From: "Shawn Saunders" <saundersconsult@hotmail.com>
To: freebsd-net@freebsd.org
Cc: dionch@freemail.gr
Date: Thu, 02 Feb 2006 17:28:12 +0000
Subject: Re: Trying to make a Host into a gigabit hub for testing

Chris and others,

This is an update on the configuration you helped me with several months ago. I don't have the specific numbers but approximates, as the machines were being reset weekly because of reconfigurations in the IDS's. So the port statistics were also reset to provide accuracy, as ethernet connections went up and down upon the IDS's reset.

Based upon a configuration of two networks in, with each having 4 ports out (using one2many).
All ports being Gigabit ethernet on a PCI-X bus, Intel cards, and an Opteron server with 8 GB RAM.

Network 1: Approximately 5 million to 7 million alerts per day, as registered by both snort and ISS. Alerts generated against a group of both virtual and real machines (approximately 200). Approximately 18 million packets per day. We had customized alert rules to obtain the alert load necessary for our testing protocol.

Less than 1% packet loss between interfaces. There were a couple of weeks where it made it to almost 2%, but that was when we had up to 30 million packets per day over our networks. Now this is only counting the packet losses over the netgraph interfaces, not what may have happened on the overburdened networks themselves.

We used various tools and customizations, such as Nmap, hping, nessus, ftp, http and smtp with cron, on both Windows and *nix systems to generate a cross-section of simulated traffic. Hope this was helpful.

Now we are performing a new test, and the requirements have changed. I am having difficulty as one2many will not perform what I need. The following is a layout of the type of configuration; I have tried one2many and hub, but was unable to obtain the desired results. Whenever I try to set multiple hooks to the same interface it fails, and trying to bring a group of interfaces to a virtual interface, and then take that virtual interface out multiple different interfaces, seems to fail (I can't even make the connection to the virtual interface to go to multiple outs).

I will have 11 interfaces inbound from 11 different networks. I will have 4 outbound to 4 different IDS's and sensors. I would like to have 11 interfaces come into a single virtual interface. This way I could run tcpdump and/or snort on the box itself and obtain quick info, and do validation of packet data between the capture system and the IDS and sensors.
I would like to redirect all the traffic from that one virtual interface to a group of 4 physical interfaces so the sensors can work on it.

Here is a configuration I tried. Any comments or suggestions are appreciated. This initial script only takes 3 input interfaces into a single virtual interface. This works. Then when I try to take that virtual interface and echo it out multiple interfaces, it fails.

#!/bin/sh
# Initialize and bring up all interfaces
for i in 0 1 2 3 4 5 6 7 8 9 10 11
do
    /sbin/ifconfig em$i up
done
for g in 0 1
do
    /sbin/ifconfig bge$g up
done
/sbin/ifconfig fxp0 up

# Load needed kernel modules
/sbin/kldload /boot/kernel/ng_ether.ko
/sbin/kldload /boot/kernel/ng_one2many.ko
/sbin/kldload /boot/kernel/ng_fec.ko

# Create Virtual Interface (the fec node shows up as fec0)
/usr/sbin/ngctl mkpeer fec dummy fec

# Bind physical input interfaces to virtual interface
/usr/sbin/ngctl msg fec0: add_iface '"em0"'
/usr/sbin/ngctl msg fec0: add_iface '"em1"'
/usr/sbin/ngctl msg fec0: add_iface '"em2"'

# Set forwarding mode to mac address layer.
/usr/sbin/ngctl msg fec0: set_mode_mac

# Configure the virtual interface to deliver packets out the others:
# hang a one2many node off fec0's upper hook, name it "secur", and wire
# bge0/bge1 to its many0/many1 hooks.
/usr/sbin/ngctl mkpeer fec0: one2many upper one
/usr/sbin/ngctl name fec0:upper secur
/usr/sbin/ngctl connect bge0: secur: upper many0
/usr/sbin/ngctl connect bge1: secur: upper many1
# xmitAlg=2 copies every packet to all enabled links, failAlg=1 is manual
# failure handling, and both many0/many1 are enabled.
/usr/sbin/ngctl msg secur: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"

# Set all interfaces Promisc mode and turn off autosrc routing
for s in 0 1 2 3 4 5 6 7 8 9 10 11
do
    /usr/sbin/ngctl msg em$s: setpromisc 1
    /usr/sbin/ngctl msg em$s: setautosrc 0
done
for t in 0 1
do
    /usr/sbin/ngctl msg bge$t: setpromisc 1
    /usr/sbin/ngctl msg bge$t: setautosrc 0
done
#EOF

Before sending 3 pings across em2:

gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
bge0   1500                 00:e0:81:32:f4:52       0     0       5     0     0
bge0   1500  fe80:b::2e0:8  fe80:b::2e0:81ff:       0     -       4     -     -
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
bge1   1500                 00:e0:81:32:f4:53       0     0       0     0     0
bge1   1500  fe80:c::2e0:8  fe80:c::2e0:81ff:       0     -       4     -     -
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
fec0*  1500                 00:04:23:c1:0e:50      11     0       0     0     0
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
em2    1500                 00:04:23:c1:0e:50      41     0       5     0     0
em2    1500  fe80:5::204:2  fe80:5::204:23ff:       0     -       4     -     -

After sending 3 pings across em2:

gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
bge0   1500                 00:e0:81:32:f4:52       0     0       5     0     0
bge0   1500  fe80:b::2e0:8  fe80:b::2e0:81ff:       0     -       4     -     -
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
bge1   1500                 00:e0:81:32:f4:53       0     0       0     0     0
bge1   1500  fe80:c::2e0:8  fe80:c::2e0:81ff:       0     -       4     -     -
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
fec0*  1500                 00:04:23:c1:0e:50      15     0       0     0     0
Name   Mtu   Network        Address             Ipkts Ierrs   Opkts Oerrs  Coll
em2    1500                 00:04:23:c1:0e:50      45     0       5     0     0
em2    1500  fe80:5::204:2  fe80:5::204:23ff:       0     -       4     -     -

Shawn Saunders

>From: Chris Dionissopoulos
>Reply-To: dionch@freemail.gr
>To: Shawn Saunders
>Subject: Re: Trying to make a Host into a gigabit hub for testing
>Date: Fri, 21 Oct 2005 03:49:31 +0300
>
>Great news!! It was just a thought that might work, and this schema of
>ng_one2many is undocumented (google included).
>
>If it is not difficult for you, could you provide the list with some real life
>benchmarks?
>
>Chris.
>
>
>Shawn Saunders wrote:
>
>>Chris,
>>
>>Ignore the last note. It is working, with the correction you gave me
>>below. Working Great.
>>
>>Thanks for all your help.
>>
>>Shawn
>
>
>____________________________________________________________________
>http://www.freemail.gr - free e-mail service.
>http://www.freemail.gr - free email service for the Greek-speaking.
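The before/after counter comparison in the message above is the right validation step for a netgraph hub, and it is easier to trust when a script does the subtraction. The following Python program is an added example, not code from the original post or from FreeBSD: it parses two `netstat -I` snapshots (the post's own output, copied in here as constructed sample data), computes the per-interface counter deltas, and flags any egress interface whose Opkts did not rise by at least the number of packets the virtual interface took in, which is exactly the symptom shown above (fec0 Ipkts went 11 to 15 while bge0 and bge1 Opkts did not move). It also reports any Ierrs/Oerrs that accumulated during the test. The parser assumes the layout as archived, where the Network column of the link-layer rows is empty, so counters are read from the right-hand end of each row rather than by column index; the interface names, the "fec0" ingress and the bge0/bge1 egress list in the usage call are taken from the post.

```python
"""Compare two `netstat -I` snapshots and check that a netgraph fan-out delivered packets.

Added example, not code from the original post or from FreeBSD. The sample
snapshots are the post's own netstat output (constructed sample data here); the
archive dropped the Network column from the link-layer rows, so those rows have
one token fewer than the fe80:: rows and counters are read from the right end.
"""

COUNTERS = ("Ipkts", "Ierrs", "Opkts", "Oerrs", "Coll")

# Constructed sample: the post's "before" snapshot, taken before 3 pings were sent in via em2.
BEFORE = """\
gigihub# netstat -I bge0 ; netstat -I bge1 ; netstat -I fec0 ; netstat -I em2
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
bge0 1500 00:e0:81:32:f4:52 0 0 5 0 0
bge0 1500 fe80:b::2e0:8 fe80:b::2e0:81ff: 0 - 4 - -
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
bge1 1500 00:e0:81:32:f4:53 0 0 0 0 0
bge1 1500 fe80:c::2e0:8 fe80:c::2e0:81ff: 0 - 4 - -
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
fec0* 1500 00:04:23:c1:0e:50 11 0 0 0 0
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
em2 1500 00:04:23:c1:0e:50 41 0 5 0 0
em2 1500 fe80:5::204:2 fe80:5::204:23ff: 0 - 4 - -
"""
# The post's "after" snapshot differs only in fec0 Ipkts (11 -> 15) and em2 Ipkts (41 -> 45).
AFTER = (BEFORE
         .replace("fec0* 1500 00:04:23:c1:0e:50 11 ", "fec0* 1500 00:04:23:c1:0e:50 15 ")
         .replace("em2 1500 00:04:23:c1:0e:50 41 ", "em2 1500 00:04:23:c1:0e:50 45 "))


def parse_netstat(text):
    """Return {iface: {counter: int or None}} from the link-layer row of each interface.

    Data rows are recognised by a numeric Mtu in the second column, which skips
    the shell prompt and the repeated header lines. A trailing '*' on the name
    (fec0* above, meaning the interface is not UP) is stripped, and a '-'
    counter (the fe80:: rows) becomes None. The first row seen for an interface
    is its link-layer total, so later address rows are ignored.
    """
    stats = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or not tokens[1].isdigit():
            continue
        name = tokens[0].rstrip("*")
        row = {key: (int(val) if val.isdigit() else None)
               for key, val in zip(COUNTERS, tokens[-5:])}
        stats.setdefault(name, row)
    return stats


def counter_deltas(before, after):
    """Per-interface change in each counter between two snapshots (None if not countable)."""
    deltas = {}
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue  # interface appeared between snapshots; nothing to compare
        deltas[name] = {
            key: (new[key] - old[key]) if old[key] is not None and new[key] is not None else None
            for key in COUNTERS
        }
    return deltas


def check_fanout(deltas, ingress, egress):
    """Check that every packet counted in on `ingress` went out on each `egress` interface.

    Returns a list of human-readable problems; an empty list means the hub
    replicated traffic as intended. Egress Opkts may legitimately exceed the
    ingress count (the host's own traffic), so only a shortfall is flagged.
    """
    seen = deltas.get(ingress, {}).get("Ipkts")
    if seen is None or seen <= 0:
        return [f"{ingress}: no new inbound packets recorded, nothing to verify"]
    problems = []
    for out in egress:
        sent = deltas.get(out, {}).get("Opkts")
        if sent is None or sent < seen:
            problems.append(f"{out}: Opkts rose by {sent}, expected at least {seen} "
                            f"(the {seen} packets that reached {ingress})")
    for name in (ingress, *egress):
        ierrs = deltas.get(name, {}).get("Ierrs") or 0
        oerrs = deltas.get(name, {}).get("Oerrs") or 0
        if ierrs or oerrs:
            problems.append(f"{name}: {ierrs} input / {oerrs} output errors during the test")
    return problems


if __name__ == "__main__":
    # Ingress and egress names from the post: fec0 fans out to bge0 and bge1.
    d = counter_deltas(parse_netstat(BEFORE), parse_netstat(AFTER))
    for p in check_fanout(d, "fec0", ["bge0", "bge1"]) or ["fan-out OK"]:
        print(p)
```

Run against the post's two snapshots it reports that bge0 and bge1 each sent 0 packets where at least 4 were expected, which is the failure described in the message; on a working hub, where both egress Opkts counters rise by at least the fec0 Ipkts delta, it prints "fan-out OK". For a live check on the box itself, capture `netstat -I <iface>` output for each interface into the two strings before and after sending a known number of packets in.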