Suricata IDS on pihole, port mirroring from openwrt device

Hi there!

As I read in issue 279 in the linux magazine, it can be a good idea to set up a suricata IDS on my pihole.
The problem for me is that I do not understand how I can get this to work. In the article, the author describes how to use a script to pull the data traffic from the Fritz!Box device, which is used as a router.

As I use openWrt I cannot fully make sense of this tutorial for my use.

Now I want to mirror the wan port to the port of my pihole. An example can be found here: solved-mt7530-dsa-port-mirroring

However this doesn't work on my device. I get the following error message:

RTNETLINK answers: Not supported
We have an error talking to the kernel
RTNETLINK answers: Not supported
We have an error talking to the kernel

So far, I don't know what to do with this. Besides that, I guess there is a mistake in my setup:
openWrtRouter.drawio
There seems to be a vlan setup in my router, to make use of all ports. At least, this is what I assume from my "ip neigh" output.
HINT: I will switch the connection to my other router from eth0 to the actual wan interface as soon as I get home.

Does anyone have an idea how I can set up port mirroring correctly?

Thank you in advance!

I unplugged my connections, restarted and still get the error:

RTNETLINK answers: Not supported
We have an error talking to the kernel

It definitely has something to do with the tc filter add dev SNIFFPORT ingress matchall skip_sw action mirred egress mirror dev MIRRORPORT command. So far, I could not find any matching answer elsewhere.

I found out what was wrong: For some reason, the skip_sw part does not work on my device.
For now, port mirroring works. On my TP-Link WR 1043nd the following command is the appropriate one: tc filter add dev SNIFFPORT ingress matchall action mirred egress mirror dev MIRRORPORT
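
Added example, not part of the thread: a shell function that first tries the hardware-offloaded mirror (skip_sw) and falls back to the software path when the kernel rejects it, which is the failure described above. It goes beyond the thread's command by mirroring egress as well as ingress through a clsact qdisc, so the IDS sees both directions. The names setup_mirror, add_mirror, reset_qdisc and the TC override are chosen here; SNIFFPORT and MIRRORPORT are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. TC can be overridden (assumption made
# here) so the logic can be dry-run without touching real interfaces.
TC="${TC:-tc}"

# Mirror one direction ($3 = ingress|egress) of port $1 to port $2.
# $4 is "skip_sw" (hardware offload only) or empty (software path allowed).
add_mirror() {
    # $4 is deliberately unquoted: an empty value must drop out of the arguments
    $TC filter add dev "$1" "$3" matchall $4 \
        action mirred egress mirror dev "$2" 2>/dev/null
}

# Start from a clean clsact qdisc on port $1.
# Caveat: this removes any filters already attached to that qdisc.
reset_qdisc() {
    $TC qdisc del dev "$1" clsact 2>/dev/null || true
    $TC qdisc add dev "$1" clsact
}

# Prints "hardware" or "software" on success; returns 1 if neither mode works.
setup_mirror() {
    sniff="$1"; mirror="$2"
    for mode in skip_sw ""; do
        reset_qdisc "$sniff" || return 1
        if add_mirror "$sniff" "$mirror" ingress "$mode" &&
           add_mirror "$sniff" "$mirror" egress "$mode"; then
            [ -n "$mode" ] && echo hardware || echo software
            return 0
        fi
    done
    # Nothing worked: leave the port as we found it.
    $TC qdisc del dev "$sniff" clsact 2>/dev/null || true
    return 1
}

# On the router: setup_mirror SNIFFPORT MIRRORPORT
```

In software mode every mirrored packet is copied by the router's CPU, so watch its load on a busy WAN link.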
