I have a 2-NIC setup and I tried to configure Security Onion, but I seem to see only broadcast traffic. Below are my interfaces file and mirror scripts. Kindly let me know what I am doing wrong; if there is a better setup, I would not mind exploring that as well.
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!
auto lo
iface lo inet loopback
# eno1: the physical NIC that vmbr0 bridges (see bridge-ports below), forced
# up and into promiscuous mode.
# NOTE(review): the two `up` lines below say `link set`, while the vmbr0
# stanza further down says `ip link set`; as written the hook would try to
# run a command named `link`. Confirm with `ifup -v eno1` and prepend `ip `
# if it errors.
allow-hotplug eno1
iface eno1 inet manual
up link set $IFACE up
up link set $IFACE promisc on
# eno2 is declared but has no `auto` and is not a member of any bridge —
# unused as far as this file shows.
iface eno2 inet manual
auto enx00249b69acb0
iface enx00249b69acb0 inet manual
# vmbr0: carries the host's management IP and is the SOURCE of the tc
# mirror (mirror-up.sh copies vmbr0 ingress+egress onto vmbr2). Its only
# member port is eno1, so the mirror can never contain more than what eno1
# itself receives/sends.
# NOTE(review): on an ordinary switch port eno1 only receives frames for
# the host's/VMs' MACs plus broadcast/multicast — which matches the
# "only broadcast" symptom. For the sensor to see other hosts' traffic the
# port feeding eno1 (or a dedicated NIC) has to be a switch SPAN/mirror
# port or a TAP; confirm on the switch side.
auto vmbr0
iface vmbr0 inet static
address 192.168.1.74/24
gateway 192.168.1.1
bridge-ports eno1
bridge-ageing 0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
# Duplicate of the bridge-ageing 0 line above; harmless but redundant.
bridge-ageing 0
up ip link set $IFACE up
up ip link set $IFACE promisc on
# NOTE(review): the #LAN / #WAN / # LAN Mirror labels in this file sit
# AFTER the stanza they appear to describe (vmbr0 = LAN, vmbr1 = WAN,
# vmbr2 = LAN Mirror) — presumably; verify and move them above the stanzas.
#LAN
# vmbr1: bridges the USB NIC enx00249b69acb0; no IP, no mirror hooks.
auto vmbr1
iface vmbr1 inet manual
bridge-ports enx00249b69acb0
bridge-stp off
bridge-fd 0
#WAN
# vmbr2: the mirror DESTINATION. It has no physical port (bridge-ports
# none); the sensor VM's monitor NIC is expected to attach here. The
# post-up/pre-down hooks install and remove the tc mirror on vmbr0.
# NOTE(review): every VM NIC attached to vmbr2 receives a copy of ALL vmbr0
# traffic, including the host's own management traffic — attach only the
# sensor's monitor interface here.
# NOTE(review): vmbr0 has bridge-ageing 0 but vmbr2 does not; if the intent
# was for the mirror bridge to flood every copied frame to the sensor port
# regardless of destination MAC, that setting belongs here — confirm.
auto vmbr2
iface vmbr2 inet manual
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
up ip link set $IFACE promisc on
post-up /etc/network/mirror.d/mirror-up.sh
pre-down /etc/network/mirror.d/mirror-down.sh
down ip link set $IFACE promisc off
# LAN Mirror
These are the two code files:
mirror-up.sh
Code:
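#!/bin/sh
# mirror-up.sh — copy every frame the source device sees (ingress and
# egress) onto the destination bridge with tc/mirred, so a sensor VM whose
# NIC is attached to $dif receives a duplicate of the traffic.
# Runs as the post-up hook of vmbr2 (see /etc/network/interfaces).
#
# Globals:   sif - device whose traffic is copied (mirror source)
#            dif - device the copies are transmitted out of (mirror target)
# Returns:   0 once both mirror filters are installed; non-zero (via set -e)
#            as soon as any tc call fails, so ifup reports the problem
#            instead of leaving a half-configured mirror behind.
#
# NOTE(review): a mirror can only copy what $sif actually receives. With
# the source set to the bridge device (vmbr0) rather than its physical port,
# the ingress hook presumably sees only frames the bridge hands up to the
# host stack (host-addressed, broadcast/multicast and flooded unicast), and
# the egress hook only frames the host itself sends; frames switched between
# eno1 and VM taps would not be copied. The usual choice is sif=eno1 — and
# the port feeding eno1 must be a switch SPAN/mirror port or a TAP, since an
# ordinary access port delivers little more than broadcast. Confirm on the
# switch side before changing.
set -eu

sif=vmbr0
dif=vmbr2

# Remove leftovers from an earlier run so re-running the hook (e.g. after an
# ifreload) does not fail with "File exists". On a clean boot there is
# nothing to delete, so the errors are expected — hence the deliberate
# 2>/dev/null || true.
tc qdisc del dev "$sif" ingress 2>/dev/null || true
tc qdisc del dev "$sif" root 2>/dev/null || true

# ingress: attach an ingress qdisc and a catch-all u32 filter
# (`match u8 0 0` matches every packet) whose action mirrors each frame
# out of $dif.
tc qdisc add dev "$sif" ingress
tc filter add dev "$sif" parent ffff: \
  protocol all \
  u32 match u8 0 0 \
  action mirred egress mirror dev "$dif"

# egress: the same catch-all filter on a prio root qdisc, so frames leaving
# $sif are copied too.
tc qdisc add dev "$sif" handle 1: root prio
tc filter add dev "$sif" parent 1: \
  protocol all \
  u32 match u8 0 0 \
  action mirred egress mirror dev "$dif"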
mirror-down.sh
Code:
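#!/bin/sh
# mirror-down.sh — undo mirror-up.sh: remove the ingress qdisc and the prio
# root qdisc (and with them the mirred filters) from the mirror source.
# Runs as the pre-down hook of vmbr2 (see /etc/network/interfaces).
#
# Globals:   sif - device the mirror was installed on; must match the value
#                  in mirror-up.sh
# Returns:   0. Either qdisc may already be gone (mirror-up.sh failed
#            half-way, or the device was reconfigured), and a teardown hook
#            must not stop ifdown from completing, so tc failures are
#            tolerated on purpose; tc's own message still goes to stderr so
#            the operator can see it.
set -u

sif=vmbr0

tc qdisc del dev "$sif" ingress || true
tc qdisc del dev "$sif" root || true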
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!
auto lo
iface lo inet loopback
# eno1: the physical NIC that vmbr0 bridges (see bridge-ports below), forced
# up and into promiscuous mode.
# NOTE(review): the two `up` lines below say `link set`, while the vmbr0
# stanza further down says `ip link set`; as written the hook would try to
# run a command named `link`. Confirm with `ifup -v eno1` and prepend `ip `
# if it errors.
allow-hotplug eno1
iface eno1 inet manual
up link set $IFACE up
up link set $IFACE promisc on
# eno2 is declared but has no `auto` and is not a member of any bridge —
# unused as far as this file shows.
iface eno2 inet manual
auto enx00249b69acb0
iface enx00249b69acb0 inet manual
# vmbr0: carries the host's management IP and is the SOURCE of the tc
# mirror (mirror-up.sh copies vmbr0 ingress+egress onto vmbr2). Its only
# member port is eno1, so the mirror can never contain more than what eno1
# itself receives/sends.
# NOTE(review): on an ordinary switch port eno1 only receives frames for
# the host's/VMs' MACs plus broadcast/multicast — which matches the
# "only broadcast" symptom. For the sensor to see other hosts' traffic the
# port feeding eno1 (or a dedicated NIC) has to be a switch SPAN/mirror
# port or a TAP; confirm on the switch side.
auto vmbr0
iface vmbr0 inet static
address 192.168.1.74/24
gateway 192.168.1.1
bridge-ports eno1
bridge-ageing 0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
# Duplicate of the bridge-ageing 0 line above; harmless but redundant.
bridge-ageing 0
up ip link set $IFACE up
up ip link set $IFACE promisc on
# NOTE(review): the #LAN / #WAN / # LAN Mirror labels in this file sit
# AFTER the stanza they appear to describe (vmbr0 = LAN, vmbr1 = WAN,
# vmbr2 = LAN Mirror) — presumably; verify and move them above the stanzas.
#LAN
# vmbr1: bridges the USB NIC enx00249b69acb0; no IP, no mirror hooks.
auto vmbr1
iface vmbr1 inet manual
bridge-ports enx00249b69acb0
bridge-stp off
bridge-fd 0
#WAN
# vmbr2: the mirror DESTINATION. It has no physical port (bridge-ports
# none); the sensor VM's monitor NIC is expected to attach here. The
# post-up/pre-down hooks install and remove the tc mirror on vmbr0.
# NOTE(review): every VM NIC attached to vmbr2 receives a copy of ALL vmbr0
# traffic, including the host's own management traffic — attach only the
# sensor's monitor interface here.
# NOTE(review): vmbr0 has bridge-ageing 0 but vmbr2 does not; if the intent
# was for the mirror bridge to flood every copied frame to the sensor port
# regardless of destination MAC, that setting belongs here — confirm.
auto vmbr2
iface vmbr2 inet manual
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
up ip link set $IFACE promisc on
post-up /etc/network/mirror.d/mirror-up.sh
pre-down /etc/network/mirror.d/mirror-down.sh
down ip link set $IFACE promisc off
# LAN Mirror
These are the two code files:
mirror-up.sh
Code:
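#!/bin/sh
# mirror-up.sh — copy every frame the source device sees (ingress and
# egress) onto the destination bridge with tc/mirred, so a sensor VM whose
# NIC is attached to $dif receives a duplicate of the traffic.
# Runs as the post-up hook of vmbr2 (see /etc/network/interfaces).
#
# Globals:   sif - device whose traffic is copied (mirror source)
#            dif - device the copies are transmitted out of (mirror target)
# Returns:   0 once both mirror filters are installed; non-zero (via set -e)
#            as soon as any tc call fails, so ifup reports the problem
#            instead of leaving a half-configured mirror behind.
#
# NOTE(review): a mirror can only copy what $sif actually receives. With
# the source set to the bridge device (vmbr0) rather than its physical port,
# the ingress hook presumably sees only frames the bridge hands up to the
# host stack (host-addressed, broadcast/multicast and flooded unicast), and
# the egress hook only frames the host itself sends; frames switched between
# eno1 and VM taps would not be copied. The usual choice is sif=eno1 — and
# the port feeding eno1 must be a switch SPAN/mirror port or a TAP, since an
# ordinary access port delivers little more than broadcast. Confirm on the
# switch side before changing.
set -eu

sif=vmbr0
dif=vmbr2

# Remove leftovers from an earlier run so re-running the hook (e.g. after an
# ifreload) does not fail with "File exists". On a clean boot there is
# nothing to delete, so the errors are expected — hence the deliberate
# 2>/dev/null || true.
tc qdisc del dev "$sif" ingress 2>/dev/null || true
tc qdisc del dev "$sif" root 2>/dev/null || true

# ingress: attach an ingress qdisc and a catch-all u32 filter
# (`match u8 0 0` matches every packet) whose action mirrors each frame
# out of $dif.
tc qdisc add dev "$sif" ingress
tc filter add dev "$sif" parent ffff: \
  protocol all \
  u32 match u8 0 0 \
  action mirred egress mirror dev "$dif"

# egress: the same catch-all filter on a prio root qdisc, so frames leaving
# $sif are copied too.
tc qdisc add dev "$sif" handle 1: root prio
tc filter add dev "$sif" parent 1: \
  protocol all \
  u32 match u8 0 0 \
  action mirred egress mirror dev "$dif"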
mirror-down.sh
Code:
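#!/bin/sh
# mirror-down.sh — undo mirror-up.sh: remove the ingress qdisc and the prio
# root qdisc (and with them the mirred filters) from the mirror source.
# Runs as the pre-down hook of vmbr2 (see /etc/network/interfaces).
#
# Globals:   sif - device the mirror was installed on; must match the value
#                  in mirror-up.sh
# Returns:   0. Either qdisc may already be gone (mirror-up.sh failed
#            half-way, or the device was reconfigured), and a teardown hook
#            must not stop ifdown from completing, so tc failures are
#            tolerated on purpose; tc's own message still goes to stderr so
#            the operator can see it.
set -u

sif=vmbr0

tc qdisc del dev "$sif" ingress || true
tc qdisc del dev "$sif" root || true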