From: "Joseph Ward"
To: freebsd-net@freebsd.org
Subject: SPAN port doesn't pick up locally generated traffic
Date: Tue, 12 Aug 2014 16:26:59 -0400
Message-ID: <08b701cfb66b$c4ee4820$4ecad860$@com>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have built a firewall/routing box utilizing FreeBSD and need to mirror all of the LAN-side traffic, before it is NATed, to another box which will have traffic analysis software running on it.

The firewall box has 4 interfaces: 3 wired (re0, re1, re2) and 1 wireless (ath0). re0 is the internet port (WAN); re1 and ath0 are bridged into bridge0, which has my LAN IP (so that both my wired and wireless systems are all on the same physical network); and re2 is a member of bridge0 as a SPAN port.

A tcpdump on the SPAN (and on the analysis box) shows that all packets which enter the system via ath0 and re1 are mirrored appropriately, but if the packets originate either on the WAN port (re1) or internal to the firewall box (ping a LAN endpoint from the firewall shell), the packets are not present on the SPAN port. tcpdump on bridge0 captures the packets, so they're definitely on the bridge.

In order to eliminate all possibilities, I ran a liveCD of FreeBSD 10 on a box with 4 interfaces, with em0 and em1 bridged together into bridge0 and em3 as a SPAN port for bridge0. No firewall, no ports, nothing has been installed or configured. On this box, any packets which physically enter either em0 or em1 (the bridged interfaces) are SPANned, but nothing that originates on the fresh box shows up on the SPAN. Again, the packets originating on the system show up on a tcpdump of bridge0.

I'm not much of a system-level programmer, but it certainly looks as if my expected behavior is "proper" based on if_bridge.c and the comment before the "bridge_output" function, which definitely has a "bridge_span" call when sending unicast with locally generated traffic, which is what I'm doing here.

Am I missing something? A configuration variable somewhere perhaps? Or is this a bug somewhere?

Any help would be greatly appreciated!
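The following script is an added example, not part of the original post and not code from the FreeBSD project. It reproduces the layout the poster describes (re1 and ath0 as bridge0 members, re2 as the span port) with ifconfig(8), then runs the same comparison the poster did by hand: capture ICMP on bridge0 and on the span port while the firewall itself pings a LAN host, and report whether the span port mirrored the locally originated packets. Interface names come from the post; the ping target PEER (a documentation address), the capture count, and the DRY_RUN switch are assumptions added here. DRY_RUN=1 prints the commands instead of executing them, so the command construction can be inspected on any host.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the if_bridge SPAN setup
# described on the list and checks whether locally generated traffic reaches
# the span port. Assumes FreeBSD ifconfig/tcpdump and root privileges unless
# DRY_RUN=1. PEER is an assumed LAN endpoint (documentation address).

BRIDGE=${BRIDGE:-bridge0}
MEMBERS=${MEMBERS:-"re1 ath0"}   # bridged LAN interfaces, as in the post
SPAN=${SPAN:-re2}                # mirror (span) port, as in the post
PEER=${PEER:-192.0.2.10}         # assumed LAN host the firewall will ping
COUNT=${COUNT:-5}                # packets to send / capture per interface
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Turn the member list and span port into ifconfig(8) bridge arguments,
# e.g. "addm re1 addm ath0 span re2 up".
bridge_args() {
    args=""
    for m in $MEMBERS; do args="$args addm $m"; done
    args="$args span $SPAN up"
    echo "${args# }"
}

# Create the bridge, bring the ports up and attach members and span port.
setup_bridge() {
    run ifconfig "$BRIDGE" create
    for m in $MEMBERS; do run ifconfig "$m" up; done
    run ifconfig "$SPAN" up
    run ifconfig "$BRIDGE" $(bridge_args)
}

# Count ICMP echo requests to $PEER seen on one interface while this host
# pings $PEER; prints the number of packets captured.
count_local_icmp() {
    iface=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ tcpdump -ni $iface -c $COUNT icmp and dst host $PEER" >&2
        echo "+ ping -c $COUNT $PEER" >&2
        echo 0
        return 0
    fi
    tmp=$(mktemp)
    tcpdump -ni "$iface" -c "$COUNT" -w "$tmp" icmp and dst host "$PEER" 2>/dev/null &
    tpid=$!
    sleep 1                                  # let tcpdump attach before pinging
    ping -c "$COUNT" "$PEER" >/dev/null 2>&1
    sleep 1
    kill "$tpid" 2>/dev/null                 # stop tcpdump if fewer than COUNT arrived
    wait "$tpid" 2>/dev/null
    tcpdump -nr "$tmp" 2>/dev/null | wc -l | tr -d ' '
    rm -f "$tmp"
}

# Compare the two counts. Prints "mirrored", "not-mirrored" or "no-traffic".
span_verdict() {
    bridge_seen=$1
    span_seen=$2
    if [ "$bridge_seen" -eq 0 ]; then
        echo no-traffic                      # nothing on bridge0: test is invalid
    elif [ "$span_seen" -ge "$bridge_seen" ]; then
        echo mirrored
    else
        echo not-mirrored                    # the symptom from the post
    fi
}

main() {
    setup_bridge
    b=$(count_local_icmp "$BRIDGE")
    s=$(count_local_icmp "$SPAN")
    echo "$BRIDGE saw $b, span port $SPAN saw $s: $(span_verdict "$b" "$s")"
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it as root with RUN_MAIN=1 on the firewall; a result of "not-mirrored" while bridge0 shows the packets is exactly the behaviour the post reports. Setting DRY_RUN=1 first shows the ifconfig and tcpdump invocations without touching any interface, which is a safe way to confirm the member and span arguments before applying them.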