Trying to get mirroring to work

Author Message
reinerka
DD-WRT Novice


Joined: 18 Jan 2018
Posts: 5

PostPosted: Sun Feb 04, 2018 19:58    Post subject: Trying to get mirroring to work
Hardware: D-Link DIR-880L
Software: DD-WRT v3.0-r34311 std (12/29/17)

I'm trying to get port mirroring to work so that I can use BirarIDS on a raspberry pi to do network monitoring.

I've gotten as far as to install opkg and the needed iptables tool but still no success getting anything to work for mirroring.

I'm now stuck at running the following command:

/opt/sbin/iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.<IDS>
iptables: No chain/target/match by that name.

Listing the mangle table:

/opt/sbin/iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere xxx-xxx-xxx-xxx.<some host name> MARK or 0x80000000
CONNMARK all -- anywhere anywhere CONNMARK and 0x0

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Any help is highly appreciated as DD-WRT is the only open source firmware I've found for the router and getting monitoring working is important.

If I can't get this working I'll need to buy a new router and probably will have to switch to tomato....

Thanks for all the help in advance,
Reiner
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 471

PostPosted: Sun Feb 04, 2018 20:27    Post subject:
The stripped down version of iptables in DD-WRT does not have TEE. You will have to install entware and the full version of iptables.
reinerka
DD-WRT Novice


Joined: 18 Jan 2018
Posts: 5

PostPosted: Mon Feb 05, 2018 14:08    Post subject:
Wildlion wrote:
The stripped down version of iptables in DD-WRT does not have TEE. You will have to install entware and the full version of iptables.


I actually did install entware and iptables.

Reiner
Wildlion
DD-WRT User


Joined: 24 May 2016
Posts: 471

PostPosted: Tue Feb 06, 2018 2:43    Post subject:
Well apparently I did not read very well. Sorry about that.

from http://ipset.netfilter.org/iptables-extensions.man.html

Code:

TEE
The TEE target will clone a packet and redirect this clone to another machine on the local network segment. In other words, the nexthop must be the target, or you will have to configure the nexthop to forward it further if so desired.

--gateway ipaddr
    Send the cloned packet to the host reachable at the given IP address. Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.

To forward all incoming traffic on eth0 to a Network Layer logging box:

-t mangle -A PREROUTING -i eth0 -j TEE --gateway 2001:db8::1


which means I think your command is set up wrong. I would do more like the example.

But say you are to clone all incoming and outgoing traffic for a PC 192.168.1.15 on your router (say, 192.168.1.1) and redirect it to a spying PC 192.168.1.100; use:
Code:

 iptables -t mangle -A PREROUTING -d 192.168.1.15 -j TEE --gateway 192.168.1.100
 iptables -t mangle -A PREROUTING -s 192.168.1.15 -j TEE --gateway 192.168.1.100
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue Feb 06, 2018 3:30    Post subject:
FWIW, this has always worked for me on Tomato.

Code:
modprobe ipt_ROUTE

iptables -t mangle -A POSTROUTING -d $TGT_IP -j ROUTE --gw $GTW_IP --tee
iptables -t mangle -A PREROUTING  -s $TGT_IP -j ROUTE --gw $GTW_IP --tee
reinerka
DD-WRT Novice


Joined: 18 Jan 2018
Posts: 5

PostPosted: Fri Mar 02, 2018 14:47    Post subject:
It's been pretty quiet on this subject.

Anyone that has a good write up on getting TEE to work with DD-WRT?

From my understanding there are multiple missing pieces that prevent this:

- iptables is outdated and does not support mirroring
- kernel module for TEE is not built into DD-WRT

The above leads me to believe that even just updating iptables isn't going to work....

Anyone that has done mirroring with a recent version of DD-WRT want to chime in on how they did it? Unfortunately my router (DIR-880L) is not supported by any other open router software.

Reiner
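The two PREROUTING rules from Wildlion's post, and the two missing pieces listed in the post just above (userspace iptables without the extension, kernel without the TEE target), can be checked in one place before anything is applied. The script below is an added example, not code from the thread or from DD-WRT/Entware. It assumes Entware's full iptables is at /opt/sbin/iptables (the path used in the first post), that the IDS box sits on the same LAN segment as the router (TEE delivers the clone to that next hop directly, as the man page excerpt says), and it uses /proc/net/ip_tables_targets, where the kernel lists every registered iptables target, to tell a missing kernel side ("No chain/target/match by that name") from a missing userspace extension.

```shell
#!/bin/sh
# Added example (not from the thread): emit the TEE mirror rules for one LAN host and
# check both prerequisites before applying them.
# Assumptions: full iptables at /opt/sbin/iptables (override with IPT=...), the IDS host
# is on the router's own LAN segment, and the script runs as root on the router.

IPT="${IPT:-/opt/sbin/iptables}"

# Print (do not run) the two mangle-table rules that mirror all traffic
# to and from host $1 to the IDS at $2 (same shape as Wildlion's rules).
tee_rules() {
    printf '%s -t mangle -A PREROUTING -d %s -j TEE --gateway %s\n' "$IPT" "$1" "$2"
    printf '%s -t mangle -A PREROUTING -s %s -j TEE --gateway %s\n' "$IPT" "$1" "$2"
}

# Kernel side: netfilter lists every registered target, one per line, in
# /proc/net/ip_tables_targets. If TEE is not there, iptables fails with
# "No chain/target/match by that name" no matter how new the binary is.
# $1 lets a test point at a constructed file instead of /proc.
tee_kernel_ok() {
    grep -qx 'TEE' "${1:-/proc/net/ip_tables_targets}" 2>/dev/null
}

# Userspace side: the extension help only prints when libxt_TEE.so is installed;
# the stripped DD-WRT iptables fails here, the Entware one should not.
tee_userspace_ok() {
    "$IPT" -j TEE --help >/dev/null 2>&1
}

# Load the module if the build ships it, then apply the rules only when both sides agree.
mirror_host() {
    tgt=$1; ids=$2
    modprobe xt_TEE 2>/dev/null || true
    if ! tee_userspace_ok; then
        echo "$IPT has no TEE extension: install the full Entware iptables" >&2
        return 1
    fi
    if ! tee_kernel_ok; then
        echo "kernel registers no TEE target: this firmware build lacks xt_TEE" >&2
        return 1
    fi
    tee_rules "$tgt" "$ids" | sh -e
}

# Usage on the router: sh mirror.sh apply 192.168.1.15 192.168.1.100
case "${1:-}" in
    apply) mirror_host "$2" "$3" ;;
esac
```

Running tee_kernel_ok on a stock DD-WRT build answers the question in the post above without installing anything: if the target list lacks TEE, updating iptables alone cannot help, because the user space tool only passes the rule to a kernel module that is not there. Remember that, as d0ug notes later in the thread, this mirrors only what the router itself forwards, not switched LAN-to-LAN traffic.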
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2905
Location: UK, London, just across the river..

PostPosted: Fri Mar 02, 2018 21:28    Post subject:
- iptables is outdated and does not support mirroring
- kernel module for TEE is not built into DD-WRT

correct

Hmm, I don't know. I've seen somewhere around that someone had
success installing the last version of iptables... via
entware....
Sadly the entware version of iptables has to be manually updated first...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 -----DD-WRT 41328 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----DD-WRT 41321 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ---------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,DNSCrypt v2 x2)
Broadcom
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 760

PostPosted: Sat Mar 03, 2018 18:18    Post subject:
Depending on what you're trying to monitor, mirroring with iptables may not catch all traffic. It's only going to capture traffic that routes from LAN to WAN. If you are at all trying to capture LAN to LAN traffic, a switch that can actually be put into port mirroring mode or something like a SharkTap is what you might need.

https://www.amazon.com/midBit-Technologies-LLC-100-1000/dp/B0175EODCE

https://www.amazon.com/midBit-Technologies-LLC-10-100/dp/B00DY77HHK