PFSense box, but we have less than 30 nodes in our network and firewall performance is probably going to be minimally effected.

      Did I do this right?  If not, does anyone have a coloring book example of how to make this happen?

      Thanks,

      Sky

      1 Reply Last reply Reply Quote 0
      • S
        ssheikh
        last edited by

        No. You do no want to bridge the LAN and WAN together.

        When you are talking about a layer 2 device, it does not make sense to have a device with just one user port and a span port. Which is why when you create a bridge interface in pfSense, you must have at least two interfaces assigned. So in your case your device will need at least 4 ports.

        The better solution would be to get a layer 2 device capable of creating a span port and attach your traffic analyzer to that span port.

        Or run the snort package on the firewall itself which I don't think you will have enough resources on the ALIX to run.

        Otherwise, there is no easy way to do what you are trying to do. By the time someone will be done explaining it in baby steps, the baby will be all grown up.

        1 Reply Last reply Reply Quote 0
        • C
          CandSNetworking
          last edited by

          That is what I suspected, but I wanted to ask the question… I have a hp 5 port managed switch with really slick mirroring capabilities.  I just wanted to keep my hardware hops to an absolute minimum.

          Thanks SSHeikh!

          1 Reply Last reply Reply Quote 0
          • T
            twaters
            last edited by

            So there is no way to off load all my traffic to something like Security Onion.  I have a Xeon based system with 2xWAN and 3xLAN connections. Would be nice to dump all that data off to SO with a 1:1 ratio with out using a Hardware TAP.

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              I would recommend the Mikrotik RB260GS switch. Can mirror multiple ports to one sensor port and supports vlans.

              http://wiki.mikrotik.com/wiki/SwOS

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.