OpenVPN Bridge (and SPAN) - No traffic

  • Like the title says, I'm trying to span all VPN traffic to an interface (a VLAN on the LAN NIC to be specific). I'm using my new SG-2220.

    I added the VPN to an interface (ovpns1 -> "VPN"), then created the VLAN (VLAN 8 on igb1 -> "VPNSPAN").

    I then went under Bridges and added "VPN_Span_Bridge" with "VPN" as the only member interface, and "VPNSPAN" as the Span Port. Here are the shortened (a-bridged ;) ) results:

    igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
            ether 00:08:a2:09:7f:9d
            inet6 fe80::208:a2ff:fe09:7f9d%igb1 prefixlen 64 scopeid 0x2
            inet netmask 0xffffff00 broadcast
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::208:a2ff:fe09:7f9c%ovpns1 prefixlen 64 scopeid 0x9
            inet --> netmask 0xffffffff
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            Opened by PID 37478
    igb1_vlan8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=3<RXCSUM,TXCSUM>
            ether 00:08:a2:09:7f:9d
            inet6 fe80::208:a2ff:fe09:7f9d%igb1_vlan8 prefixlen 64 scopeid 0xa
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 8 vlanpcp: 0 parent interface: igb1
    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 02:9f:ac:9d:08:00
            nd6 options=1<PERFORMNUD>
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: igb1_vlan8 flags=8<SPAN>
                    ifmaxaddr 0 port 10 priority 0 path cost 0

    Now, I run the following on the pfSense appliance:

    tcpdump -nAi ovpns1 host

    I connect to VPN with my phone and browse imgur and I see the traffic going by.

    Now, I run this line:

    tcpdump -nAi bridge0 host

    And I don't see anything. Same for:

    tcpdump -nAi igb1_vlan8 host

    Does anyone know why this isn't working? Does this have anything to do with OpenVPN being in UDP or TUN mode? (I don't think Android works in TAP mode, so hopefully TUN is fine…)

  • So it turns out this is because my OpenVPN server is in TUN mode. However, changing to TAP isn't really an option as my primary device (Android phone) will no longer be able to connect.

    All I want is to feed a copy of every VPN packet to an IDS system. Everything that leaves igb1 gets SPANned by my switch to the IDS. Is there a way to accomplish this SPANning?

  • Rebel Alliance Developer Netgate

    Without using tap, there wouldn't be a way to do that in the GUI.

    If you feel like hacking the source, pf has a "dup-to" rule keyword to send copies of packets to another destination; you could add some custom rules using that. Very easy to break something though, and it would get wiped out on upgrade of course.
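    A pf fragment of the kind the reply above points at, written here as an added example rather than anything posted in the thread or shipped by pfSense. It uses the thread's interface names (ovpns1 for the OpenVPN server, igb1_vlan8 for the VLAN that the switch already spans to the IDS); 192.0.2.10 is a placeholder for the sensor's address on that VLAN and must be replaced with the real one.

```pf
# Added example, not from the thread or from pfSense's own ruleset.
# Goal: hand the IDS a copy of every packet that crosses the OpenVPN
# tun interface, without bridging (a tun interface is layer 3 only and
# cannot be a bridge member, which is why bridge0 stayed silent).

vpn_if = "ovpns1"        # OpenVPN server interface from the thread
ids_if = "igb1_vlan8"    # VLAN 8 on igb1, spanned by the switch to the IDS
ids_ip = "192.0.2.10"    # PLACEHOLDER: sensor's address on VLAN 8

# Packets arriving from VPN clients: the original is forwarded as usual,
# a copy is sent out $ids_if with $ids_ip as the next hop (pf resolves its
# MAC, so the copy is unicast to the sensor, not flooded on the VLAN).
# "no state" makes the rule evaluate every packet rather than only the
# first packet of a flow, so the IDS sees the whole conversation.
pass in  quick on $vpn_if dup-to ($ids_if $ids_ip) no state

# Packets heading back to VPN clients (replies), same treatment.
pass out quick on $vpn_if dup-to ($ids_if $ids_ip) no state
```

    Once the rules are loaded, `pfctl -sr | grep dup-to` should list them, and `tcpdump -ni igb1_vlan8` should show the copies while a client is browsing. Two caveats follow from how pf matches: dup-to only takes effect on the rule that finally wins for a packet (the first `quick` match, otherwise the last match), so placing these ahead of the interface's normal rules means they also stand in for that policy for whatever they match and should be kept at least as restrictive as the rules they displace; and because the copies travel the normal output path, the sensor must be a listen-only host so that nothing on VLAN 8 can ever forward them back in and create a loop.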

  • Hmmm, okay so I'm talking with a friend who is probably going to help me with writing/committing a kernel patch to FreeBSD to enable TUN bridging, but that could be a while to both write and get released :s

    So I'd heard about this pf rules thing and I briefly Googled it with no success. I'll look for anything about "dup-to" and how to write such a rule though. Although I'm confused when you say it's easy to break something. I assume you mean if I made a grammar error I might lose network access to the box to fix the problem? If so, I assume having a serial connection would render me "safe" from issues?

    Thanks very much for the reply!

    EDIT: I can't find /etc/pf.conf… Where would I find existing rule files? I assume I can just add my own alongside?

  • Rebel Alliance Developer Netgate

    The ruleset is generated by the code in, the rules are output to /tmp/rules.debug. You cannot edit that file directly, you'd have to edit /etc/inc/ and find a place to insert the rules in the code.

  • Great, thanks! I'll try this next time I have a network maintenance window (aka the gf isn't home and won't mind the Internet being out) and I'll post back if I get any good results!