Port mirroring on Archer C7

Hello, I have some n00b questions about port mirroring on my Archer C7 v2. I'm running OpenWrt 21.02.1, but since it seems like DSA support is still in the works for this target, am using swconfig.

I would like to mirror my lan traffic to send it to a IDS sitting on port 4. But when I grab the mirrored input via tshark, I only see traffic originating from wired clients, not wireless clients. If I'm understanding this diagram correctly, I think I should get this traffic just by mirroring eth1: https://openwrt.org/_detail/media/tplink/tl-wdr7500/archerc7v2-switch-diagram.png?id=toh%3Atp-link%3Aarcher-c5-c7-wdr7500

From Luci -> admin -> network -> switch, I have all three checkboxes (enable vlan, mirror incoming, mirror outgoing) checked. My mirror source port is CPU (eth1), and my monitor port is lan 4 (where my IDS host sits). My VLAN setup is the out of the box setup, with LAN 4 turned off: vlan1, eth1 tagged, eth0, off, ports 1-3 untagged, port4 off, wan off; vlan2, eth1 off, eth0 tagged, ports 1-4 off, wan untagged.

From admin->network ->network, I have a single bridged lan interface that includes a sw vlan at eth1.1, plus wlan0, plus wlan1 (one for each radio). It is tied to the device br-lan. If I go to the devices tab for br-lan, I see that the bridge port is (again) eth1.1, and it comes with this note: Specifies the wired ports to attach to this bridge. In order to attach wireless networks, choose the associated interface as network in the wireless settings.

From admin -> network -> wireless, if I look at the interface configurations options for each radio, it just shows "lan" as the option. Should this be eth1.1 instead?

I am sure I bolloxed this up with some of my earlier science experiments, but am quite stuck here and would be grateful for any advice.

Not sure of the answer sorry, just some thoughts:

• What is actually doing the mirroring? The CPU or the switch chip itself?
  ** If the CPU: everything should work. (do this via firewall rules maybe?)
  ** If the switch chip: you might not see some traffic, eg someone on wifi accessing an IP of the router itself.
• Shouldn't you be mirroring br-lan, not eth1?
• br-lan will be a little weird because bridging wireless and ethernet interfaces has some gotchas, they are not identical protocols.
• on that note: I don't think you can "mirror" wifi frames/packets over an ethernet link without encapsulating them in something first (eg by using a userspace program) or modifying them (eg via firewall rules maybe?)

Hi @CopperCassette, thanks for your reply. You got me pointed to firewall rules, and this reply by @Methos at https://superuser.com/questions/755668/mirroring-all-router-traffic-openwrt-to-a-snort-sensor is what ultimately worked for me.

Specifically, I left my vlan config on but unchecked the "mirror incoming/outgoing packets" options on the switch page, and then installed the openwrt tee package and used the tee option to add these custom firewall rules:

iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.1.172 -j TEE --gateway 192.168.1.172
iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.1.172 -j TEE --gateway 192.168.1.172

where 192.168.1.172 is my monitoring host. With a firewall reboot I can see the wired and wireless LAN host packet traffic on my monitoring host.

I expect I will revisit this once I migrate to the dsa architecture, but I am happy for now. Thanks!

Very glad you found a working solution Thankyou for sharing it.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.