Enable Promiscuous Mode



Hello,

 

I would like to run a Security Onion VM (Network Security Monitoring Tool), and need to set up Unraid to allow the traffic that I am mirroring to go to that VM. I have set up the VM according to the Security Onion guide, and I have also verified that my switch is correctly mirroring traffic. I cannot get the traffic to go through the server and into a VM though. Attached are the settings I have. ENP3SO is the VM IP info. ETH3 is set up to work under BR3 (server has multiple ports). Any tips/input/fix actions would be of great help!

 

Thank you 

bobbo489

br3.PNG

eth3.PNG

vm.PNG

9 minutes ago, imyourdaddy said:

Stupid question.... did you assign the Unraid VM its own physical IP, and not sharing the host's IP?

Maybe this is a stupid answer, but since they didn't mention an Unraid VM then I assume that Unraid is the host.


Oh, I thought he did. I read it as he has a SecurityOnion VM w/in Unraid that needs his/her network traffic mirrored to that VM. Also, I didn't mean Unraid is the VM. I meant that SO is the VM w/in Unraid.

 

Sorry for the confusing wording.


Hi, thanks for looking at this. The Sensor VM of Security Onion is dual homed: one NIC is set to promiscuous and is supposed to receive all traffic, the other is how I can connect and how the Master Onion can connect to it. So, it does have its own IP set for the interface that I need to talk to, while the other interface is set to Promisc so it doesn't get an IP.

 

As for making sure the switch is mirrored: yep, that was my first thought when I saw nothing was going through. I connected my laptop in place of the cable that comes from the switch to that physical interface, turned on Wireshark, and then watched the packets flow!


So, still having the issue. I installed tcpdump on Unraid from NerdPack. tcpdump shows data flowing to br3 (the port that is hooked up to the mirrored port from the switch).

I have also tried adding BR3 to other VMs; the only data that goes through to these other VMs is the same that goes to Security Onion. It seems that the VM Manager is dropping everything that isn't a broadcast/multicast.
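
One way to check the observation in the post above, as an added example that is not code from the thread: compare `tcpdump -e -n` output taken on the host bridge with output taken inside the VM, counting frames by destination-MAC class. The capture lines, MAC and IP addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: <time> <src mac> > <dst mac>, ...
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(rf"^\S+\s+({MAC}) > ({MAC}),", re.I)

def classify(dst_mac):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # I/G bit (lowest bit of the first octet) set means a group address.
    return "multicast" if int(dst_mac[:2], 16) & 1 else "unicast"

def summarize(lines):
    """Count frames per destination class; lines without a MAC header are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[classify(m.group(2))] += 1
    return counts

def missing_in_guest(host_lines, guest_lines):
    """Classes seen on the host bridge that never reach the guest interface."""
    host, guest = summarize(host_lines), summarize(guest_lines)
    return sorted(k for k in host if guest[k] == 0)

# Constructed sample: capture on the host bridge (mirror port side).
HOST_CAPTURE = """\
14:02:11.100001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46
14:02:11.200002 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.10.5353 > 224.0.0.251.5353: 0 PTR (QM)? _http._tcp.local. (45)
14:02:11.300003 00:11:22:33:44:55 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51514 > 192.0.2.20.443: Flags [S], length 0
14:02:11.400004 00:11:22:33:44:66 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.20.443 > 192.0.2.10.51514: Flags [S.], length 0
""".splitlines()

# Constructed sample: capture inside the VM on its sniffing interface.
GUEST_CAPTURE = """\
14:02:11.100050 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46
14:02:11.200051 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.10.5353 > 224.0.0.251.5353: 0 PTR (QM)? _http._tcp.local. (45)
""".splitlines()

if __name__ == "__main__":
    print("host :", dict(summarize(HOST_CAPTURE)))
    print("guest:", dict(summarize(GUEST_CAPTURE)))
    print("missing in guest:", missing_in_guest(HOST_CAPTURE, GUEST_CAPTURE))
```

If `unicast` is the only class missing in the guest, the mirrored frames are reaching the bridge but not being forwarded to the VM's interface.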


Update 2 - I have now also come up with a way to do all this without using an entire NIC passed through to each VM.  See my post at:

 

 

Update 1 - I also solved the issue by passing through a PCIe slot as well as "half" a 4-port NIC.  Everything below is just for history in case it helps other people.

 

I also have the same problem.  The only way around this that I can think of might be to try passing through an entire dedicated capture NIC to the VM but I'd rather not have to do this because I wanted to have multiple IDS/packet-capture VMs running, all capturing from a single physical interface.  This is a huge setback for me as I completely rebuilt/upgraded this box to take over running my 24/7 VMs I had hosted on ESXi to reduce power consumption.   

 

Sorry, edited my post as I didn't read yours properly and realized you've actually already done what I had thought might be the next step.

 

Looks like someone may have solved this issue via pass through:

 

 

