April 20, 2019 Hello, I would like to run a Security Onion VM (Network Security Monitoring Tool), and need to set up Unraid to allow the traffic that I am mirroring to go to that VM. I have set up the VM according to the Security Onion guide, and I have also verified that my switch is correctly mirroring traffic. I cannot get the traffic to go through the server and into a VM, though. Attached are the settings I have. ENP3SO is the VM IP info. ETH3 is set up to work under BR3 (the server has multiple ports). Any tips/input/fix actions would be of great help! Thank you, bobbo489
April 29, 2019 Hi, I am looking for some similar action so I can monitor network traffic on this VM. Let me know if there is any update on this.
May 11, 2019 Stupid question.... did you assign the Unraid VM its own physical IP, and not share the host's IP?
May 11, 2019 Community Expert 9 minutes ago, imyourdaddy said: "Stupid question.... did you assign the Unraid VM its own physical IP, and not share the host's IP?" Maybe this is a stupid answer, but since they didn't mention an Unraid VM, I assume that Unraid is the host.
May 11, 2019 Oh, I thought he did. I read it as he has a Security Onion VM within Unraid that needs his/her network traffic mirrored to that VM. Also, I didn't mean Unraid is the VM. I meant that SO is the VM within Unraid. Sorry for the confusing wording. Edited May 11, 2019 by imyourdaddy
May 11, 2019 eth3 (br3) is configured in promiscuous mode; it should allow all traffic to pass to the VM. Are you sure your switch's mirrored port is copied to the port to which eth3 is connected?
May 11, 2019 Author Hi, thanks for looking at this. The Sensor VM of Security Onion is dual homed: one NIC is set to promiscuous and is supposed to receive all traffic; the other is how I can connect to it and how the Master Onion can connect to it. So it does have its own IP set for the interface that I need to talk to, while the other interface is set to promisc so it doesn't get an IP. As for making sure the switch is mirrored: yep, that was my first thought when I saw nothing was going through. I connected my laptop in place of the cable that comes from the switch to that physical interface, turned on Wireshark and then watched the packets flow!
May 11, 2019 2 minutes ago, bobbo489 said: "turned on Wireshark and then watched the packets flow" Any chance of using Wireshark inside the VM for verification purposes?
May 11, 2019 Author Yep, I used tcpdump -i enp3s0 and it is just seeing broadcast traffic coming through. It should be flying right now since I have a couple of video streams and music streams going.
June 12, 2019 In VMware you also have to set up VLAN 4095 on the port group and vSwitch to pass mirrored traffic to the VM. I had Security Onion running this way before in ESXi. I am new to Unraid, so I am not sure if setting the VLAN for an interface is possible or not.
June 23, 2019 Author So, still having the issue. I installed tcpdump on Unraid from NerdPack. tcpdump shows data flowing to br3 (the port that is hooked up to the mirrored port from the switch). I have also tried adding BR3 to other VMs; the only data that goes through to these other VMs is the same that goes to Security Onion. It seems that the VM Manager is dropping everything that isn't broadcast/multicast.
June 23, 2019 Author I also just tried setting up VLANs on both my USG and in the Network Settings of Unraid.... still no luck. BR3 is getting the data.... but it just isn't making it into the VMs.
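Editor's added example (not something any poster in this thread ran, and not an Unraid or Security Onion script): the symptom above, where tcpdump on the host sees everything on br3 but only broadcast/multicast reaches the VM taps, is what a Linux bridge does when it learns MAC addresses from mirrored frames. Every host seen in the SPAN copy is "learned" as living behind eth3, so unicast frames addressed to those hosts are never forwarded to the vnet ports; only flooded (broadcast/multicast/unknown-destination) frames get through. The script below assumes the thread's names (bridge br3, capture port eth3), parses `bridge -d link show` output to tell whether the capture port is still learning, and prints the iproute2 commands that turn learning off and keep flooding on for that port. The sample `bridge` output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: make a Linux bridge flood mirrored (SPAN) unicast frames to the
# VM taps instead of "learning" the mirrored hosts behind the capture port.
# Assumed names (from the thread): bridge br3, capture port eth3. Override with
# the BRIDGE and CAPTURE_PORT environment variables for a different layout.

BRIDGE="${BRIDGE:-br3}"
CAPTURE_PORT="${CAPTURE_PORT:-eth3}"

# Print the learning state ("on" or "off") of port $1 from the text of
# `bridge -d link show` given as $2. Prints nothing if the port is not listed,
# so a mistyped interface name is detectable rather than silently "fixed".
port_learning_state() {
  printf '%s\n' "$2" | awk -v port="$1" '
    /^[0-9]+: / { inport = ($2 == (port ":")) }
    inport && match($0, /learning (on|off)/) {
      print substr($0, RSTART + 9, RLENGTH - 9); exit
    }'
}

# The fix, printed rather than executed so it can be reviewed first and then
# piped to sh as root on the host (e.g. from Unraid's /boot/config/go so it
# survives a reboot). learning off stops the bridge from recording mirrored
# source MACs on the capture port; flood on keeps unknown-destination unicast
# going to every other port, which is where the VM taps live.
capture_port_commands() {
  cat <<EOF
ip link set dev $CAPTURE_PORT promisc on
bridge link set dev $CAPTURE_PORT learning off
bridge link set dev $CAPTURE_PORT flood on
EOF
}

# Exit status 0: capture port is still learning and needs the fix.
# Exit status 1: learning is already off. Exit status 2: port not in any bridge.
needs_fix() {
  state=$(port_learning_state "$CAPTURE_PORT" "$1")
  case "$state" in
    on)  return 0 ;;
    off) return 1 ;;
    *)   return 2 ;;
  esac
}

# Constructed sample of `bridge -d link show` output in the symptom state:
# eth3 and the VM tap vnet0 are both in br3 with MAC learning on.
SAMPLE_BRIDGE_OUTPUT='3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br3 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br3 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on'

# Stand-alone use: `sh bridge_span.sh --demo` checks the constructed sample;
# `sh bridge_span.sh --check` reads the live bridge state on this host.
case "${1:-}" in
  --demo)  OUT="$SAMPLE_BRIDGE_OUTPUT" ;;
  --check) OUT=$(bridge -d link show 2>/dev/null) ;;
  *)       OUT="" ;;
esac
if [ -n "$OUT" ]; then
  if needs_fix "$OUT"; then
    echo "# $CAPTURE_PORT in $BRIDGE is learning MACs; mirrored unicast will not reach the VMs. Apply:"
    capture_port_commands
  else
    echo "# $CAPTURE_PORT: learning already off or port not in a bridge (status $?)"
  fi
fi
```

Once learning is off, entries already learned on eth3 still sit in the forwarding database until they age out (300 seconds by default), so give it a few minutes before re-running tcpdump inside the VM. Only the capture port needs learning off; the vnet ports keep learning so the VM's management traffic still works normally on its other interface. This applies to the bridged setup in the thread, not to the later VFIO passthrough case, where the bridge is not in the path at all.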
July 18, 2019 Did you ever get anywhere with this? Trying to do something similar and getting stuck much like you, it seems...
August 14, 2019 Author No, I did not. I have been sidetracked the last month, so I haven't been able to dig into it any more.
April 15, 2020 I have a similar setup, same problem: the NIC I have forwarded to the VM via VFIO-PCI doesn't see anything but broadcast traffic, not the traffic I have forwarded to it using the SPAN port in my switch. Did anyone have a solution to this? @bobbo489 @blutak @Inderjeet Thanks! /k
July 4, 2020 Update 2 - I have now also come up with a way to do all this without using an entire NIC passed through to each VM. See my post at: Update 1 - I also solved the issue by passing through a PCIe slot as well as "half" a 4-port NIC. Everything below is just for history in case it helps other people. I also have the same problem. The only way around this that I can think of might be to try passing through an entire dedicated capture NIC to the VM, but I'd rather not have to do this because I wanted to have multiple IDS/packet-capture VMs running, all capturing from a single physical interface. This is a huge setback for me, as I completely rebuilt/upgraded this box to take over running the 24/7 VMs I had hosted on ESXi, to reduce power consumption. Sorry, edited my post as I didn't read yours properly and realized you've actually already done what I had thought might be the next step. Looks like someone may have solved this issue via passthrough: Edited August 6, 2020 by Hadrian_Aurelius (correction)