bobbo489 Posted April 20, 2019
Hello, I would like to run a Security Onion VM (Network Security Monitoring Tool), and need to set up Unraid to allow the traffic that I am mirroring to go to that VM. I have set up the VM according to the Security Onion guide, and I have also verified that my switch is correctly mirroring traffic. I cannot get the traffic to go through the server and into a VM though. Attached are the settings I have. ENP3SO is the VM IP info. ETH3 is set up to work under BR3 (server has multiple ports). Any tips/input/fix actions would be of great help! Thank you, bobbo489
Inderjeet Posted April 29, 2019
Hi, I am looking for some similar action so I can monitor network traffic on this VM. Let me know if there is any update for the same.
imyourdaddy Posted May 11, 2019
Stupid question.... did you assign the Unraid VM its own physical IP, and not sharing the host's IP?
trurl Posted May 11, 2019
9 minutes ago, imyourdaddy said: Stupid question.... did you assign the Unraid VM its own physical IP, and not sharing the host's IP?

Maybe this is a stupid answer, but since they didn't mention an Unraid VM then I assume that Unraid is the host.
imyourdaddy Posted May 11, 2019
Oh, I thought he did. I read it as he has a SecurityOnion VM w/in Unraid that needs his/her network traffic mirrored to that VM. Also, I didn't mean Unraid is the VM. I meant that SO is the VM w/in Unraid. Sorry for the confusing wording.
Edited May 11, 2019 by imyourdaddy
bonienl Posted May 11, 2019
eth3 (br3) is configured in promiscuous mode; it should allow all traffic to pass to the VM. You are sure your switch mirrored port is copied to the port to which eth3 is connected?
bobbo489 Posted May 11, 2019 (Author)
Hi, thanks for looking at this. The Sensor VM of Security Onion is dual homed: 1 NIC is set to promiscuous and is supposed to receive all traffic, the other is how I can connect and the Master Onion can connect to it. So, it does have its own IP set for the interface that I need to talk to, while the other interface is set to Promisc so it doesn't get an IP. As for making sure the switch is mirrored: yep, that was my first thought when I saw nothing was going through. I connected my laptop in place of the cable that comes from the switch to that physical interface and turned on Wireshark and then watched the packets flow!
bonienl Posted May 11, 2019
2 minutes ago, bobbo489 said: turned on wireshark and then watched the packets flow

Any chance of using Wireshark inside the VM for verification purposes?
bobbo489 Posted May 11, 2019 (Author)
Yep, I used tcpdump -i enp3s0 and it is just seeing broadcast traffic coming through. It should be flying right now since I have a couple of video streams and music streams going.
ramraid62 Posted June 12, 2019
In VMware you also have to set up VLAN 4095 on the port group and vswitch to pass mirrored traffic to the VM. I had Security Onion running this way before in ESXi. I am new to Unraid so I am not sure if setting the VLAN for an interface is possible or not.
bobbo489 Posted June 23, 2019 (Author)
So, still having the issue. I installed tcpdump on Unraid from nerdpack. tcpdump shows data flowing to br3 (the port that is hooked up to the mirrored port from the switch). I have also tried adding BR3 to other VMs; the only data that goes through to these other VMs is the same that goes to Security Onion. It seems that the VM Manager is dropping everything that isn't a broadcast/multicast.
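
The comparison described in the post above (tcpdump on br3 on the host versus tcpdump on enp3s0 inside the VM), as an added example that is not part of the original thread: it tallies destination MAC classes from `tcpdump -e -n` text output so the two capture points can be compared. The function names and the sample lines (MACs, IPs) are constructed for illustration.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: "<src MAC> > <dst MAC>, ethertype ..."
# Some tcpdump output shows the word "Broadcast" instead of ff:ff:ff:ff:ff:ff.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(rf"(?P<src>{MAC}) > (?P<dst>{MAC}|Broadcast),", re.IGNORECASE)

def classify(dst):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst.lower() in ("broadcast", "ff:ff:ff:ff:ff:ff"):
        return "broadcast"
    # I/G bit: lowest bit of the first octet set means a group (multicast) address.
    return "multicast" if int(dst[:2], 16) & 1 else "unicast"

def tally(lines):
    """Count frames per destination class; lines without an Ethernet header are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[classify(m.group("dst"))] += 1
    return counts

def unicast_dropped(host_counts, vm_counts):
    """True when the host bridge saw unicast frames but the VM interface saw none."""
    return host_counts["unicast"] > 0 and vm_counts["unicast"] == 0

# Constructed sample: capture on the host bridge (br3).
HOST_BR3 = [
    "12:00:00.000001 02:00:00:00:00:10 > 02:00:00:00:00:20, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.443 > 192.0.2.20.51514: tcp 1448",
    "12:00:00.000102 02:00:00:00:00:20 > 02:00:00:00:00:10, ethertype IPv4 (0x0800), length 66: 192.0.2.20.51514 > 192.0.2.10.443: tcp 0",
    "12:00:00.000950 02:00:00:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46",
    "12:00:00.001400 02:00:00:00:00:30 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.30.5353 > 224.0.0.251.5353: 0 PTR (QM)? _example._tcp.local. (45)",
]
# Constructed sample: capture inside the VM (enp3s0) over the same interval.
VM_ENP3S0 = [
    "12:00:00.000951 02:00:00:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46",
    "12:00:00.001401 02:00:00:00:00:30 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.30.5353 > 224.0.0.251.5353: 0 PTR (QM)? _example._tcp.local. (45)",
]

if __name__ == "__main__":
    host, vm = tally(HOST_BR3), tally(VM_ENP3S0)
    print("host br3 :", dict(host))
    print("vm enp3s0:", dict(vm))
    print("unicast lost between bridge and VM:", unicast_dropped(host, vm))
```

To use it on real captures, save the text output of `tcpdump -e -n -i br3` on the host and `tcpdump -e -n -i enp3s0` in the VM over the same interval and pass each file's lines to `tally`.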
bobbo489 Posted June 23, 2019 (Author)
I also just tried setting up VLANs on both my USG and in the Network Settings of Unraid.... still no luck. BR3 is getting the datas.... but it just isn't making it into the VMs.
blutak Posted July 18, 2019
Did you ever get anywhere with this? Trying to do something similar and getting stuck much like you, it seems...
bobbo489 Posted August 14, 2019 (Author)
No, I did not. I have been sidetracked the last month so I haven't been able to dig into it anymore.
klausagnoletti Posted April 15, 2020
I have a similar setup, same problem; the NIC I have forwarded to the VM via VFIO-PCI doesn't see anything but broadcast traffic - not the traffic I have forwarded to it using the span port in my switch. Did anyone have a solution to this? @bobbo489 @blutak @Inderjeet
Thanks! /k
Hadrian_Aurelius Posted July 4, 2020
Update 2 - I have now also come up with a way to do all this without using an entire NIC passed through to each VM. See my post at:

Update 1 - I also solved the issue by passing through a PCIe slot as well as "half" a 4-port NIC. Everything below is just for history in case it helps other people.

I also have the same problem. The only way around this that I can think of might be to try passing through an entire dedicated capture NIC to the VM, but I'd rather not have to do this because I wanted to have multiple IDS/packet-capture VMs running, all capturing from a single physical interface. This is a huge setback for me as I completely rebuilt/upgraded this box to take over running my 24/7 VMs I had hosted on ESXi to reduce power consumption.

Sorry, edited my post as I didn't read yours properly and realized you've actually already done what I had thought might be the next step. Looks like someone may have solved this issue via pass through:
Edited August 6, 2020 by Hadrian_Aurelius (correction)