
I'm trying to set up SO in my home network as a lab to see if I can monitor all ingress/egress traffic from my SOHO router. I don't have a switch with SPAN ports or a network tap, so I'm using OpenWRT in combination with the iptables mirroring functionality (the TEE target).

My management interface on my SO VM is 192.168.1.100/24. I'm using the following iptables rules, added via SSL to OpenWRT and verified in the Status -> Firewall web UI.

# mangle/PREROUTING: copy every packet destined for 192.168.1.0/24 to the sensor at .100
iptables -t mangle -A PREROUTING -d 192.168.1.0/24 -j TEE --gateway 192.168.1.100

# mangle/POSTROUTING: copy every packet sourced from 192.168.1.0/24 to the sensor at .100
iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -j TEE --gateway 192.168.1.100

OpenWRT says that it is indeed sending traffic on the .1 subnet to .100; however, when I log into the SO machine and try to trigger IDS events from another machine on the subnet, nothing flags. I tried running tcpdump to check traffic, and I'm not seeing any foreign traffic on the VM either. All I see are DHCP requests.

Thoughts on what I might be doing wrong here? Appreciate any assistance!

Update 1/13/18 - Resolved the issue. The wireless card was having trouble with VMware and promiscuous mode. Once I swapped to a cable, I was able to see all inbound traffic from other hosts in the subnet!
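An added example, not the asker's rules and not part of the original question: a small OpenWrt-side script that installs TEE mirroring in the mangle FORWARD chain instead of PREROUTING/POSTROUTING, and keeps the sensor's own traffic out of the mirror. Interface names (br-lan, eth0.2), the sensor address and the package names are assumptions to adjust for your own router; the TEE target needs the iptables-mod-tee and kmod-ipt-tee packages on OpenWrt.

```shell
#!/bin/sh
# Added example (not the asker's rules): mirror forwarded traffic on an OpenWrt
# router to an IDS sensor with the iptables TEE target.
# Assumed (hypothetical) names, edit to match your router:
SENSOR="192.168.1.100"   # the sensor/management address the copies go to
LAN_IF="br-lan"          # OpenWrt LAN bridge
WAN_IF="eth0.2"          # OpenWrt WAN interface
# Prerequisite (package names as on OpenWrt, verify with opkg):
#   opkg install iptables-mod-tee kmod-ipt-tee

# Emit the rules, one per line (arguments only, no "iptables" prefix).
# Why mangle FORWARD rather than mangle PREROUTING/POSTROUTING: on a router
# that masquerades, mangle PREROUTING runs before the nat table undoes the
# NAT on replies, so "-d 192.168.1.0/24" does not match WAN->LAN packets
# (their destination is still the WAN address at that point). mangle FORWARD
# runs after nat PREROUTING and before nat POSTROUTING, so both directions
# still carry the LAN host's address. The MIRROR chain skips the sensor's
# own traffic so the copies TEE sends are not themselves eligible for copying.
tee_rules() {
    cat <<EOF
-t mangle -N MIRROR
-t mangle -A MIRROR -s $SENSOR -j RETURN
-t mangle -A MIRROR -d $SENSOR -j RETURN
-t mangle -A MIRROR -j TEE --gateway $SENSOR
-t mangle -A FORWARD -i $LAN_IF -o $WAN_IF -j MIRROR
-t mangle -A FORWARD -i $WAN_IF -o $LAN_IF -j MIRROR
EOF
}

# Run every rule through the given command ("iptables" by default; pass
# "echo" for a dry run that only prints what would be executed).
apply_rules() {
    cmd="${1:-iptables}"
    tee_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $cmd $rule || return 1
    done
}

# Undo apply_rules. Errors are ignored so this is safe to run twice.
remove_rules() {
    cmd="${1:-iptables}"
    $cmd -t mangle -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -j MIRROR 2>/dev/null || true
    $cmd -t mangle -D FORWARD -i "$WAN_IF" -o "$LAN_IF" -j MIRROR 2>/dev/null || true
    $cmd -t mangle -F MIRROR 2>/dev/null || true
    $cmd -t mangle -X MIRROR 2>/dev/null || true
}

# Sanity check for a dry run: how many emitted rules carry the TEE target
# (expect exactly one, in the MIRROR chain).
count_tee() {
    apply_rules echo | grep -c -- '-j TEE --gateway'
}

# Usage: sh mirror.sh apply | remove | show
case "${1:-}" in
    apply)  apply_rules ;;
    remove) remove_rules ;;
    show)   tee_rules ;;
esac
```

Because fw3 flushes the tables on a firewall reload, put the `apply` call (or the rules themselves) in /etc/firewall.user so they come back after a reload. On the sensor, check that copies actually arrive before touching the IDS: `tcpdump -ni eth0 not arp and not udp port 67 and not udp port 68` should show the other hosts' forwarded flows, not just DHCP. TEE routes each copy to the gateway address, so the frames reach the sensor addressed to its own MAC and the sensor's NIC does not need promiscuous mode for them; a bridged VM, however, still depends on the host adapter accepting frames for the guest's MAC, which many wireless adapters cannot do, matching the resolution above.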

  • Can you modify your question to verify "OpenWRT says that it is indeed sending traffic on the .1 subnet to .100" and how you are invoking tcpdump? Also, does the device perform NAT? I'm wondering if your second rule won't match if the source address is already replaced with a NAT address via MASQUERADE. Lastly, is the VM using bridged networking and does the VM have the ability to enter promiscuous mode enabled in the hypervisor? – multithr3at3d Jan 02 '18 at 15:34
  • What VM host are you using? VMware, KVM, Xen, VirtualBox? In some you can disable traffic filtering via various methods. It seems that your host is not passing foreign traffic to your VM. – Aria Jan 02 '18 at 15:52
  • I'm calling tcpdump on the VM SO machine and specifying my management NIC (eth0 or 1.100/24). I have a static IP assigned on my SO VM, but because I'm unable to see .1.100 in the device list from my router, I suspect the SO VM is being NAT'd at the box? Also, when I said OpenWRT says it's passing traffic to 1.100, it's only verifying that packets are indeed being copied and sent, and not necessarily that it can see the machine. I'm using VMware, and I'll verify the hypervisor has that option enabled. – user1504591 Jan 03 '18 at 10:22
  • Suggest you submit your resolution as an answer and accept your own answer so it's more clear to others how you fixed it! – David Jan 13 '18 at 22:55

1 Answer


Update 1/13/18 - Resolved the issue. The wireless card was having trouble with VMware and promiscuous mode. Once I changed the medium (CAT5E), I was able to see all inbound traffic from other hosts in the subnet!