VLAN passthrough to IDS VM

wolfini

New Member
May 25, 2025
Hi everyone,


I’m pretty new to Proxmox and I'm trying to get full VLAN-tagged traffic into a VM for IDS purposes. Here’s what I’ve done so far:
  • I have an Aruba switch mirroring all VLAN traffic to a specific port.
  • That mirror port is physically connected to my Proxmox host.
  • If I run tcpdump directly on the Proxmox host, I can see all VLAN-tagged traffic from various VLANs (0x8100, etc.).

Now the problem:
I want to pass this raw mirrored traffic directly into my IDS VM without PVE stripping any VLAN tags.

I created a dedicated bridge for the IDS VM; here is my /etc/network/interfaces:
auto eno5
iface eno5 inet manual

auto eno6
iface eno6 inet manual

auto eno7
iface eno7 inet static
    address 10.10.215.4/24
    gateway 10.10.215.254

auto eno8
iface eno8 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves eno5 eno6
    bond-miimon 100
    bond-mode 802.3ad

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbrsniff
iface vmbrsniff inet manual
    bridge-ports eno8
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094


The VM's network interface has no VLAN tag assigned, yet inside the VM I only see broadcast traffic; no unicast or tagged packets appear.

I would really appreciate any help from the community.


Thanks in advance!
 
For such setups it might be easiest to do a PCI passthrough of the network device to the VM that should receive the mirrored traffic.
 
For such setups it might be easiest to do a PCI passthrough of the network device to the VM that should receive the mirrored traffic.
Thank you so much for this hint, it finally works now. I just did a PCI passthrough and the full traffic of the physical interface gets into my VM.
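
A check for the symptom described in this thread (only broadcast, no tagged unicast, inside the VM), added here as an example and not part of the original posts: it parses raw Ethernet frames, walks any 802.1Q tags, and reports whether tagged unicast traffic reaches the capture point. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # the tag type the post sees with tcpdump on the host
TPID_8021AD = 0x88A8  # outer tag type used for stacked (QinQ) VLANs

def classify(frame: bytes):
    """Return (cast, vlan_ids) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    if dst == b"\xff" * 6:
        cast = "broadcast"
    elif dst[0] & 0x01:          # group bit in the first octet
        cast = "multicast"
    else:
        cast = "unicast"
    vlans, offset = [], 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        vlans.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4              # skip this tag, look at the next EtherType
    return cast, tuple(vlans)

def summarize(frames):
    """Count frames per (cast, tagged/untagged) pair."""
    counts = Counter()
    for f in frames:
        cast, vlans = classify(f)
        counts[(cast, "tagged" if vlans else "untagged")] += 1
    return counts

def mirror_looks_complete(counts):
    """True only if tagged unicast frames reach the capture point."""
    return counts[("unicast", "tagged")] > 0

def make_frame(dst: bytes, vlan=None):
    """Build a constructed sample frame (not captured traffic)."""
    src = bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

BCAST, UCAST = b"\xff" * 6, bytes.fromhex("020000000002")
HOST_SAMPLE = [make_frame(UCAST, 10), make_frame(BCAST, 20)]  # as seen on the host
VM_SAMPLE = [make_frame(BCAST)]                               # as seen in the VM
```

Run it over frames captured on the host and inside the VM; if only the host sample passes, tagged or unicast frames are being dropped between the physical port and the guest.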