Netgate Discussion Forum
SPAN interface to other interface for IDS monitoring

    stephenreda
    last edited by Apr 13, 2015, 7:05 AM

    Hello.

    I would like to be able to create a span 'interface' in order to let an IDS (Security Onion) capture all the traffic over the LAN interface.

    Pfsense setup
    WAN (re0 assigned)
    LAN (re1 assigned)
    OPT1 (re2 assigned)

    When I used the bridge setup, I tried setting it up with interface LAN (which I want to sniff from) and OPT1 (on which I want to listen with the IDS).
    I can choose the option to add an interface as 'spanned'. This can however not be the interface that is already included in the bridge, and this bridge needs a minimum of two interfaces.

    I've tried a manual setup of the bridge using the real interfaces, but this doesn't seem to be picked up by pfsense:

    #ifconfig bridge0 create
    #ifconfig re2 up monitor
    #ifconfig bridge0 addm re1 span re2 up

    Could anyone help me on my way?

      doktornotor Banned
      last edited by Apr 13, 2015, 7:16 AM

      What help do you need? You are already told in the GUI to NOT span ports that are already part of the bridge. Use another port that is NOT part of the bridge.

        stephenreda
        last edited by Apr 13, 2015, 7:22 AM

        So I should simply create another (virtual) interface with no function other than to be able to create the bridge in the first place?

          doktornotor Banned
          last edited by Apr 13, 2015, 7:27 AM

          First of all you should not configure any such stuff via shell. It will make pooof and will be done after reboot at latest. If you do not have enough physical ports available, then yeah you'd have to use VLANs somehow, with a proper managed switch. (Note: never tested this.) All in all, when already having a proper switch, setting up port mirroring there would sound like a whole saner way to go.

            johnpoz LAYER 8 Global Moderator
            last edited by Apr 13, 2015, 12:08 PM

            Yeah why anyone would try and go this route is beyond me.. You don't have a switch that has managed ports but you want to run an IDS ;)  Pretty much any smart switch supports port spanning.

            Here, this $30 switch
            http://www.newegg.com/Product/Product.aspx?Item=N82E16833704203

            does port mirroring/spanning, so what kind of crappy switch do you have that does not even do port mirroring - get one problem solved the correct way ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              stephenw10 Netgate Administrator
              last edited by Apr 13, 2015, 11:47 PM

              Don't try using a VLAN interface to work around the limitation, bad things will happen. I tried it last week.  ;)
              What you can do though is remove the limitation in the GUI to have a minimum of two interfaces in a bridge. Then you can create a single interface bridge with LAN in it and add OPT1 as a span port. I have that exact setup running on my APU here as a test. Works great. I agree though that using a switch that can accomplish this is a better way to spend the money if you are doing that.
              Jim created a patch for 2.2.1 you can use with the patches package though it's only one line you need to change: http://files.atx.pfsense.org/jimp/patches/bridge-single.patch

              Edit: Just noticed you are running 2.1 (why) so you can't use the patch directly. You can edit the file yourself though I've not tried it on anything other than 2.2.1.

              Steve

                cmb
                last edited by Apr 13, 2015, 11:55 PM
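              The single-member bridge with a separate span port that the post above describes, and the manual ifconfig sequence from the first post, as an added shell example that is not from this thread or from pfSense itself. It assumes the original poster's interface names (re1 = LAN member, re2 = OPT1 span port); the ifconfig dump it checks is a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread): plan a one-member bridge with a
# separate span port for an IDS, then verify it from an `ifconfig bridge0` dump.

# Print the ifconfig commands for BRIDGE with one member MEMBER and span port
# SPAN. Dry run only: nothing is executed, so the plan can be reviewed first.
# Refuses the case the pfSense GUI rejects: a span port that is also a member.
plan_span_bridge() {
    bridge=$1; member=$2; span=$3
    if [ "$member" = "$span" ]; then
        echo "error: span port $span must not also be a bridge member" >&2
        return 1
    fi
    printf 'ifconfig %s create\n' "$bridge"
    printf 'ifconfig %s up\n' "$span"            # span port only needs to be up
    printf 'ifconfig %s addm %s span %s up\n' "$bridge" "$member" "$span"
}

# Read an `ifconfig bridgeN` dump on stdin; return 0 only if MEMBER is listed
# as a normal member (no SPAN flag) and SPAN is listed with the SPAN flag.
check_bridge_status() {
    member=$1; span=$2
    awk -v m="$member" -v s="$span" '
        /^[ \t]*member:/ {
            if ($2 == m && $3 !~ /SPAN/) okm = 1
            if ($2 == s && $3 ~ /SPAN/)  oks = 1
        }
        END { if (okm && oks) exit 0; exit 1 }'
}

# Constructed sample in the shape of FreeBSD ifconfig bridge output (not
# captured from a real box); flag values are illustrative only.
SAMPLE_STATUS='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: re2 flags=8<SPAN>
                ifmaxaddr 0 port 3 priority 128 path cost 20000'

# On the firewall the flow would be:   plan_span_bridge bridge0 re1 re2 | sh
# and afterwards:                       ifconfig bridge0 | check_bridge_status re1 re2
```

As the thread notes, anything done this way by hand does not survive a reboot; the check function is mainly useful for confirming what the GUI (with the single-interface patch) actually produced.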

                @stephenw10:

                Jim created a patch for 2.2.1 you can use with the patches package though it's only one line you need to change: http://files.atx.pfsense.org/jimp/patches/bridge-single.patch

                And that's been committed for 2.2.2 and newer so no patch is necessary.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.