Transparent Ethernet Bridge

I'm looking for help with getting a transparent level 3 filtering bridge set up.

There are 3 ports on the device, eth0/eth1/eth2. Eth0/eth2 should be passthrough (no routing function, I just want to be able to use snort on the packet stream) and no firewall - strictly a security device.

eth1 will be connected to the router, pick up a DHCP address, and be used for LuCI/admin access.

So..

RouterA's WAN port will connect to eth2, and eth0 connects to the upstream edge router. Eth1 will connect to routerA for admin and be served by the DHCP on the local stub.

I'm sure it's something easy, but it's giving me a hell of a runaround. I do have console access, so losing connectivity to make the changes isn't an issue.

Any suggestions?

I think you actually just want to do this on Layer 2 (switched), not Layer 3 (routed).

Are the 3 ports on your OpenWrt router serviced by a switch chip, or are they individually addressed ports? For example, the EdgeRouter-X has a 5-port switch that is VLAN aware, while the ER-Lite has 3 routed ports. That makes a big difference in your approach.

To create a 'pass-through':
Assuming you've got a switch chip, you can simply adjust the VLAN assignments such that eth0 and eth2 are on the same VLAN (which I guess would be associated with the WAN interface in the OpenWrt router), and then the eth1 port would be simply attached to the LAN interface within OpenWrt.

If the ports are not switched, you can put them together using a bridge. But since a bridge happens in software, there is a potential bottleneck there.

Do you mean sniff? (not to be pedantic, just trying to make sure I understand the question). Assuming that is the case, you will want to engage port-mirroring, which is actually different from the switched/bridged config I just described. I'm not sure off-hand if OpenWrt can easily provide a line-rate port mirror function -- a package does exist to port mirror, but performance could be well below line rate. For that you may want a standard smart switch that supports the feature, because it is actually quite different from a 'passthrough' or switched configuration, but switches that have this capability can do it at line rate.

Last thing to note -- if you are looking for packet sniffing, you will most likely be able to determine the type of traffic (protocols, destinations), but the content of the traffic will likely be encrypted (https, encrypted mail services, etc.).

Thank you for answering @psherman! My experience comes almost exclusively from the router aspect of OpenWrt. I have no idea what's actually ON the board, because Itus Networks went under shortly after the release. I know it uses the BGX PHY interface for Octeon3 (because I had to patch the network drivers in myself), if that helps. I honestly don't know if it has an internal switch or not, or if I even built support in for it. I know in my router configuration for the device, eth1/eth2 are bridged over br-lan with a static IP and dnsmasq support, while eth0 is the WAN.

So, is there any way to see if I actually built in the functionality I needed to? My dev-box is in pieces right now, so I won't be able to test until later in the week if I need to recompile (and I can't do opkg installs from OpenWrt).

I will mention the device has a fairly large RAM and storage capacity, in case I need to build something in.

Sniff, or proxy and sniff. It depends on how much of a hit I see, I suppose. The device was originally configured for a router, bridge and gateway mode (which didn't work) and used snort. I managed to get the master branch built for the device and running for the router (snort3 almost works perfectly, more or less :smiley: I think?)

But I've been fumbling through things, so bear with me if I missed something! :slight_smile:

I will look into this when I get that system back up and running! Thank you!

Well, I've got part of it working!

root@Shield:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd18:0640:804c::/48'
        option packet_steering '1'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth2'
        option proto 'none'

config interface 'admin'
        option ifname 'eth1'
        option proto 'dhcp'

Snort seems to come up, but I have no way to test it. It seems to be working; can it really be that easy?
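One way to answer "can it really be that easy?" without waiting for the dev-box: check the posted /etc/config/network against the layout psherman described (a software bridge of eth0 and eth2 carrying no IP, and the admin port on its own interface). The script below is an added example, not code from the thread or from OpenWrt; it assumes the UCI syntax shown in the post (config interface / option lines, ifname with space-separated members) and uses only POSIX sh and awk, so it can run on the device itself. The two config writers embed constructed copies of the pass-through config from the post and of the original router-mode layout the poster described, purely so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenWrt network config
# for a transparent pass-through bridge plus a separate admin interface.
# Assumes UCI syntax as posted: "config interface 'name'" sections with
# "option type/ifname/proto" lines; bridge members are space-separated.

# check_transparent_bridge FILE "MEMBER MEMBER" ADMIN_PORT
# Returns 0 when: a type=bridge interface contains every listed member,
# that bridge has proto none (no IP, so it is invisible at L3), the admin
# port is NOT a member of it, and the admin port has its own interface.
check_transparent_bridge() {
    awk -v want="$2" -v admin="$3" -v q="'" '
    # Evaluate the interface section that just ended.
    function flush(    n, m, w, i, j, found, ok) {
        if (sec == "") return
        if (type == "bridge") {
            n = split(ifn, m, " ")
            split(want, w, " ")
            ok = 1
            for (i in w) {
                found = 0
                for (j = 1; j <= n; j++) if (m[j] == w[i]) found = 1
                if (!found) ok = 0
            }
            if (ok) {
                bridge = sec; bproto = proto
                for (j = 1; j <= n; j++) if (m[j] == admin) admin_in_bridge = 1
            }
        } else if (ifn == admin) {
            asec = sec; aproto = proto
        }
    }
    /^config / {
        flush()
        sec = ($2 == "interface") ? $3 : ""
        gsub(q, "", sec); type = ""; ifn = ""; proto = ""
    }
    /^[ \t]*option type/   { type = $3;  gsub(q, "", type) }
    /^[ \t]*option proto/  { proto = $3; gsub(q, "", proto) }
    /^[ \t]*option ifname/ { ifn = $0; sub(/^[ \t]*option ifname[ \t]*/, "", ifn); gsub(q, "", ifn) }
    END {
        flush(); rc = 0
        if (bridge == "") { print "FAIL: no bridge containing [" want "]"; rc = 1 }
        else if (bproto != "none") { print "FAIL: bridge " bridge " has proto " bproto " (needs none so the bridge carries no IP)"; rc = 1 }
        else print "OK: bridge " bridge " [" want "] is proto none, i.e. br-" bridge " is a pure L2 pass-through"
        if (admin_in_bridge) { print "FAIL: admin port " admin " is also a member of the pass-through bridge"; rc = 1 }
        if (asec == "") { print "FAIL: no separate interface for admin port " admin; rc = 1 }
        else print "OK: admin interface " asec " on " admin " uses proto " aproto
        exit rc
    }' "$1"
}

# Constructed copy of the pass-through config from the post (for offline runs).
write_passthrough_config() {
    cat > "$1" <<'EOF'
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth2'
        option proto 'none'

config interface 'admin'
        option ifname 'eth1'
        option proto 'dhcp'
EOF
}

# Constructed router-mode layout as the poster described it (eth1/eth2 bridged
# with a static IP, eth0 as WAN); this is what the check should reject.
write_router_mode_config() {
    cat > "$1" <<'EOF'
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
EOF
}
```

On the device, run `check_transparent_bridge /etc/config/network "eth0 eth2" eth1` after editing the config; the bridge interface OpenWrt creates for `config interface 'lan'` with `option type 'bridge'` is named br-lan, which is the interface to point snort at. The proto none test is the security-relevant one: a bridge with an address of its own is reachable from the traffic it is supposed to only observe, while a bridge without one has no L3 presence on that path.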