18

I want to mirror all traffic (also VPN, WLAN, WAN) from a consumer router (TPLink WR1043ND v.1.x) to a snort sensor located in the same network, but without extra hardware! The mirroring has to be done by the router (running OpenWrt Barrier Breaker).

Mirroring the WAN port of the router would even be supported by the current firmware, but the data of this stream is useless to me, because it does not contain the internal IPs of the devices connected to the router! I want the mirrored traffic from inside the router, with all internal IPs.

So, I quickly thought about tcpdump -i any. But to my knowledge it is not possible to configure 'tcpdump' to stream the mirrored traffic directly to the snort sensor? (without generating and saving enormous pcap-files to the harddrive)?

How do I solve this?

Appendix: Would this work with using iptables --tee option mirroring all traffic? I think I would need to install this 'TEE iptables extensions' ipkg or this 'Kernel modules for TEE' ipkg from the OpenWRT repository in order to work? Would this work or do I need something else?

user3200534
  • 335

3 Answers3

7

Yes iptables TEE works. I have a tplink router and I am mirroring the traffic exactly for the same reason as you.

Install all the necessary modules and packages for TEE.

Assuming your monitoring IP address is 10.1.1.205, run:

iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.1.1.205 -j TEE --gateway 10.1.1.205

iptables -A PREROUTING -t mangle -i br-lan ! -d 10.1.1.205 -j TEE --gateway 10.1.1.205
AK_
  • 188
Methos
  • 186
3

It is now possible to set up port mirroring on OpenWrt via the Switch configuration. This can be done using the OpenWrt web interface (LuCI) by going to the Network->Switch menu then enabling 'Enable mirroring of incoming packets' and/or 'Enable mirroring of outgoing packets' and setting the desired interfaces (The 'Mirror source port' is where you want to mirror traffic from and the 'Mirror monitor port' is where it is mirrored to). It may also be necessary to alter VLAN settings on the switch interface and the monitor interface on the monitoring device to see the traffic of interest

Otherwise this can be achieved on the command line by editing the switch section of the network config file (/etc/config/network).

Update: With the newer versions of OpenWRT (v21 onwards) on some platforms they have started migrate to the new Distributed Switch Architecture (DSA) which is controlled via the Network->Interfaces config page. It can also be configured on the command line using tc command to configure the mirred action the appropriate ports.

Note: There are often limitations to port mirroring as the switch hardware in many platforms may not connect directly to all interfaces - this means that you might only be able to mirror LAN or WAN traffic. But you should be able to setup some iptables rules (as desicribed above) to redirect/mirror that remaining traffic.

Pierz
  • 2,169
3

A patch for OpenWrt to enable port mirroring on your hardware is available, though it has received only limited testing. You can, of course, apply and test it yourself.

Michael Hampton
  • 14,171