IpTables Port Mirroring WRT310n

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
senica
DD-WRT Novice


Joined: 13 Jul 2009
Posts: 21

PostPosted: Mon Mar 15, 2010 4:27    Post subject: IpTables Port Mirroring WRT310n Reply with quote
Can someone confirm that the --tee command works on the wrt310n router?

I have tried the following commands:
Code:

iptables -t mangle -A POSTROUTING -d 192.168.3.136 -j ROUTE --tee --gw 192.168.3.144
iptables -t mangle -A PREROUTING -s 192.168.3.136 -j ROUTE --tee --gw 192.168.3.144


And when I run iptables -L -t mangle I can see that entries there. They look like this:

Code:

root@DD-WRT:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ROUTE      0    --  192.168.3.136        anywhere            ROUTE gw:192.168.3.144 tee

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ROUTE      0    --  anywhere             192.168.3.136       ROUTE gw:192.168.3.144 tee



But when I run wireshark on 3.144 I get no packets from 136).

Is there something else I need to do? I read somewhere about loading something with a firewall script?

What am I doing wrong? I just need to monitor all traffic from 136 via a computer at 144.

[/code]
Sponsor
senica
DD-WRT Novice


Joined: 13 Jul 2009
Posts: 21

PostPosted: Mon Mar 15, 2010 15:51    Post subject: Reply with quote
bump

anyone?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Mar 15, 2010 17:26    Post subject: Reply with quote
The iptables output shows no traffic has matched the rule. Are you trying to monitor LAN-LAN traffic, if so then you would need to use VLAN's to make the router see the traffic but 310n doesn't support VLAN's... Otherwise make sure that 192.168.3.136 is generating traffic and then check the iptables counters to see that there has been traffic.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
senica
DD-WRT Novice


Joined: 13 Jul 2009
Posts: 21

PostPosted: Mon Mar 15, 2010 18:31    Post subject: Reply with quote
When you said LAN-to-LAN, I'm not sure if you meant separate lans. But anyways, it was two devices behind the same router. Not separate lans.

I finally made it easy on myself and went and bought a hub to monitor the traffic.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Mar 15, 2010 21:44    Post subject: Reply with quote
LAN-LAN traffic is switched so it's never even seen by the router's software. Good thing you bought a hub.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum