Setting up a network tap

pokmoker · June 13, 2019, 3:49am

I have security onion installed on Linux VM on a computer that I have set aside specifically for security monitoring and want to set up a network tap out of my OpenWrt router because setting up a SPAN/traffic mirroring is not working. I have read several tutorials and this indicates I need to set up a VLAN through one of the ethernet ports on router - https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

This is what configuration looks like now on the router panel -

So do I need to tag one of the ethernet ports? If so, doing what exactly? And how should I edit the "Switch" section of /etc/config/network? I did not see any posts in the forum on this subject prior so am interested in any recommendations on this....

Hegabo · June 13, 2019, 4:21am

Well, it isn't. The picture is trimmed. It doesn't show the existing VLANs you already have (normally hat should be one for LAN and one for WAN).

I'm not sure if you need it tagged or untagged, but thnik it should be untagged. Anyway, what you need to do is that in the switch page, for the LAN VLAN (typically VLAN 1, the first line in the switch configuration panel, you turn a LAN port off (you choose off form the drop down menu).

Then you add a third VLAN (let's call it VLAN 3). You set CPU to tagged, and the LAN port you turned off for VLAN 1, you set it to untagged.

As for the /etc/config/network, if you do the configuration in the GUI, it will update the file.

jeff · June 13, 2019, 4:33am

A switch isn't going to work as a "network tap" in its normal mode, as it will only forward packets to the interfaces where it knows the destination MAC address to be. VLANs don't change this.

Some switches support port mirroring, which is what you need to "tap" traffic on one port to a different port. For those switches, assuming the driver also supports it, it can be configured through swconfig.

From a different switch from yours

root@office:/home/jeff# swconfig dev switch0 help
switch0: mdio-bus.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
     --switch
	Attribute 1 (int): enable_vlan (Enable VLAN mode)
	Attribute 2 (none): reset_mibs (Reset all MIB counters)
	Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
	Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
	Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
	Attribute 6 (int): mirror_source_port (Mirror source port)
	Attribute 7 (int): arl_age_time (ARL age time (secs))
	Attribute 8 (string): arl_table (Get ARL table)
	Attribute 9 (none): flush_arl_table (Flush ARL table)
	Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
	Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
	Attribute 12 (none): apply (Activate changes in the hardware)
	Attribute 13 (none): reset (Reset the switch)
[...]

pokmoker · June 13, 2019, 4:06pm

apologies this is what it looks like

pokmoker · June 13, 2019, 4:15pm

So I need to add a new VLAN interface here @Hegabo and then modify on the switch page?

jeff · June 13, 2019, 4:36pm

Likely you will need to remove your “monitor” port from all VLANs and then use a script or command-line configuration to set up the monitor, if I understand your goal correctly.

Hegabo · June 13, 2019, 6:40pm

For VLANs in general, you do it in the GUI, the config file or the terminal. All do the same thing.

I don't know about network tap though or how it should be done. So you better follow @jeff's advice.

pokmoker · June 14, 2019, 1:27pm

I'm going back through documentation and forgive me for being a noob - what would you recommend doing to accomplish this? And this is a prerec to creating a new VLAN specifically for the tap?

jeff · June 14, 2019, 1:42pm

Again, no creation of VLANs involved.

You need to decide which port you want the traffic to appear on, and which single port you want to monitor. Let's say that you want to monitor port 1 and have the packets appear on port 4.

Remove all references to port 4 in your switch config
Manually, or by a script
- Set mirror_monitor_port to be 4
- Set mirror_source_port to be 1
- Set enable_mirror_rx
- Set enable_mirror_tx

I don't run LuCI, but it would surprise me if port-mirroring options were present. ~~This means command-line configuration.~~ OK, I'm surprised!!

lleachii · June 14, 2019, 7:25pm

It's there:

Screenshot%20from%202019-06-14%2015-25-40

pokmoker · June 18, 2019, 7:19pm

so I have a an ethernet cable plugged into Port 2, so I assume this is the port I want traffic to appear on - or is this to monitor? I want to plug the cable then into a laptop running a security onion VM

Does this look properly configured? Again sorry for my noobishness, I'm trying to figure out how to configure properly from GUI

jeff · June 18, 2019, 8:05pm

What port mirroring does it to take every packet (or just received or transmitted, if so configured) and make them appear on another "monitor" port. You can then hook up a "packet sniffer" to that monitor port and see all the packets that went in/out of the "source" port.

Usually, you don't want the monitor port to be a member of any VLAN ("off"), and most stand-alone switch prohibit a monitor port from being associated with any VLANs.

lleachii · June 18, 2019, 9:05pm

From your screenshot, you don't appear to have mirroring options.

pokmoker · June 18, 2019, 9:06pm

so it would be impossible to configure this router for a network tap? I have used it before for port mirroring via pre and post-routing rules in the firewall to a Raspberry Pi running an IDS

jeff · June 18, 2019, 9:11pm

You might have been able to duplicate packets that reached the kernel, but that is very different than port mirroring/monitoring. It doesn't capture all the packets that simply enter the switch on one port and depart on another.