Pass-through network config?

Can someone let me know how I can make this device a pass through one?
I want to connect it between my router and my LAN so I can use some tools to see all of the packets going through it. I don't have a switch that has port mirroring capabilities here.

The default network config is below. What should it look like to be able to put this between my two devices?

Original was:
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdea:0503:2c25::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

Remove the wan networks, then add eth0 to lan along with eth1.
option ifname 'eth0 eth1'
This creates a software bridge between them which works like an unmanaged switch. All packets going in or out of either port will be seen by the kernel. So you can then attach tcpdump etc. to either one and see the traffic.
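
The rewrite described in that reply, done as a small script rather than by hand. This is an added example and not code from the thread or from OpenWrt: it parses the old-style UCI syntax the original post uses (config / option / list lines), folds the wan and wan6 ports into the lan bridge, switches lan to DHCP so the box takes an address from the real router, and emits both the rewritten /etc/config/network and the equivalent `uci batch` input. The embedded config is a trimmed copy of the poster's own; the dhcp section name `lan` is assumed from the stock /etc/config/dhcp. Only the Python standard library is used.

```python
"""Turn the OpenWrt /etc/config/network posted above into a pass-through bridge.

Run off-box against a copy of the file. Parses the old-style UCI syntax from the
thread, moves the wan/wan6 ports into the lan bridge, switches lan to DHCP, and
prints the new file plus the equivalent `uci batch` input for an SSH session.
"""
import shlex

# Trimmed copy of the poster's config; the loopback section passes through untouched.
ORIGINAL = """\
config globals 'globals'
        option ula_prefix 'fdea:0503:2c25::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the single quotes UCI uses
        if tokens[0] == "config":
            name = tokens[2] if len(tokens) > 2 else None
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif tokens[0] == "option":
            sections[-1]["options"][tokens[1]] = tokens[2]
        elif tokens[0] == "list":
            sections[-1]["options"].setdefault(tokens[1], []).append(tokens[2])
        else:
            raise ValueError(f"unexpected UCI keyword {tokens[0]!r}")
    return sections

def interface(sections, name):
    """Return the 'config interface <name>' section."""
    return next(s for s in sections if s["type"] == "interface" and s["name"] == name)

def make_passthrough(sections, bridge="lan", absorb=("wan", "wan6")):
    """Drop the upstream interfaces and move their ports into the bridge."""
    ports, kept = [], []
    for s in sections:
        if s["type"] == "interface" and s["name"] in absorb:
            ports += s["options"].get("ifname", "").split()
            continue
        kept.append({**s, "options": dict(s["options"])})  # copy; leave input intact
    opts = interface(kept, bridge)["options"]
    members = opts.get("ifname", "").split()
    for p in ports:
        if p not in members:  # wan and wan6 both name eth0; add it once
            members.append(p)
    opts["ifname"] = " ".join(members)
    opts["type"] = "bridge"
    opts["proto"] = "dhcp"  # be a client of the real router, not a second gateway
    for k in ("ipaddr", "netmask", "ip6assign"):
        opts.pop(k, None)  # static addressing and prefix delegation no longer apply
    return kept

def to_uci(sections):
    """Serialize sections back into /etc/config/network syntax."""
    out = []
    for s in sections:
        out.append(f"config {s['type']}" + (f" '{s['name']}'" if s["name"] else ""))
        for k, v in s["options"].items():
            kw, items = ("list", v) if isinstance(v, list) else ("option", [v])
            out += [f"        {kw} {k} '{item}'" for item in items]
        out.append("")
    return "\n".join(out)

def uci_batch(old, new, bridge="lan", absorb=("wan", "wan6")):
    """Same change as `uci batch` input. Also tells dnsmasq to stop serving DHCP
    on lan, so the segment keeps exactly one DHCP server: the upstream router."""
    before, after = interface(old, bridge)["options"], interface(new, bridge)["options"]
    cmds = [f"delete network.{n}" for n in absorb]
    cmds += [f"set network.{bridge}.{k}='{v}'" for k, v in after.items() if before.get(k) != v]
    cmds += [f"delete network.{bridge}.{k}" for k in before if k not in after]
    cmds += ["set dhcp.lan.ignore='1'", "commit network", "commit dhcp"]
    return "\n".join(cmds)

if __name__ == "__main__":
    old = parse_uci(ORIGINAL)
    new = make_passthrough(old)
    print(to_uci(new))
    print("# equivalent, on the router: uci batch <<'EOF' ... EOF")
    print(uci_batch(old, new))
```

Apply the batch on the device, then `/etc/init.d/network restart` and `/etc/init.d/dnsmasq restart` (or reboot), and `tcpdump -ni eth0` shows everything crossing the bridge. Two things to keep in mind: with both ports in the lan zone, SSH and LuCI answer on either side of the box, and every frame is forwarded by the CPU rather than switch silicon, which is the throughput concern raised in the next reply.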

That bridge solution would slow things down though. You could set up port mirroring, and I think that's handled right in hardware, right?

Looking online, do you mean like this?

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0 eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'dhcp'
        option metric '20'

This is the ifconfig result:

br-lan    Link encap:Ethernet  HWaddr BE:91:2B:6E:45:60
          inet addr:192.168.1.140  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::bc91:2bff:fe6e:4560/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2700 (2.6 KiB)  TX bytes:2696 (2.6 KiB)

eth0      Link encap:Ethernet  HWaddr BE:91:2B:6E:45:60
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74490 errors:0 dropped:4 overruns:0 frame:0
          TX packets:1748 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4950729 (4.7 MiB)  TX bytes:236282 (230.7 KiB)
          Interrupt:36

eth1      Link encap:Ethernet  HWaddr 5E:10:73:00:96:0E
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:217380 errors:0 dropped:3226 overruns:0 frame:0
          TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17420128 (16.6 MiB)  TX bytes:35268 (34.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7168 (7.0 KiB)  TX bytes:7168 (7.0 KiB)

I'm not sure what you mean, dlakelan? I don't have a switch I can use port mirroring on, which is why I'd like to use this router to monitor packets.

You don't say what device you are using. Does it not have a built-in switch?

ubus call system board; swconfig list

Sorry, I thought you meant an external switch, like on the LAN. The device is NanoPi R1S-H3.

On that board the two ports are separate chips; there is no hardware link between them. So you have to use a software bridge.

Is this how I have it configured now, or do you mean I have to look into that next, a software bridge?

In terms of your comment, dlakelan, "That bridge solution would slow things down", maybe it's OK as this device won't have much running on it.

# ubus call system board; swconfig list
{
        "kernel": "5.4.94",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "FriendlyARM NanoPi R1",
        "board_name": "friendlyarm,nanopi-r1",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r15673-abe348168b",
                "target": "sunxi/cortexa7",
                "description": "OpenWrt SNAPSHOT r15673-abe348168b"
        }
}

It's all about how much traffic runs through it. If you're monitoring a bunch of low-bandwidth Internet of Things devices, so you only ever have, say, 10 Mbps at most going through it... hey, it'll work fine. If you're monitoring an access point for a regular LAN that might have 800 Mbps going through it, then it'll probably be capped to 100 or 200 by this setup.

Yes, I need to monitor everything going through the network which means it definitely could be fully saturated at times.

I am a little confused about the kind of hardware I should be using to take advantage of as much of the gigabit port speed as possible since the connection does get fully saturated fairly often.

Since this board has two separate chips, this software bridge is my only option, right? And if that is the case, does it look OK to you all now?

You mention a built-in switch, so I suppose this means I should be looking for a different hardware device to achieve what I need, one that has a built-in switch, then.

I needed an inexpensive device because I have a couple dozen locations where I need to gather up some data and there is barely a budget for this. It's why I put hope into this device.

Buy a TP-Link SG108e for $30 and configure it to mirror the port. It'll run at full gigabit speed.

For similar price I like the Zyxel GS1200-8 instead of the SG108E. Their new 2.0 firmware finally allows restricting management to one VLAN, which is an important security feature the TP-Link doesn't have.

But does it offer the port mirroring? I haven't looked.

Yes, although I have never actually tried to use it.

Used ZyXEL GS1900-8 switches aren't that expensive either, and you can even run OpenWrt on them (but the OEM firmware is quite nice as well, with a rather good feature set).

I need the lowest-cost, new (not used), least-featured device, since I'm only going to use it mainly to monitor network usage.

It is amazing that the TP-Link SG108e is only $30.00 new and could do full gigabit speeds? There is a smaller SG105, but it doesn't have the e on the end, which is something silly like $15.00. There is an SG105e, which is $39.00, which would be a reasonable price. I just want fewer ports.

Two ports is all I need as the others would be wasted. I mainly just need to monitor overall bandwidth and data usage at different networks. It will connect between the router and the LAN and get a DHCP IP from the router. It won't do anything else, not even wireless.

The SG105 or 108 without the e are unmanaged switches.

The 5 port and 8 port are so close in price you're almost certain to wish that you paid a couple bucks more to have 3 more ports at some point.

A switch with a mirror function doesn't analyze anything; it merely diverts a copy of every packet out to another port, like putting a tee into the line. (Due to how Ethernet works, at gigabit speed you can't just branch off the wires to have this effect.) Then you connect the mirror port to a port on your analyzing system, which is configured to be input only. This means the analyzing system needs another port to provide a way to log in and export its data.

Nah, you'll want them. The SG108e is better than the 105e and basically the same price.

You'll put your "uplink" on, say, port 8, and your "downlink" on, say, port 1, and then any port between 2 and 7 can be the "monitor link"...

For example, you mirror, say, port 8 to port 2... so now some device connected on port 2 can hear every packet that goes in or out of 8.

Wait now, maybe I'm not explaining what I need clearly enough. I specifically do not want any other devices connected to this device, even accidentally, which is why I would prefer a 2-port device. It is meant to be nothing more than an in-line bandwidth/data collection device, no more.