bobbo489

Enable Promiscuous Mode


Hello,

 

I would like to run a Security Onion VM (Network Security Monitoring Tool), and need to set up Unraid to allow the traffic that I am mirroring to go to that VM. I have set up the VM according to the Security Onion guide, and I have also verified that my switch is correctly mirroring traffic. I cannot get the traffic to go through the server and into a VM though. Attached are the settings I have. enp3s0 is the VM IP info. ETH3 is set up to work under BR3 (server has multiple ports). Any tips/input/fix actions would be of great help!

 

Thank you 

bobbo489

br3.PNG

eth3.PNG

vm.PNG


Hi,

 

I am looking for some similar action so I can monitor network traffic on this VM. Let me know if there is any update on this.

9 minutes ago, imyourdaddy said:

Stupid question.... did you assign the Unraid VM its own physical IP, and not sharing the host's IP?

Maybe this is a stupid answer, but since they didn't mention an Unraid VM then I assume that Unraid is the host.


Oh, I thought he did. I read it as he has a SecurityOnion VM w/in Unraid that needs his/her network traffic mirrored to that VM. Also, I didn't mean Unraid is the VM. I meant that SO is the VM w/in Unraid.

 

Sorry for the confusing wording.

Edited by imyourdaddy


eth3 (br3) is configured in promiscuous mode; it should allow all traffic to pass to the VM.

 

You are sure your switch mirrored port is copied to the port to which eth3 is connected?

 


Hi, thanks for looking at this. The Sensor VM of Security Onion is dual homed: 1 NIC is set to promiscuous and is supposed to receive all traffic, and the other is how I can connect and how the Master Onion can connect to it. So, it does have its own IP set for the interface that I need to talk to, while the other interface is set to Promisc so it doesn't get an IP.

 

As for making sure the switch is mirrored: yep, that was my first thought when I saw nothing was going through. I connected my laptop in place of the cable that comes from the switch to that physical interface and turned on Wireshark and then watched the packets flow!

2 minutes ago, bobbo489 said:

turned on Wireshark and then watched the packets flow

Any chance of using Wireshark inside the VM for verification purposes?


Yep, I used tcpdump -i enp3s0 and it is just seeing broadcast traffic coming through. It should be flying right now since I have a couple video streams and music streams going.


In VMware you also have to set up VLAN 4095 on the port group and vswitch to pass mirrored traffic to the VM. I had Security Onion running this way before in ESXi.

I am new to Unraid so I am not sure if setting the VLAN for an interface is possible or not.

 


So, still having the issue. I installed tcpdump on Unraid from nerdpack. tcpdump shows data flowing to br3 (the port that is hooked up to the mirrored port from the switch).

 

I have also tried adding BR3 to other VMs; the only data that goes through to these other VMs is the same that goes to Security Onion. It seems that the VM Manager is dropping everything that isn't a broadcast/multicast.

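The comparison described in the post above (tcpdump on br3 on the host versus tcpdump on enp3s0 inside the VM) can be made explicit by classifying each captured frame's destination MAC. This is an added example, not part of the original thread; it assumes captures taken with `tcpdump -e -n` so the Ethernet header is printed, and the sample lines and MAC addresses are constructed.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: "<time> <src> > <dst>, ethertype ..."
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
FRAME = re.compile(rf"\s({MAC}) > ({MAC}),", re.I)

def dest_class(mac):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if mac.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # The I/G bit (lowest bit of the first octet) marks a group address.
    return "multicast" if int(mac[:2], 16) & 1 else "unicast"

def summarize(lines):
    """Count frames per destination class; lines without an Ethernet header are skipped."""
    counts = Counter(broadcast=0, multicast=0, unicast=0)
    for line in lines:
        m = FRAME.search(line)
        if m:
            counts[dest_class(m.group(2))] += 1
    return counts

def compare(host_lines, vm_lines):
    """Compare what the host bridge sees with what the VM interface sees."""
    host, vm = summarize(host_lines), summarize(vm_lines)
    if not host["unicast"]:
        verdict = "no unicast on the bridge: check the switch mirror"
    elif not vm["unicast"]:
        verdict = "unicast reaches the bridge but not the VM"
    else:
        verdict = "unicast reaches the VM"
    return host, vm, verdict

# Constructed sample captures (all addresses are made up for illustration).
HOST_BR3 = [
    "12:00:00.000001 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.50, length 46",
    "12:00:00.000002 52:54:00:aa:bb:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.51.5353 > 224.0.0.251.5353: 0 PTR (QM)? example.local. (45)",
    "12:00:00.000003 00:11:22:33:44:55 > 52:54:00:aa:bb:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.1.443 > 192.168.1.50.51000: Flags [.], length 1448",
    "12:00:00.000004 52:54:00:aa:bb:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 192.168.1.50.51000 > 192.168.1.1.443: Flags [.], length 0",
]
VM_ENP3S0 = HOST_BR3[:2]  # constructed: only the broadcast and multicast frames arrive

if __name__ == "__main__":
    host, vm, verdict = compare(HOST_BR3, VM_ENP3S0)
    print("br3   :", dict(host))
    print("enp3s0:", dict(vm))
    print(verdict)
```

Capture on both sides over the same interval and pass the saved lines to `compare()`; a non-zero unicast count on br3 with zero on enp3s0 matches the symptom reported in the thread.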

I also just tried setting up VLANs on both my USG and in the Network Settings of Unraid....still no luck.

BR3 is getting the data....but it just isn't making it into the VMs.


Did you ever get anywhere with this? Trying to do something similar and getting stuck much like you it seems...


No, I did not.  I have been sidetracked the last month so I haven't been able to dig into it anymore.
