From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
To: Shawn Saunders
Cc: freebsd-net@freebsd.org
Date: Tue, 07 Feb 2006 11:18:41 -0500
Message-ID: <43E8C861.5070209@mac.com>
Subject: Re: Trying to make a Host into a gigabit hub for testing
List-Id: Networking and TCP/IP with FreeBSD

Shawn Saunders wrote:
> The following is a layout of the type of configuration, and I have tried
> one2many and hub, but was unable to obtain the desired results. Whenever I
> try to set multiple hooks to the same interface it fails, and trying to
> bring a group of interfaces to a virtual interface, and then take that
> virtual interface out multiple different interfaces, seems to fail (I can't
> even make the connection to the virtual interface go to multiple outs.)
>
> I will have 11 interfaces inbound from 11 different networks.
> I will have 4 outbound to 4 different IDS's and sensors.
> I would like to have 11 interfaces come into a single virtual interface.
> This way I could run tcpdump and/or snort on the box itself and obtain quick
> info, and do validation of packet data, between the capture system and the
> IDS and sensors. I would like to redirect all the traffic from that one
> virtual interface to a group of 4 physical interfaces so the sensors can work
> on it.

What you're trying to do doesn't seem to make a lot of sense. While you can
use ng_fec to channel-bond two NICs on the same subnet/collision domain for
redundancy, or implement bridging instead, you can't use either when the NICs
are on different interfaces.

Tools like tcpdump prefer to work on a per-interface basis for a reason; this
is how the underlying BPF mechanism looks at things, although I believe there
is a flag to listen on all interfaces (might be Linux-only?).

Unless you've got remarkable hardware, you're not going to be able to
fastforward eleven GB NICs' worth of traffic, much less "do validation of
packet data". About the closest thing that would do what you've asked for is
a Cisco PIX 535, and even that can only take nine GB interfaces (at a $40,000
price tag, give or take). I guess you could buy two of them, though.

Maybe you could get a 12-port GB managed switch with a "roving analysis" port,
and configure each interface to a different VLAN, and connect your existing
machine to that. Of course, if the other interfaces are busy enough, you're
not going to fit all of that traffic into the analysis port.

-- 
-Chuck
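With the switch-based design suggested at the end of the reply (one VLAN per monitored network, all of them mirrored to a single analysis port), the capture host sees one stream of 802.1Q-tagged frames and has to work out which source network each frame came from before it can compare its own view with what the sensors saw. The following is an added example, not code from this thread or from FreeBSD, showing how to demultiplex such a mirrored stream by VLAN ID and tally bytes per source network; the VLAN-to-network mapping, the MAC addresses and the sample frames are constructed for the example.

```python
import struct
from collections import defaultdict

# Ethertype values from the IEEE 802 registry.
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed mapping: which VLAN the switch was configured to use for each
# monitored network feeding the analysis (SPAN / "roving analysis") port.
VLAN_TO_NETWORK = {101: "net-a", 102: "net-b", 103: "net-c"}


def parse_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload) for one Ethernet frame.

    vlan_id is None for untagged frames. Only a single 802.1Q tag is handled;
    a truncated header is reported as an error rather than silently misparsed,
    because a mirror port can deliver runt frames under load.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]   # VID is the low 12 bits of the TCI


def demux_by_vlan(frames, vlan_to_network=VLAN_TO_NETWORK):
    """Group frames by the monitored network their VLAN tag identifies.

    Frames with an unexpected or missing tag are kept under their own keys so
    that a misconfigured switch port shows up in the output instead of
    disappearing.
    """
    buckets = defaultdict(list)
    for frame in frames:
        vid, etype, payload = parse_frame(frame)
        if vid is None:
            name = "untagged"
        else:
            name = vlan_to_network.get(vid, f"unknown-vlan-{vid}")
        buckets[name].append((etype, payload))
    return dict(buckets)


def bytes_per_network(frames, vlan_to_network=VLAN_TO_NETWORK):
    """Total on-the-wire bytes per network, useful for checking whether the
    mirrored load can fit through the single analysis port."""
    totals = defaultdict(int)
    for frame in frames:
        vid, _, _ = parse_frame(frame)
        name = "untagged" if vid is None else vlan_to_network.get(vid, f"unknown-vlan-{vid}")
        totals[name] += len(frame)
    return dict(totals)


def build_frame(vid, ethertype, payload):
    """Construct a test frame (constructed MACs; vid=None means untagged)."""
    dst = bytes.fromhex("010203040506")
    src = bytes.fromhex("0a0b0c0d0e0f")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, vid, ethertype) + payload


# Constructed sample: three tagged frames from known networks, one from a VLAN
# the mapping does not know about, and one untagged ARP frame.
SAMPLE_FRAMES = [
    build_frame(101, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39),
    build_frame(102, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 59),
    build_frame(101, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame(150, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame(None, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
]

if __name__ == "__main__":
    for name, entries in sorted(demux_by_vlan(SAMPLE_FRAMES).items()):
        print(f"{name}: {len(entries)} frame(s)")
    print(bytes_per_network(SAMPLE_FRAMES))
```

The per-network byte totals are what you would compare against the analysis port's line rate: once the sum across all mirrored VLANs approaches that rate, the switch starts dropping mirrored frames and the host's view no longer matches what the sensors received, which is exactly the caveat in the last paragraph of the reply.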