I've set up a firewall/router/access point system using FreeBSD, and I'm having problems getting a SPAN port to function properly.
The setup:
I have three wired ethernet interfaces: re0, re1, re2
I have one wireless interface: ath0
re0 is the WAN/internet port. re1 and ath0 are bridged together into bridge0 which has my LAN IP on it. re2 is a member of bridge0 as a span.
From a routing and firewall perspective, everything functions perfectly. Endpoints connecting to the network via re1 or ath0 can see and communicate with each other as if they're on the same physical network, and all endpoints can make connections through the WAN interface (re0) perfectly well.
The issue comes with the SPAN port. It's active and the sniffer box I have plugged into re2 is seeing traffic generated by the SPAN. However, it's only the traffic where the packet physically enters either ath0 or re1. If the packet is generated by the box itself on the bridge, or forwarded to the bridge from the WAN (re0) interface, the packet is not copied to the SPAN port. This results in only seeing the DNS query from an endpoint and not the answer, or the initial SYN packet of a TCP session and not the resulting SYN-ACK. Effectively, I can only see one side of internet-bound traffic.
I've verified this via tcpdump on the SPAN on the offending box, as well as looking at traffic on the sniffer system; the traffic is identical.
What am I missing? Is there a configuration option somewhere which will make sure that all packets hitting the bridge no matter the source are sent on the SPAN interface?
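A check for the symptom described above, added here as an example and not part of the original question: it takes the text output of `tcpdump -n` from the sniffer attached to the span port, pairs packets into flows by endpoint, and reports flows where only one direction was ever captured. Splitting the one-sided flows by whether both endpoints sit on the mirrored LAN makes the pattern in the question visible at a glance: LAN-to-LAN flows (frames received on re1/ath0 in both directions) show both directions, while anything whose reply is generated by the router itself or routed in from re0 shows only the client side. The sample capture, the LAN prefix 192.168.1.0/24 and the router LAN address 192.168.1.1 are constructed for the example; substitute your own.

```python
"""Check a tcpdump -n text capture from a span/mirror port for one-sided flows.

Added example (not from the original post). Groups packets by unordered
endpoint pair and reports flows where only one direction was seen. Splitting
the result by whether both endpoints are inside the mirrored LAN prefix
shows whether the mirror copies only frames the bridge *received* and not
frames it transmitted (locally generated replies or traffic routed in from
the WAN).
"""
import ipaddress
import re
from collections import defaultdict

# Start of an IPv4 line from `tcpdump -n`: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample: a LAN host at 192.168.1.10, another at 192.168.1.20,
# the router's bridge address assumed to be 192.168.1.1 (also the DNS server).
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.54321 > 1.1.1.1.53: 12345+ A? example.com. (29)
12:00:01.000300 IP 192.168.1.10.50000 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
12:00:01.002000 IP 192.168.1.20.51000 > 192.168.1.10.22: Flags [S], seq 7, win 65535, length 0
12:00:01.002100 IP 192.168.1.10.22 > 192.168.1.20.51000: Flags [S.], seq 9, ack 8, win 65535, length 0
12:00:01.005000 IP 192.168.1.20.40000 > 192.168.1.1.53: 222+ A? router.lan. (28)
""".splitlines()


def parse_packets(lines):
    """Yield (src_ip, sport, dst_ip, dport) for every line that parses."""
    for line in lines:
        m = _LINE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def flow_directions(packets):
    """Map each flow (unordered endpoint pair) to the set of directions seen."""
    flows = defaultdict(set)
    for src, sport, dst, dport in packets:
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)   # canonical order, so both directions share a key
        flows[key].add((a, b))
    return flows


def one_sided_flows(lines, lan_prefix):
    """Return {"lan": [...], "external": [...]} listing flows seen in one direction only.

    "lan" holds flows where both endpoints are inside lan_prefix; "external"
    holds the rest. A lone unanswered probe is also reported here, so treat
    a single entry as noise and a systematic pattern as the mirror's fault.
    """
    lan = ipaddress.ip_network(lan_prefix)
    result = {"lan": [], "external": []}
    for (a, b), dirs in flow_directions(parse_packets(lines)).items():
        if len(dirs) == 2:
            continue
        both_lan = all(ipaddress.ip_address(ip) in lan for ip, _ in (a, b))
        result["lan" if both_lan else "external"].append((a, b))
    return result


if __name__ == "__main__":
    # Real use: tcpdump -n -i <sniffer-iface> > span.txt ; python3 this.py
    for kind, flows in one_sided_flows(SAMPLE, "192.168.1.0/24").items():
        print(f"{kind}: {len(flows)} one-sided flow(s)")
        for a, b in flows:
            print(f"  {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

On the sample, the SSH session between the two LAN hosts shows both directions, while the two Internet-bound flows and the DNS query to the router itself are one-sided, which is exactly the picture a mirror that copies only received frames produces. Comparing this output against the same check run on a `tcpdump -n -i bridge0` capture taken on the router tells you whether the missing packets exist on the bridge at all.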