Hi guys,
this is the scenario: There is a nice network with lots of clients, servers, switches and finally a core switch with a connection to the firewall / internet. On the core switch is a port mirror which transfers all the traffic to the firewall to a server on an extra NIC.
Now the idea is to have Proxmox running on that server, because we will not only be using an IDS for network traffic inspection but also additional applications which will require their own VMs. So I would like to use Proxmox and have the IDS in its own VM (Suricata 7 on Ubuntu).
So the Proxmox installation currently has 2 active NICs and 2 bridges:
The port mirror sends its data to eno2. If I run tcpdump -i vmbr1 I see the data in the pve node:
(IP 10.13.13.100 is a different server which requested data from the website 105.89.154.104)
Now is the big question: How can I configure Proxmox so all the data the bridge sees (thanks to promisc mode) is being transferred to my IDS VM and I can run tcpdump -i ens19 on my VM and see the same?
I tried a lot of things. The obvious idea was to simply connect vmbr1 to a NIC in the VM and run the NIC (net1) in promisc mode:
tcpdump -i ens19 in the VM only shows some bridge stuff:
So I went further and tried... lots of stuff. Iptables forwarding for example:
tap100i1 is also in promisc mode. Didn't work.
Tried to connect the vmbr bridge with the NIC using veth - didn't work.
I even went so far as to use a Python script which should transfer all data via raw socket - didn't work.
I could simply run Suricata 7 in the pve node itself, I tested that and it works. But surely there is another way? Any help is much appreciated.
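The symptom described in the post (only broadcast and "bridge stuff" reaching ens19) is what a learning Linux bridge produces when it is fed a port mirror: the mirror carries both directions of every flow into eno2, so the bridge learns every destination MAC on eno2, and a unicast frame whose learned egress port equals its ingress port is dropped instead of being forwarded to the VM's tap. Only broadcast, multicast and unknown-unicast frames get flooded. The script below is an added example, not part of the original post or of Proxmox; it shows the two host-side ways around this: turning vmbr1 into a hub (no MAC learning, ageing time 0, so every frame floods to every port) or mirroring eno2's ingress straight into the tap with tc mirred, bypassing the bridge's forwarding database entirely. It assumes the names from the post (vmbr1, eno2, tap100i1 for net1 of VMID 100); the DRY_RUN switch and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names, taken from the
# post: the mirror NIC is eno2, it is a port of vmbr1, and the IDS VM is VMID
# 100 with its sniffing NIC as net1, so the host-side tap is tap100i1.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

BRIDGE=${BRIDGE:-vmbr1}
MIRROR_PORT=${MIRROR_PORT:-eno2}
IDS_TAP=${IDS_TAP:-tap100i1}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Option A: make vmbr1 behave like a hub.
# With ageing_time 0 the kernel treats every learned FDB entry as already
# expired, so unicast frames are flooded to all ports instead of being
# dropped because "the destination lives on the ingress port".
hub_mode() {
    run ip link set dev "$BRIDGE" type bridge ageing_time 0
    # Stop learning on both ports so the FDB stays empty in the first place.
    run bridge link set dev "$MIRROR_PORT" learning off
    run bridge link set dev "$IDS_TAP" learning off
    # Both ports must accept frames for foreign MACs.
    run ip link set dev "$MIRROR_PORT" promisc on
    run ip link set dev "$IDS_TAP" promisc on
    # Receive-only sensor: never flood anything the VM emits out of the
    # mirror port (flood controls what the bridge sends OUT of a port).
    run bridge link set dev "$MIRROR_PORT" flood off mcast_flood off bcast_flood off
}

# Option B: copy every frame arriving on eno2 into the tap with tc.
# mirred transmits the copy directly on tap100i1, so the bridge FDB is never
# consulted. eno2 must NOT be a bridge port here, or the VM sees duplicates.
tc_mirror() {
    run ip link set dev "$MIRROR_PORT" up promisc on
    run tc qdisc add dev "$MIRROR_PORT" handle ffff: ingress
    run tc filter add dev "$MIRROR_PORT" parent ffff: protocol all prio 1 matchall \
        action mirred egress mirror dev "$IDS_TAP"
}

# Check that the hub-mode settings actually took effect (live mode only).
verify_hub_mode() {
    ip -d link show dev "$BRIDGE" | grep -q 'ageing_time 0' || return 1
    bridge -d link show dev "$IDS_TAP" | grep -q 'learning off' || return 1
    bridge -d link show dev "$MIRROR_PORT" | grep -q 'flood off' || return 1
    return 0
}

case "${1:-}" in
    hub)    hub_mode && [ "$DRY_RUN" = 1 ] || verify_hub_mode ;;
    mirror) tc_mirror ;;
    "")     ;;  # sourced or run without arguments: define functions only
    *)      echo "usage: $0 hub|mirror" >&2; exit 2 ;;
esac
```

Two caveats a practitioner will hit: Proxmox recreates tap100i1 every time the VM starts and ifupdown2 rewrites bridge settings on `ifreload -a`, so the per-tap commands belong in a VM hookscript (`qm set 100 --hookscript ...`) or a `post-up` line, and the bridge-level setting can be persisted as `bridge-ageing 0` in the vmbr1 stanza of /etc/network/interfaces. Inside the guest, leave ens19 without an IP address so the sensor stays receive-only; tcpdump and Suricata put it in promiscuous mode themselves. Check the result with `tcpdump -ni ens19 host 10.13.13.100` in the VM while the same filter runs on vmbr1 on the node: the two captures should now show the same unicast flows, not just ARP and STP.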