Setting up network security monitor w/ Openwrt

I am currently trying to create a network security monitor system with the following:

Openwrt Router

TL-SG108E switch (VLAN2 is Port 1 and 2, VLAN1 3-8)

Windows Laptop running Virtualbox w/ Security Onion

Modem -> Switch Port 1, Router WAN -> Switch Port 2, Router LAN -> Switch Port 3, Laptop w/ SecOnion -> Switch Port 8

Whenever I plug the modem into Switch Port 1 and the Router’s WAN into Switch Port 2, the internet connection dies as shown here in the screenshot. Any suggestions on what I should try instead? And how can I make sure the cable going from the Router to Port 3 on Switch is going to the LAN interface on the router?

I don't want to derail your questions, but I have to ask you about the topology.

Any particular reason why the switch is before the router? Is this a layer 3 switch? Everything coming off or going onto the internet is layer 3, and being directly connected to a layer 2 switch seems like an issue to me. I don't know, maybe this is the new and better way of connecting securely to the internet?

Also, how are you liking Security Onion? Are you using Snort, and do you have clients connected to the laptop so that it can inspect traffic?

To the specific question, a failure like that could be caused by configuring the switch ports as tagged.

If you’re trying to monitor the traffic, I think you need a very different setup. Switches don’t send all traffic to a port like hubs used to. Even if you “fix” the tagging, you will see nothing but broadcast packets on your VM.

If you want to “tee” the traffic, either that switch or the one in your router needs to be configured to “mirror” traffic from one port to a monitor port. Basically, connect the modem to port 1, the router’s WAN to port 2, mirror port 2 (rx/tx) to port 3 and connect your VM there.

It’s very difficult to mirror the wireless traffic that goes to the LAN (or back out on wireless), or any LAN traffic that stays on the LAN. To monitor the wireless traffic you need software running on the router, either tee at the network level or something like tcpdump. To monitor LAN traffic, an external switch that can mirror an entire VLAN would be needed, if you have more than one wired device.

Edit: Running everything through a switch, L2 or L3, has no challenges and, with a sophisticated switch, allows for easy topology changes, VLAN trunking, as well as monitoring any port or VLAN. A sophisticated switch can also help prevent rogue DHCP servers, and other “threats”.
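The two router-side options the reply above mentions, mirroring a port on the router's own switch and capturing the wireless interface with tcpdump, written out as an added example. This script is not from the thread and is not OpenWrt's own code; the port numbers (0 and 4), interface names (lan1, lan4, wlan0), the sensor address 192.168.1.50 and listener port 9999 are assumptions, and swconfig port numbering is chip specific, so check yours with `swconfig dev switch0 show` (older, swconfig-based targets) or `ls /sys/class/net` (newer DSA targets) before running it. Mirroring on the TL-SG108E itself is done in its web UI instead; the same idea applies, pick port 2 as the source and the laptop's port as the monitor.

```shell
#!/bin/sh
# Added example: give a sensor port a copy of router traffic on OpenWrt.
# Run on the router. Set DRY_RUN=1 to print the commands instead of executing
# them. All port numbers, interface names and addresses below are assumptions.

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# swconfig switch (e.g. ar8xxx on older ath79/ar71xx boards): mirror both
# directions of source port $1 to monitor port $2 on switch0. Port numbers are
# switch-chip ports, not the labels on the case; check `swconfig dev switch0 show`.
swconfig_mirror() {
    src="$1"; mon="$2"
    run uci set "network.@switch[0].enable_mirror_rx=1"
    run uci set "network.@switch[0].enable_mirror_tx=1"
    run uci set "network.@switch[0].mirror_source_port=$src"
    run uci set "network.@switch[0].mirror_monitor_port=$mon"
    run uci commit network
    run /etc/init.d/network reload
}

# DSA switch (newer OpenWrt, ports appear as lan1..lanN): mirror ingress and
# egress of interface $1 to interface $2 with tc. Needs the tc binary and the
# mirred/matchall scheduler modules installed (tc-full and kmod-sched on OpenWrt;
# package names assumed, confirm with opkg).
dsa_mirror() {
    src="$1"; mon="$2"
    run tc qdisc add dev "$src" clsact
    run tc filter add dev "$src" ingress matchall action mirred egress mirror dev "$mon"
    run tc filter add dev "$src" egress  matchall action mirred egress mirror dev "$mon"
}

# Wireless traffic never crosses the switch, so capture it on the router and
# stream the pcap to the sensor: wifi_stream WIFI_IF SENSOR_IP PORT.
# On the sensor run e.g. `nc -l -p PORT > wifi.pcap` and import the file.
wifi_stream() {
    iface="$1"; sensor="$2"; port="$3"
    run sh -c "tcpdump -i '$iface' -U -s 0 -w - | nc '$sensor' '$port'"
}

# Dispatch on the first argument; with no arguments only the functions are defined.
case "${1:-}" in
    swconfig) swconfig_mirror "$2" "$3" ;;
    dsa)      dsa_mirror "$2" "$3" ;;
    wifi)     wifi_stream "$2" "$3" "$4" ;;
    "")       : ;;
    *)        printf 'usage: %s swconfig SRC MON | dsa SRC_IF MON_IF | wifi WIFI_IF SENSOR PORT\n' "$0" ;;
esac
```

Preview what would be applied with `DRY_RUN=1 sh mirror.sh dsa lan1 lan4`, then run it without DRY_RUN. Mirroring doubles the load on the monitor port, so a saturated uplink will drop mirrored frames; that is normal for SPAN and is why a dedicated monitor port (not one that also carries the VM's own traffic) is preferable.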