I want to monitor everything passing through the WAN port (i.e. internet traffic) by duplicating all WAN traffic to a dedicated switch port.
I have already set up a dedicated port on the router and connected a Wireshark machine directly to it:
```
config interface 'monitor'
    option ifname 'eth0.2'
    option proto 'none'
    option ipv6 0
    option auto '1'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 6t'
```
Wireshark is directly connected to port 5 and port 6 is the router CPU port. Without the `ipv6 0` I get unwanted IPv6 broadcasts showing in Wireshark (but at least that helps prove that part of the setup works). I've tried to set it up without an IP address or anything else so it isn't used for anything apart from the monitoring traffic.
I expect I should be able to do this with an iptables rule so I started by making a zone for the monitoring interface:
```
config zone
    option name monitor
    list network 'monitor'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT
```
However, I don't know how to get frames to/from the `wan` zone duplicated onto this
I have also tried using `port-mirroring` (installed using `opkg`) with some config like this:
```
config 'port-mirroring'
    option 'target' 'eth0.2'
    option 'source_ports' 'pppoa-wan'
    option 'filter' ''
    option 'protocol' 'TZSP'
    option promiscuous '1'
```
Which I start like this:
```
root@gateway:/etc/config# port-mirroring --debug
2017-11-22 13:58:42[info] port-mirroring::main, mirroring_type:[interface][TZSP], mirroring_source_num:, target:[eth0.2], filter:, opt_promiscuous:.
2017-11-22 13:58:42[info] port-mirroring::reopenSendHandle eth0.2 success.
```
I've also tried the `TEE` protocol. I've also tried using another machine on the LAN as a port-mirroring target (i.e.
I sometimes see data in Wireshark and sometimes see nothing. What I do see is meaningless. Lots of output showing unfamiliar MAC addresses, zeroes, meaningless numeric protocol numbers, "Ethernet II" or "Bogus IPv4" messages. It looks like garbage, like something isn't configured correctly.
In case it's relevant, the interface on the Wireshark end is brought up like this:
```
# echo 1 > /proc/sys/net/ipv6/conf/enp3s0/disable_ipv6
# ip link set enp3s0 promisc on
# ip link set enp3s0 up
```
I have also tried to use `iptables-mod-tee` without success. Various internet searches suggest commands like
```
$ iptables -t mangle -A PREROUTING -j TEE -gw 192.168.a.b
$ iptables -t mangle -A PREROUTING -j TEE -gw 192.168.a.b
```
(192.168.a.b is the monitoring station running Wireshark)
However these just give errors like
```
iptables v1.4.21: multiple -j flags not allowed.
```
Further searching suggests this refers to a non-standard extension?
I did notice, when installing:
```
# opkg install iptables-mod-tee
Installing iptables-mod-tee (1.4.21-2) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/packages/mips_24kc/base/iptables-mod-tee_1.4.21-2_mips_24kc.ipk
Installing kmod-ipt-tee (4.4.71-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01.2/targets/lantiq/xrx200/packages/kmod-ipt-tee_4.4.71-1_mips_24kc.ipk
Configuring kmod-ipt-tee.
failed to find a module named nf_tee
Configuring iptables-mod-tee.
```
I don't know whether `failed to find a module named nf_tee` is an issue; the package did appear to install:
```
root@gateway:/etc/config# opkg list-installed | grep "mod-tee"
iptables-mod-tee - 1.4.21-2
```
So I've tried a few ways to achieve this, only to end up hitting a wall.
Ideally I'd like to do this just with iptables but, if not, then with `port-mirroring` or some other way...
Any guidance appreciated. I'd like to be able to get it working and then document it here.
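As an added example (not from the post, the OpenWrt project or port-mirroring), a POSIX shell helper that emits the two mangle-table TEE rules needed to mirror WAN traffic in both directions, checks their spelling, and audits `iptables -t mangle -S` output for them; `pppoa-wan` and `192.168.1.5` in the test are constructed values, and `xt_TEE` is assumed to be the kernel module behind the TEE target. The `-gw` in the searched-up commands is read by iptables as `-g` (`--goto`) followed by `w`, which collides with `-j` and is exactly what produces "multiple -j flags not allowed"; the TEE option is `--gateway`.

```shell
#!/bin/sh
# Added example, not from the post or the port-mirroring project: emit, check and
# audit the mangle-table TEE rules that copy every packet entering or leaving the
# WAN interface to a monitoring host. The monitoring host must sit on a directly
# attached subnet, because TEE clones the packet and forwards the clone to that
# next hop's MAC address (the host itself does not need to route anything).

# Print the two rules for WAN interface $1 and monitoring host $2.
tee_rules() {
    # Inbound: packets arriving on the WAN interface, before routing.
    printf 'iptables -t mangle -A PREROUTING -i %s -j TEE --gateway %s\n' "$1" "$2"
    # Outbound: packets about to leave through the WAN interface.
    printf 'iptables -t mangle -A POSTROUTING -o %s -j TEE --gateway %s\n' "$1" "$2"
}

# Reject the "-gw" spelling: iptables reads it as -g (--goto) plus "w", which
# collides with -j and is reported as "multiple -j flags not allowed".
check_rule() {
    case " $1 " in
        *" -gw "*)       return 1 ;;
        *" --gateway "*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Return 0 if the TEE target's kernel module (assumed: xt_TEE) is on this box.
tee_module_available() {
    [ -n "$(find /lib/modules -name 'xt_TEE.ko*' 2>/dev/null | head -n 1)" ]
}

# Read "iptables -t mangle -S" output on stdin; return 0 only when both
# directions for WAN interface $1 are mirrored to $2, else name what is missing.
audit_tee_rules() {
    rules=$(cat); missing=""
    echo "$rules" | grep -q -- "-A PREROUTING -i $1 -j TEE --gateway $2" || missing="$missing inbound"
    echo "$rules" | grep -q -- "-A POSTROUTING -o $1 -j TEE --gateway $2" || missing="$missing outbound"
    [ -z "$missing" ] && return 0
    echo "missing TEE mirror for:$missing" >&2
    return 1
}

# Validate, then run, the rules (needs root and iptables-mod-tee on the router).
apply_tee_rules() {
    tee_module_available || { echo "xt_TEE module not found" >&2; return 1; }
    tee_rules "$1" "$2" | while IFS= read -r rule; do
        check_rule "$rule" || { echo "refusing: $rule" >&2; exit 1; }
        sh -c "$rule" || exit 1
    done
}
```

Run `iptables -t mangle -S | audit_tee_rules pppoa-wan 192.168.1.5` on the router after applying to confirm both directions are in place.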