16

I want to mirror all traffic (also VPN, WLAN, WAN) from a consumer router (TPLink WR1043ND v.1.x) to a snort sensor located in the same network, but without extra hardware! The mirroring has to be done by the router (running OpenWrt Barrier Breaker).

Mirroring the WAN port of the router would even be supported by the current firmware, but the data of this stream is useless to me, because it does not contain the internal IPs of the devices connected to the router! I want the mirrored traffic from inside the router, with all internal IPs.

So, I quickly thought about tcpdump -i any. But to my knowledge it is not possible to configure 'tcpdump' to stream the mirrored traffic directly to the snort sensor (without generating and saving enormous pcap files to the hard drive)?

How do I solve this?


Appendix: Would this work using the iptables --tee option to mirror all traffic? I think I would need to install this 'TEE iptables extensions' ipkg or this 'Kernel modules for TEE' ipkg from the OpenWRT repository for this to work? Would this work, or do I need something else?

user3200534
  • 315
  • 1
  • 3
  • 9
  • 1
    This is a good question, and I'm curious to hear any answers. I've voted to have it moved to Superuser, though, as they're more experienced with consumer gear and alternate firmware like OpenWRT. – EEAA May 17 '14 at 02:52

3 Answers

6

Yes, iptables TEE works. I have a TP-Link router and I am mirroring the traffic for exactly the same reason as you.

Install all the necessary modules and packages for TEE.

Assuming your monitoring IP address is 10.1.1.205, run:

iptables -A POSTROUTING -t mangle -o br-lan ! -s 10.1.1.205 -j TEE --gateway 10.1.1.205

iptables -A PREROUTING -t mangle -i br-lan ! -d 10.1.1.205 -j TEE --gateway 10.1.1.205

AK_
  • 188
  • 1
  • 2
  • 15
Methos
  • 176
  • 3
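As an added example, not part of AK_'s answer or of OpenWrt's own tooling, the following script wraps the two rules above so they can be checked (and removed again) before they touch the router. The sensor address 10.1.1.205 and the bridge br-lan are taken from the answer; the variable names, the APPLY switch and the package names kmod-ipt-tee and iptables-mod-tee are assumptions.

```shell
#!/bin/sh
# Added example (not code from the answer or from OpenWrt): build, check and
# optionally apply the iptables TEE mirroring rules from the answer above.
# Assumed values: MONITOR_IP is the Snort sensor (10.1.1.205, as in the
# answer) and LAN_IF is the bridge the sensor is attached to (br-lan).
# kmod-ipt-tee and iptables-mod-tee are assumed to be the OpenWrt packages
# that provide the TEE target.

MONITOR_IP="${MONITOR_IP:-10.1.1.205}"
LAN_IF="${LAN_IF:-br-lan}"

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo can
# never produce a rule that copies the whole LAN's traffic to the wrong host.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules from the answer. POSTROUTING catches everything the
# router sends towards the bridge (replies from the WAN, VPN traffic, WLAN
# clients on the bridge), PREROUTING catches everything arriving from it.
# The sensor's own traffic is excluded in both directions so its own
# sessions are not copied back to it.
tee_rules() {
    ip="$1"
    dev="$2"
    printf 'iptables -t mangle -A POSTROUTING -o %s ! -s %s -j TEE --gateway %s\n' "$dev" "$ip" "$ip"
    printf 'iptables -t mangle -A PREROUTING -i %s ! -d %s -j TEE --gateway %s\n' "$dev" "$ip" "$ip"
}

# The same rules with -D instead of -A, to remove the mirroring again.
tee_rules_remove() {
    tee_rules "$1" "$2" | sed 's/ -A / -D /'
}

valid_ipv4 "$MONITOR_IP" || { echo "invalid MONITOR_IP: $MONITOR_IP" >&2; exit 1; }

if [ "${APPLY:-0}" = "1" ]; then
    # Only on the router: install the TEE target and load the rules.
    opkg install kmod-ipt-tee iptables-mod-tee
    tee_rules "$MONITOR_IP" "$LAN_IF" | sh -e
else
    # Dry run (default): show what would be applied.
    tee_rules "$MONITOR_IP" "$LAN_IF"
fi
```

Without APPLY=1 the script only prints the rules. Note that these rules only see packets that enter or leave the router through br-lan; a packet the router forwards directly between the WAN and a VPN tunnel never crosses that bridge and would need a matching rule on those interfaces.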
3

It is now possible to set up port mirroring on OpenWrt via the Switch configuration. This can be done using the OpenWrt web interface (LuCI) by going to the Network->Switch menu, then enabling 'Enable mirroring of incoming packets' and/or 'Enable mirroring of outgoing packets' and setting the desired interfaces (the 'Mirror source port' is where you want to mirror traffic from and the 'Mirror monitor port' is where it is mirrored to). It may also be necessary to alter VLAN settings on the switch interface and the monitor interface on the monitoring device to see the traffic of interest.

Otherwise this can be achieved on the command line by editing the switch section of the network config file (/etc/config/network).

Update: With the newer versions of OpenWRT (v21 onwards) on some platforms they have started to migrate to the new Distributed Switch Architecture (DSA), which is controlled via the Interfaces UI. It can also be configured on the command line using the tc command to configure the mirred action on the appropriate ports.

Note: There are often limitations to port mirroring, as the switch hardware in many platforms may not connect directly to all interfaces - this means that you might only be able to mirror LAN or WAN traffic. But you should be able to set up some iptables rules (as described above) to redirect/mirror the remaining traffic.

Pierz
  • 1,869
  • 21
  • 15
  • Network -> Switch does not exist in version 2021 – mama Nov 15 '21 at 14:39
  • In OpenWRT release 21 they have started to introduce the newer Distributed Switch Architecture (DSA) on some platforms: https://openwrt.org/releases/21.02/notes-21.02.0 - I'll update the answer. – Pierz Nov 15 '21 at 16:19
  • Thank you ! :-) – mama Nov 15 '21 at 16:21
3

A patch for OpenWrt to enable port mirroring on your hardware is available, though it has received only limited testing. You can, of course, apply and test it yourself.

Michael Hampton
  • 13,635
  • 4
  • 45
  • 76
  • I referred to this feature in my question. The problem is when mirroring the WAN port - you only get the public router IP and the IP of the destination server. But I want the **internal IPs** of the clients and their exact connections to feed the snort sensor with. – user3200534 May 17 '14 at 03:32
  • If you want to mirror a different port, then you need to select that port! – Michael Hampton May 17 '14 at 03:38
  • Yes, you can choose between 1-4 LAN slots (ports). No WLan! No VPN! Only eth-ports at backside of the device or port 0 (= WAN). That is very far from **all** traffic of the router. – user3200534 May 17 '14 at 03:44
  • Hmm. I don't think you can mirror _all_ traffic. This is, after all, a function of the _hardware switch_. So you won't get WLAN traffic, for instance, or traffic on virtual interfaces. Someone else in a similar situation may find this useful, though. – Michael Hampton May 17 '14 at 07:09
  • Can you share details on how you would apply this patch? – AK_ Nov 10 '18 at 20:30
  • @AK_ You wouldn't apply this patch. It is already present in current releases of OpenWrt since Chaos Calmer. – Michael Hampton Nov 10 '18 at 22:38
  • @MichaelHampton so basically we can do this by modifying the config files (no need for iptables); can you maybe update your answer and shed some light on how to do this? – AK_ Nov 12 '18 at 09:53