[SOLVED] Issues passing Traffic to network sensor

Jan 6, 2023
I have an IDS stood up inside of Proxmox. I am attempting to use the monitor port on the sensor connected to a bridge shared by a few containers chatting across vmbr1 and vmbr2. I am hoping to sit the monitor port on vmbr2 to see all traffic that should be crossing vmbr2.

However, vmbr2 does not seem to see the same traffic that the physical adapter (eno1) sees. Below is a rough diagram of the layout, my network config and my tcpdump results to demonstrate how traffic is seen on eno1 but is not passed to vmbr2 for some reason. Any recommendations for how I can forward traffic from eno1 to vmbr2?

Diagram: (image)

TCP dump results:

Code:
# tcpdump -i vmbr2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:29:47.138308 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e0:46:ee:1f:9c:01.8006, length 36
11:29:47.896185 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:48.903311 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:49.137879 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e0:46:ee:1f:9c:01.8006, length 36
11:29:49.927284 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:50.951257 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:51.138145 STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e0:46:ee:1f:9c:01.8006, length 36

# tcpdump -i eno1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:29:39.844457 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [S], seq 756577353, win 64240, options [mss 1460,sackOK,TS val 3169306829 ecr 0,nop,wscale 7], length 0
11:29:39.844589 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [S.], seq 3953533304, ack 756577354, win 65160, options [mss 1460,sackOK,TS val 327632761 ecr 3169306829,nop,wscale 7], length 0
11:29:39.845027 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], ack 1, win 502, options [nop,nop,TS val 3169306829 ecr 327632761], length 0
11:29:39.845228 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [P.], seq 1:13, ack 1, win 502, options [nop,nop,TS val 3169306829 ecr 327632761], length 12
11:29:39.845268 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [.], ack 13, win 509, options [nop,nop,TS val 327632762 ecr 3169306829], length 0
11:29:39.845345 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [P.], seq 1:30, ack 13, win 509, options [nop,nop,TS val 327632762 ecr 3169306829], length 29
11:29:39.845639 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], ack 30, win 502, options [nop,nop,TS val 3169306830 ecr 327632762], length 0
11:29:39.845647 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [F.], seq 13, ack 30, win 502, options [nop,nop,TS val 3169306830 ecr 327632762], length 0
11:29:39.845809 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [F.], seq 30, ack 14, win 509, options [nop,nop,TS val 327632762 ecr 3169306830], length 0
11:29:39.846158 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], ack 31, win 502, options [nop,nop,TS val 3169306830 ecr 327632762], length 0

Network Config:

Code:
auto lo
iface lo inet loopback

auto enx00249b7457e9
iface enx00249b7457e9 inet manual

auto enp3s0
iface enp3s0 inet manual

auto eno1
iface eno1 inet manual
        up ip link set $IFACE promisc on

auto vmbr0
iface vmbr0 inet static
        bridge-ports enx00249b7457e9
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-ageing 0
        up ip link set $IFACE promisc on
        post-up /etc/network/mirror-up.sh

mirror.sh
Code:
#!/bin/sh
# Mirror every frame that enters or leaves $sif onto $dif using tc mirred.
sif=eno1
dif=vmbr2

# ingress: attach the ingress qdisc (handle ffff:) and a catch-all u32 filter
# ("match u8 0 0" matches any packet) whose action copies each frame to $dif
tc qdisc add dev "$sif" ingress
tc filter add dev "$sif" parent ffff: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"

# egress: a root prio qdisc is needed only as a filter attachment point;
# the same catch-all filter mirrors outgoing frames to $dif
tc qdisc add dev "$sif" handle 1: root prio
tc filter add dev "$sif" parent 1: \
        protocol all \
        u32 match u8 0 0 \
        action mirred egress mirror dev "$dif"
 
Solved by making vmbr2 VLAN-aware; there was no need for the monitor script.

Below is the working network interface config:

Code:
auto lo
iface lo inet loopback

auto enx00249b7457e9
iface enx00249b7457e9 inet manual

auto enp3s0
iface enp3s0 inet manual

auto eno1
iface eno1 inet manual
        up ip link set $IFACE promisc on

auto vmbr0
iface vmbr0 inet static
        bridge-ports enx00249b7457e9
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        bridge-ageing 0
        up ip link set $IFACE promisc on
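
The symptom in the thread is easy to misread: tcpdump on vmbr2 was not silent, it just showed STP and ARP, which a bridge floods to every port anyway, while eno1 carried the TCP conversation to port 502. A quick way to validate a sensor feed is to compare what the source interface saw with what actually reached the monitor port and flag the case where only flooded frames arrive. The script below is an added example, not the poster's or Proxmox's own tooling; its sample input is constructed from the tcpdump lines quoted in the thread (TCP options trimmed), and the verdict names are my own.

```python
#!/usr/bin/env python3
"""Check whether a monitor port receives the unicast flows its source interface sees.

Added example, not from the forum post: parses tcpdump text from the source
interface (eno1) and the monitor interface (vmbr2) and reports whether the
monitor port gets real flows or only frames every bridge port would see anyway.
"""
import re
from collections import Counter

# One tcpdump line: timestamp, protocol keyword (IP, ARP, STP, ...), remainder.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<proto>[A-Za-z0-9]+),? (?P<rest>.*)$")
# The "src.port > dst.port:" prefix tcpdump prints for IPv4 TCP/UDP packets.
IP_FLOW_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
# Frames a bridge floods to every port; seeing only these proves nothing about unicast.
FLOODED = {"STP", "ARP"}

# Constructed sample input: the tcpdump lines from the thread, details trimmed.
MONITOR_CAPTURE = """\
listening on vmbr2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:29:47.138308 STP 802.1w, Rapid STP, length 36
11:29:47.896185 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:48.903311 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:49.137879 STP 802.1w, Rapid STP, length 36
11:29:49.927284 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:50.951257 ARP, Request who-has 1.1.1.1 tell 2.2.2.2, length 46
11:29:51.138145 STP 802.1w, Rapid STP, length 36
"""
SOURCE_CAPTURE = """\
listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:29:39.844457 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [S], length 0
11:29:39.844589 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [S.], length 0
11:29:39.845027 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], length 0
11:29:39.845228 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [P.], length 12
11:29:39.845268 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [.], length 0
11:29:39.845345 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [P.], length 29
11:29:39.845639 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], length 0
11:29:39.845647 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [F.], length 0
11:29:39.845809 IP 10.10.1.11.502 > 10.10.0.9.39522: Flags [F.], length 0
11:29:39.846158 IP 10.10.0.9.39522 > 10.10.1.11.502: Flags [.], length 0
"""


def parse_tcpdump(text):
    """Return one dict per packet line: {'proto': str, 'flow': tuple | None}.
    Banner lines without a leading timestamp are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = None
        if m["proto"] == "IP":
            f = IP_FLOW_RE.match(m["rest"])
            if f:
                # Sort the endpoints so both directions of a conversation share one key.
                ends = [(f["src"], int(f["sport"])), (f["dst"], int(f["dport"]))]
                flow = tuple(sorted(ends))
        packets.append({"proto": m["proto"], "flow": flow})
    return packets


def unicast_flows(packets):
    """Set of (endpoint, endpoint) keys for the IPv4 TCP/UDP packets seen."""
    return {p["flow"] for p in packets if p["flow"] is not None}


def check_monitor_feed(source_text, monitor_text):
    """Compare what the source interface saw with what reached the monitor port."""
    src = parse_tcpdump(source_text)
    mon = parse_tcpdump(monitor_text)
    src_flows = unicast_flows(src)
    missing = sorted(src_flows - unicast_flows(mon))
    flooded_only = bool(mon) and all(p["proto"] in FLOODED for p in mon)
    if not mon:
        verdict = "NO_TRAFFIC"            # monitor port is completely silent
    elif src_flows and len(missing) == len(src_flows):
        verdict = "UNICAST_NOT_MIRRORED"  # the thread's symptom: only STP/ARP arrive
    elif missing:
        verdict = "PARTIAL"               # some flows lost, worth checking VLAN filtering
    else:
        verdict = "OK"
    return {
        "source_protocols": Counter(p["proto"] for p in src),
        "monitor_protocols": Counter(p["proto"] for p in mon),
        "missing_flows": missing,
        "flooded_only": flooded_only,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in check_monitor_feed(SOURCE_CAPTURE, MONITOR_CAPTURE).items():
        print(f"{key}: {value}")
```

Run it against the thread's captures and the verdict is UNICAST_NOT_MIRRORED with flooded_only set, which is exactly the state a sensor operator should treat as "the tap is not wired up" rather than "the network is quiet". After the bridge change in the working config above, rerunning the same comparison with fresh tcpdump output from both interfaces should return OK.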
 