Hi, I have set up an OpenBSD 5.9 machine to act as a router/firewall to selectively forward traffic between two subnets of its interfaces vic0 and vic1:
          ,-----------,
 vic0 ---+ forwarder +--- vic1
          `-----------'

I would like to create a read-only monitoring span port vic2 that would receive all traffic that appears on either interface:

          ,-----------,
 vic0 -+-+ forwarder +-+- vic1
       |  `-----------'  |
       |                 |
       `--->|--+--|<-----'
               |
               |vic2

(In the diagram above, the ->|- elements allow traffic in one direction only, as in "block out" pf rules.)

I have attempted to implement this using a bridge with vic0 and vic1 as members and vic2 as the span port; however, the span interface only receives a subset of traffic because of the pf filtering applied by the firewall (the bridge is filtered). I have also tried more complex designs with per-interface bridges. The only way I could get this to work is by creating a separate pair of interfaces (one for each subnet) and using them in the bridge:

          ,-----------,
 vic0 ---+ forwarder +--- vic1
          `-----------'
 vic3 ----->|--+--|<----- vic4
               |
               |vic2

Even though this method works (but causes further problems with loops), I would like to use a simpler/idiomatic approach, which almost certainly exists.

Apart from bridge(4) I also experimented with trunk(4) using the broadcast protocol, but the trunk device did not receive all packets either (it was mostly silent).

I am aware that I could run two instances of the monitoring application (one for each interface), but would like to avoid that if possible.

I have researched the internet and the man pages and at the moment do not have any further ideas. Please let me know what you think.

Thanks,
Igor
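The bridge-with-span-port layout from the post, written out as OpenBSD hostname.if(5) and pf.conf(5) fragments. This is an added, constructed example and not the poster's configuration: the interface names vic0, vic1 and vic2 come from the post, bridge0 is an assumed bridge name, and the `set skip` line is an assumption that only exempts the span port itself from pf (it does not change filtering on the member interfaces).

```conf
# /etc/hostname.bridge0  (constructed example, processed by netstart(8) as ifconfig arguments)
add vic0
add vic1
addspan vic2
up

# /etc/hostname.vic2  (span port: no address, only brought up)
up

# /etc/pf.conf excerpt (assumption): keep pf off the span port itself
set skip on vic2

# Verification from the console, not part of the config files:
#   ifconfig bridge0          # members and span port should be listed
#   tcpdump -n -e -i vic2     # copies of frames seen by the bridge appear here
```

Per bridge(4), a span port transmits a copy of every frame the bridge receives and is output-only, so nothing a monitoring host sends into vic2 is forwarded back into the bridge; that is what makes it read-only without extra pf rules on vic2.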