[Bug 192756] New: SPAN port on bridge does not span packets originating locally
bugzilla-noreply at freebsd.org
Sun Aug 17 17:28:11 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192756
Bug ID: 192756
Summary: SPAN port on bridge does not span packets originating locally
Product: Base System
Version: 8.3-RELEASE
Hardware: amd64
OS: Any
Status: Needs Triage
Severity: Affects Only Me
Priority: ---
Component: standards
Assignee: freebsd-standards at FreeBSD.org
Reporter: jbw at hilltopgroup.com
I have built a firewall/routing box utilizing FreeBSD (8.3-RELEASE) and need to
mirror all of the lan-side traffic before it is NATed to another box which will
have traffic analysis software running on it.
The firewall box has 4 interfaces: 3 wired (re0, re1, re2) and 1 wireless
(ath0).
re0 is the internet port (WAN), re1 and ath0 are bridged into bridge0 which has
my LAN IP (so that both my wired and wireless systems are all on the same
physical network), and re2 is a member of bridge0 as a SPAN port.
A tcpdump on the SPAN (and on the analysis box) shows that all packets which
enter the system via ath0 and re1 are mirrored appropriately, but if the
packets originate either on the WAN port (re1) or internal to the firewall box
(ping a LAN endpoint from the firewall shell) the packets are not present on
the SPAN port. tcpdump on bridge0 captures the packets, so they're definitely
on the bridge.
In order to eliminate all possibilities I ran a liveCD of FreeBSD 10-RELEASE on
a different box with 4 interfaces with em0 and em1 bridged together into
bridge0 with em3 as a SPAN port for bridge0. Bridge0 has the IP. No firewall,
no ports, nothing has been installed or configured. On this box, any packets
which physically enter either em0 or em1 (the bridged interfaces) are SPANned,
but nothing that originates on the fresh box shows up on the SPAN. Again, the
packets originating on the system show up on a tcpdump of bridge0. I also
tested this on the same system listed here, but with the installed version of
9.0-RELEASE.
When giving the IP to one of the physical interfaces, the SPAN port works
correctly, and locally generated packets are SPANned appropriately.
This isn't ideal as it means that if the physical interface with the IP goes
down, clients on the other interfaces will lose connectivity to the system, and
when bridging it's ideal to give the IPs to the bridge itself to protect
against that possibility.
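The reporter's 10-RELEASE test layout as ifconfig(8) commands, plus a check that measures the gap described above (locally generated frames on bridge0 that never reach the SPAN member). This is an added example, not part of the bug report or the FreeBSD tree; the address 192.0.2.1/24, the peer 192.0.2.10 and the /tmp capture paths are constructed, and the script assumes it is run as root on a box with em0, em1 and em3.

```shell
#!/bin/sh
# Added example (not from the bug report): rebuild the reporter's test-box layout
# (em0 + em1 bridged into bridge0, em3 as SPAN port, IP on bridge0) and compare how
# many locally generated ICMP frames are seen on bridge0 versus on the SPAN port.
BRIDGE=${BRIDGE:-bridge0}
MEMBERS=${MEMBERS:-"em0 em1"}
SPAN=${SPAN:-em3}
BRIDGE_IP=${BRIDGE_IP:-192.0.2.1/24}   # constructed address for the bridge
PEER=${PEER:-192.0.2.10}               # constructed LAN host behind a member port

# Emit the ifconfig commands for the layout; pure, so it can be inspected before running.
bridge_setup_cmds() {
    echo "ifconfig $BRIDGE create"
    for m in $MEMBERS; do
        echo "ifconfig $m up"
        echo "ifconfig $BRIDGE addm $m"
    done
    echo "ifconfig $SPAN up"
    echo "ifconfig $BRIDGE span $SPAN"
    echo "ifconfig $BRIDGE inet $BRIDGE_IP up"
}

# Send N pings from this box while capturing on one interface; return how many
# echo requests to $PEER that interface saw (locally originated frames are the
# ones the report says the SPAN port misses).
count_local_pings_on() {
    iface=$1; n=${2:-5}
    tcpdump -i "$iface" -c "$n" -nn -l "icmp and dst host $PEER" > "/tmp/span.$iface" 2>&1 &
    pid=$!
    sleep 1
    ping -c "$n" -i 0.2 "$PEER" > /dev/null 2>&1
    sleep 2
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    grep -c "$PEER" "/tmp/span.$iface"
}

# Compare the two counts; returns 1 when the SPAN port saw fewer frames than the bridge.
span_verdict() {
    on_bridge=$1; on_span=$2
    if [ "$on_span" -lt "$on_bridge" ]; then
        echo "GAP: $on_bridge locally generated frames on $BRIDGE, $on_span on $SPAN"
        return 1
    fi
    echo "OK: SPAN port saw all $on_bridge frames"
}

# "sh thisscript.sh check" configures the bridge and runs the measurement.
if [ "${1:-}" = "check" ]; then
    bridge_setup_cmds | sh
    span_verdict "$(count_local_pings_on "$BRIDGE")" "$(count_local_pings_on "$SPAN")"
fi
```

A GAP verdict with the IP on bridge0 and an OK verdict after moving the IP to em0 reproduces the behaviour the report describes, which is the point to confirm before relying on the SPAN feed for traffic analysis.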