OpenWrt Forum Archive

Topic: Port mirroring on WRT1900AC

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm trying to setup some port mirrorring on my brand new WR1900AC running OpenWRT CHAOS CALMER (Bleeding Edge, r45683).
The idea is to catch anything flying in or out on wan port and to redirect this to one of the port of the switch (physical port 4, logically named port 0 as per https://s3.amazonaws.com/Justin.Schuhma … ayout.png) to feed it to a snort sensor.
As the hardware lacks the capability to do this I'm trying to achieve this using daemonlogger (from snort.org), which was packaged at some point in the past in the OpenWRT distribution but which is not any more (I managed to compile it). The behavior of this piece of software is quite easy to understand : it captures the packets on a given interface using libpcap and replays it on an other given interface using libdnet.

Using the web interface, I've done the following things :
- modified the switch configuration as such :
  - VLAN 1 (local network) : P0 off, P1 untagged, P2 untagged, P3 untagged, P4 off, CPU untagged, P6 off
  - VLAN 2 (internet) : P0-P3 off, P4 untagged, P6 untagged
  - VLAN 3 (snort) : P0 untagged
- added one interface (in Network>Interface) ETHTAP alongside the existing LAN, WAN an WAN6. This interface is unmanaged and embeds only eth0.3.
- just in case, added a firewall zone "ethtap" embedding my ETHTAP interface with accept policy for input/output and forward.
And then typed "daemonlogger -i eth1 -o eth0.3".

... and it doesn't working (understand : if I tcpdump on the Pi2 on the other side of the relevant switch port I can't see any packet)

Interrestlingly,
- if I tcdump on interface eth0.3 of the router, I see a replay of the packets on eth1, so daemonlogger works
- if I put port 4 as tagged in VLAN 3 and 1 and if i put an IP address on eth0.3, I can ping the Pi2 from the router. So the port selection is good, the cable is good and the Pi2 sees the packets.

So I'm puzzled and would really appreciate some help !

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd88:cb5a:4f33::/48'

config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option delegate '0'
    option ipaddr '192.168.0.1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'
    option auto '0'
    option reqaddress 'try'
    option reqprefix 'auto'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '4 6'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '3'
    option ports '0'

config interface 'ethtap'
    option _orig_ifname 'eth0.0'
    option _orig_bridge 'false'
    option ifname 'eth0.3'
    option proto 'none'

/etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option drop_invalid '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user' (empty)

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '993'
    option dest_port '993'
    option name 'imaps'
    option dest_ip '192.168.0.14'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '25'
    option dest_ip '192.168.0.14'
    option dest_port '25'
    option name 'smtp'

config zone
    option input 'ACCEPT'
    option output 'ACCEPT'
    option name 'ethtap'
    option forward 'ACCEPT'
    option network 'ethtap'

Take a look at the iptables tee module (iptables-mod-tee). It is often used to copy packets and send them to a machine running snort for analysis.

(Last edited by DBAA on 26 Jun 2015, 01:08)

It sounds like you just need to add port 5, tagged, to VLAN 3. Right now it exists solely in the switch, and with only one port it's not going anywhere.

The discussion might have continued from here.