Trying to make a Host into a gigabit hub for testing
Shawn Saunders
saundersconsult at hotmail.com
Tue Feb 7 07:38:20 PST 2006
Hello,
Based on the below configuration, does anyone have an idea of what I might
be doing wrong?
The following is a layout of the type of configuration; I have tried
one2many and hub, but was unable to obtain the desired results. Whenever I
try to set multiple hooks to the same interface it fails, and trying to
bring a group of interfaces into a virtual interface, and then take that
virtual interface out multiple different interfaces, seems to fail (I can't
even get the connection to the virtual interface to go to multiple outs).
I will have 11 interfaces inbound from 11 different networks.
I will have 4 outbound to 4 different IDSs and sensors.
I would like to have 11 interfaces come into a single virtual interface.
This way I could run tcpdump and/or snort on the box itself and obtain quick
info, and do validation of packet data, between the capture system and the
IDS and sensors.
I would like to redirect all the traffic from that one virtual interface to
a group of 4 physical interfaces so the sensors can work on it.
Here is a configuration I tried. Any comments or suggestions are
appreciated.
This initial script only takes 3 input interfaces into a single virtual
interface. This works.
Then when I try to take that virtual interface and echo it out multiple
interfaces, it fails.
#!/bin/sh
# Initialize and bring up all interfaces
for i in 0 1 2 3 4 5 6 7 8 9 10 11
do /sbin/ifconfig em$i up
done
for g in 0 1
do /sbin/ifconfig bge$g up
done
/sbin/ifconfig fxp0 up
# Load needed kernel modules
/sbin/kldload /boot/kernel/ng_ether.ko
/sbin/kldload /boot/kernel/ng_one2many.ko
/sbin/kldload /boot/kernel/ng_fec.ko
# Create Virtual Interface
/usr/sbin/ngctl mkpeer fec dummy fec
# Bind physical input interfaces to virtual interface
/usr/sbin/ngctl msg fec0: add_iface '"em0"'
/usr/sbin/ngctl msg fec0: add_iface '"em1"'
/usr/sbin/ngctl msg fec0: add_iface '"em2"'
# Set forwarding mode to mac address layer.
/usr/sbin/ngctl msg fec0: set_mode_mac
# Configure the virtual interface to deliver packets out the others
/usr/sbin/ngctl mkpeer fec0: one2many upper one
/usr/sbin/ngctl name fec0:upper secur
/usr/sbin/ngctl connect bge0: secur: upper many0
/usr/sbin/ngctl connect bge1: secur: upper many1
/usr/sbin/ngctl msg secur: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
# Set all interfaces Promisc mode and turn off autosrc routing
for s in 0 1 2 3 4 5 6 7 8 9 10 11
do /usr/sbin/ngctl msg em$s: setpromisc 1
/usr/sbin/ngctl msg em$s: setautosrc 0
done
for t in 0 1
do /usr/sbin/ngctl msg bge$t: setpromisc 1
/usr/sbin/ngctl msg bge$t: setautosrc 0
done
#EOF
Before sending 3 pings across em2:
gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge0   1500                00:e0:81:32:f4:52      0     0     5     0    0
bge0   1500 fe80:b::2e0:8  fe80:b::2e0:81ff:      0     -     4     -    -
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge1   1500                00:e0:81:32:f4:53      0     0     0     0    0
bge1   1500 fe80:c::2e0:8  fe80:c::2e0:81ff:      0     -     4     -    -
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
fec0*  1500                00:04:23:c1:0e:50     11     0     0     0    0
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
em2    1500                00:04:23:c1:0e:50     41     0     5     0    0
em2    1500 fe80:5::204:2  fe80:5::204:23ff:      0     -     4     -    -
After sending 3 pings across em2:
gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge0   1500                00:e0:81:32:f4:52      0     0     5     0    0
bge0   1500 fe80:b::2e0:8  fe80:b::2e0:81ff:      0     -     4     -    -
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
bge1   1500                00:e0:81:32:f4:53      0     0     0     0    0
bge1   1500 fe80:c::2e0:8  fe80:c::2e0:81ff:      0     -     4     -    -
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
fec0*  1500                00:04:23:c1:0e:50     15     0     0     0    0
Name   Mtu  Network        Address            Ipkts Ierrs Opkts Oerrs Coll
em2    1500                00:04:23:c1:0e:50     45     0     5     0    0
em2    1500 fe80:5::204:2  fe80:5::204:23ff:      0     -     4     -    -
Shawn Saunders
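Editor's added example (not the poster's script, and not from the FreeBSD project): a parameterised version of the graph described in the post, N capture interfaces enslaved to one fec interface, its upper hook feeding a one2many node, and each sensor interface attached as one "many" link. The function names (ng, hub_cmds, build_hub), the DRY_RUN switch and the node name "hub" are this example's own choices. The one point where it deliberately differs from the posted script is the hook used on the sensor side: ng_ether(4) transmits frames that arrive on its lower hook out the wire, while frames delivered to its upper hook are handed to the kernel's protocol stack as if received, so the posted "upper many0"/"upper many1" connections never put anything on the sensor links, which matches the unchanged bge0/bge1 Opkts counters in the netstat output. The fec0 side keeps "upper", because frames the fec driver receives from its members come up that hook.

```shell
#!/bin/sh
# Added example: build "N capture ports -> fec0 -> one2many -> M sensor ports".
# Names here (ng, hub_cmds, build_hub, node "hub", DRY_RUN) are this
# example's own assumptions, not the poster's or ng_fec/ng_one2many's.

NGCTL=${NGCTL:-/usr/sbin/ngctl}

# ng: run one ngctl(8) command, or only print it when DRY_RUN=1 (default).
ng() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ngctl $*"
    else
        "$NGCTL" "$@"
    fi
}

# hub_cmds "<capture ifaces>" "<sensor ifaces>": issue the netgraph commands.
hub_cmds() {
    ins=$1
    outs=$2

    # Create the fec interface (fec0) and enslave every capture interface.
    ng mkpeer fec dummy fec
    for i in $ins; do
        ng msg fec0: add_iface "\"$i\""   # ngctl wants the quoted string
    done
    ng msg fec0: set_mode_mac

    # Hang a one2many node off fec0's upper hook (frames received by fec0
    # come up this hook) and give it a fixed name for later addressing.
    ng mkpeer fec0: one2many upper one
    ng name fec0:upper hub

    # Each sensor interface's LOWER hook becomes one "many" link: frames
    # sent to an ng_ether node's lower hook go out on the wire.
    n=0
    links=""
    for o in $outs; do
        ng connect "$o:" hub: lower "many$n"
        links="$links 1"
        n=$((n + 1))
    done

    # xmitAlg=2 is ng_one2many's "all" policy: every frame is copied to
    # every enabled link; failAlg=1 leaves link state under manual control.
    ng msg hub: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[$links ] }"

    # Promiscuous mode and no source-MAC rewriting on every physical port,
    # so the sensors see frames exactly as they were captured.
    for p in $ins $outs; do
        ng msg "$p:" setpromisc 1
        ng msg "$p:" setautosrc 0
    done
}

# build_hub: load the modules (unless dry-running) and apply the graph.
build_hub() {
    if [ "${DRY_RUN:-1}" != 1 ]; then
        for m in ng_ether ng_one2many ng_fec; do
            kldload "$m" 2>/dev/null || true   # already loaded is fine
        done
    fi
    hub_cmds "$1" "$2"
}

# Dry run with the interface names from the post (prints the commands only):
# DRY_RUN=1 build_hub "em0 em1 em2" "bge0 bge1"
```

With DRY_RUN=1 the script only prints the ngctl commands, which is a convenient way to review the graph before touching a live box; DRY_RUN=0 executes them. Growing the layout to the 11 inputs and 4 outputs mentioned in the post only changes the two argument strings, and enabledLinks is sized from the number of sensor interfaces. Because xmitAlg=2 copies every frame to every link, the aggregate output on each sensor port equals the sum of all captured inputs, so a single gigabit sensor link will drop frames once the combined capture rate exceeds it.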
More information about the freebsd-net mailing list