0

My goal was to add a box between two routers I have so that I can monitor and analyze network traffic, use it as a syslog server for both routers, and mail alerts when appropriate. Although using an old repeater hub would most likely accomplish what I want easier, I've not been able to find one for purchase.

Based on tips from the Wireshark wiki, I set up a Linux box as a bridge by adding the br interface, setting eth0/1 to 0.0.0.0 ip addresses, and bringing up the interfaces anew. But I quickly realized in the process that the configuration does not give me any network interfaces I can use for the logging service, and I am not sure I can run snort or other monitoring tools against a br0 interface. I can test the latter, but before I spend time doing that:

  1. Am I missing something in my networking understanding about setting up a bridge that would in fact allow me to also assign addresses to the eth0/1 interfaces? (If I'm interpreting this stack exchange post correctly, I believe the answer is no.)
  2. If in fact I cannot configure this box to accomplish my goal while configured as a bridge, are there ways to accomplish this other than setting the box as a router?
  3. Or, is setting it up as a router overall the best approach if I cannot find a repeater hub (and I don't have a switch capable of port mirroring)?
Improve this question
2
  • 1
    1) The link to the post you refer is broken 2) you assign an IP to the bridge interface instead Commented Sep 10, 2016 at 1:02
  • Thank you. I fixed the link. I'll experiment with the IP address on the bridge. Is it a network or one of the addresses from the outside router? Commented Sep 10, 2016 at 2:09

1 Answer 1

Reset to default
1

First, you don't set eth0 & eth1 to 0.0.0.0, you instead do not assign an IP address at all. (But maybe your 0.0.0.0 is treated as no IP, not sure—never tried). You then assign an IP address to the bridge.

# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
⋮
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master lan-br state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
3: lan-br: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.XX.XX/24 brd 192.168.XX.XX scope global lan-br
       valid_lft forever preferred_lft forever
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

# brctl show
bridge name     bridge id               STP enabled     interfaces
lan-br          8000.XXXXXXXXXXXX       no              eth0

My bridge currently only has one device on it (eth0), it exists to bridge virtual machines (and none are currently running). Yours would of course have both eth0 and eth1.

You should be able to have snort monitor br, eth0, or eth1. The traffic is flowing across all three. A quick test with tcpdump -n -i br should confirm that for you.

Improve this answer
2
  • Assigning the IP address, name servers, etc., to the bridge interface seems to be working. I'm testing the logging setup now, and it seems to be working. I was able to remove eth0/1 entries from /etc/network/interfaces and define everything in the bridge entry. Regarding question 3 above, does setting the box up as a router provide any additional benefits? I don't need another firewall (although the Airport Extreme's firewall logging appears non-existent). I have not tried ssh to the box yet either. Thanks! Commented Sep 10, 2016 at 14:04
  • 1
    @tim.rohrer I can't think of any additional benefits of setting up as a router, unless you need routing. Also, a router isn't transparent, a bridge (mostly) is. You don't have to reconfigure your network to insert a bridge. Commented Sep 10, 2016 at 16:24

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.