Date:      Tue, 12 Aug 2014 22:27:11 -0400
From:      "Joseph Ward" <jbward@hilltopgroup.com>
To:        <freebsd-net@freebsd.org>
Subject:   RE: SPAN port doesn't pick up locally generated traffic
Message-ID:  <08f701cfb69e$1698e2c0$43caa840$@com>

I found a workaround that is acceptable.

First, I want to thank Hiren Panchasara for recommending the workaround
that I hadn't thought about trying.

For the archives and anyone struggling with the same issue:

I altered the setup below by giving the LAN IP to the wired interface re1 as
opposed to bridge0.  Doing that magically made the span port (re2) get all
the traffic, both passing through in re1 and out ath0 (and vice versa) as
well as the packets that originate inside the system and are passed to the
bridge.

This isn't ideal as it means that if the physical interface re1 goes down,
clients on ath0 will lose connectivity to the system, and I had always
understood that when bridging it's ideal to give the IPs to the bridge
itself to protect against that possibility.  However, I can give each
interface another IP on a different subnet that will at least allow for
remote connectivity in that scenario.

Does anyone know if this is known/expected behavior?  If no one knows I'll
file a bug ticket on the scenario as it certainly doesn't seem kosher to me.

Thanks everyone,

-Joseph
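The layout described in the reply, written out as an /etc/rc.conf fragment. This is an added example, not the poster's actual configuration: interface names follow the thread (re1 and ath0 as bridge members, re2 as the span port), while the address 192.0.2.1/24 is a constructed placeholder.

```shell
# /etc/rc.conf fragment (added example, not from the thread).
# Interface names as in the thread; 192.0.2.1/24 is a constructed placeholder.

cloned_interfaces="bridge0"

# Bridge re1 (wired LAN) and ath0 (wireless) together; re2 is the SPAN port
# and receives a copy of every frame the bridge forwards.
ifconfig_bridge0="addm re1 addm ath0 span re2 up"

# The wireless member and the span port carry no address, they only need to be up.
ifconfig_ath0="up"
ifconfig_re2="up"

# Original layout, where packets generated on the firewall itself did not
# reach the span port (kept here as a comment for comparison):
# ifconfig_bridge0="inet 192.0.2.1/24 addm re1 addm ath0 span re2 up"
# ifconfig_re1="up"

# Workaround from the thread: the LAN address lives on the wired member
# instead of on bridge0. Trade-off noted in the reply: if re1 goes down,
# hosts on ath0 lose their path to the firewall's address.
ifconfig_re1="inet 192.0.2.1/24"
```

After editing rc.conf, `service netif restart` (or a reboot) applies the change; `ifconfig bridge0` should then list re1 and ath0 as members and re2 with the span flag.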



-----Original Message-----
From: Joseph Ward [mailto:jbward@hilltopgroup.com]
Sent: Tuesday, August 12, 2014 4:27 PM
To: 'freebsd-net@freebsd.org'
Subject: SPAN port doesn't pick up locally generated traffic

Hi,

I have built a firewall/routing box utilizing FreeBSD and need to mirror all
of the lan-side traffic before it is NATed to another box which will have
traffic analysis software running on it.

The firewall box has 4 interfaces: 3 wired (re0, re1, re2) and 1 wireless
(ath0).

re0 is the internet port (WAN), re1 and ath0 are bridged into bridge0 which
has my LAN IP (so that both my wired and wireless systems are all on the
same physical network), and re2 is a member of bridge0 as a SPAN port.

A tcpdump on the SPAN (and on the analysis box) shows that all packets which
enter the system via ath0 and re1 are mirrored appropriately, but if the
packets originate either on the WAN port (re1) or internal to the firewall
box (ping a LAN endpoint from the firewall shell) the packets are not
present on the SPAN port.  tcpdump on bridge0 captures the packets, so
they're definitely on the bridge.

In order to eliminate all possibilities I ran a liveCD of FreeBSD 10 on a
box with 4 interfaces with em0 and em1 bridged together into bridge0 with
em3 as a SPAN port for bridge0.  No firewall, no ports, nothing has been
installed or configured.  On this box, any packets which physically enter
either em0 or em1 (the bridged interfaces) are SPANned, but nothing that
originates on the fresh box shows up on the SPAN.  Again, the packets
originating on the system show up on a tcpdump of bridge0.

I'm not much of a system-level programmer, but it certainly looks as if my
expected behavior is "proper" based on if_bridge.c and the comment before
"bridge_output" function which definitely has a "bridge_span" call when
sending unicast with locally generated traffic which is what I'm doing here.

Am I missing something?  A configuration variable somewhere perhaps?  Or is
this a bug somewhere?  Any help would be greatly appreciated!
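A way to measure the gap the original message describes, so that a monitoring setup built on a bridge SPAN port can be checked for a blind spot instead of being assumed complete. This is an added example, not code from the thread: it captures ICMP on the bridge and on the span port at the same time, sends a few pings from the firewall itself, and compares how many echo requests each capture saw. It assumes FreeBSD with tcpdump(8) and ping(8), the interface names used in the thread (bridge0, span port re2), and a TARGET variable holding a LAN host behind the bridge; the default 192.0.2.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): does the bridge SPAN port mirror traffic
# that originates on the firewall itself?
# Assumptions: FreeBSD, tcpdump(8) and ping(8) available, run as root;
# interface names as in the thread; TARGET is a constructed placeholder.

BRIDGE_IF="${BRIDGE_IF:-bridge0}"
SPAN_IF="${SPAN_IF:-re2}"
TARGET="${TARGET:-192.0.2.10}"   # constructed placeholder LAN host (TEST-NET-1)
PROBES=5

# Count ICMP echo requests in a pcap file.
count_echo_requests() {
    tcpdump -nr "$1" 'icmp[icmptype] == icmp-echo' 2>/dev/null | wc -l | tr -d ' '
}

# Compare probe counts seen on the bridge ($1) and on the span port ($2).
# Prints a verdict; returns 0 only when the span mirrored every probe,
# 1 when some were missing, 2 when the bridge capture itself saw nothing.
compare_coverage() {
    bridge_seen=$1
    span_seen=$2
    if [ "$bridge_seen" -eq 0 ]; then
        echo "INCONCLUSIVE: no probes captured on the bridge; check TARGET and routing"
        return 2
    fi
    if [ "$span_seen" -ge "$bridge_seen" ]; then
        echo "OK: span port mirrored $span_seen/$bridge_seen locally generated probes"
        return 0
    fi
    echo "GAP: span port saw only $span_seen of $bridge_seen locally generated probes"
    return 1
}

# Start both captures, send the probes from this host, stop, and compare.
run_check() {
    tmp=$(mktemp -d) || return 2
    tcpdump -ni "$BRIDGE_IF" -w "$tmp/bridge.pcap" icmp 2>/dev/null &
    bridge_pid=$!
    tcpdump -ni "$SPAN_IF" -w "$tmp/span.pcap" icmp 2>/dev/null &
    span_pid=$!
    sleep 1                                               # let tcpdump attach
    ping -c "$PROBES" "$TARGET" >/dev/null 2>&1 || true   # replies are optional
    sleep 1                                               # let the captures drain
    kill "$bridge_pid" "$span_pid" 2>/dev/null || true
    wait "$bridge_pid" "$span_pid" 2>/dev/null || true
    compare_coverage "$(count_echo_requests "$tmp/bridge.pcap")" \
                     "$(count_echo_requests "$tmp/span.pcap")"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# The live check only runs when invoked as: sh span_check.sh run
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

Run it once with the address on bridge0 and once with the address moved to re1; a GAP verdict in the first case and OK in the second reproduces what the thread reports. The same comparison can be repeated with traffic arriving from the WAN side by pinging a LAN host from a machine beyond re0 instead of from the firewall shell.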
