How do I setup port mirroring on Tomato firmware?

Discussion in 'Tomato Firmware' started by bobross, May 1, 2013.

  1. bobross

    bobross Reformed Router Member

  2. PBandJ

    PBandJ Networkin' Nut Member

  3. bobross

    bobross Reformed Router Member

    I don't know anything about command line stuff or what an IP table is. Could you give me a short example? A list of Google hits that are asking the same thing does not really help much.

    Why would stock firmware be a simple drop down but Tomato will require some script?
     
  4. darkknight93

    darkknight93 Networkin' Nut Member

    iptables is a tool to perform different routing of IP packets - so it works on ISO Layer 3.

    With iptables it's possible to drop or reject specific IP packets, reroute them or create other layer 3 based stuff.


    iptables is included in every mod (Toastman, TomatoUSB, Shibby...)


    Because Tomato is third-party firmware and still a work in progress, or better said "improving", not all business features are implemented yet. But of course feel free to request those features!
     
  5. bobross

    bobross Reformed Router Member

    Should something like this work?

    iptables -A PREROUTING -t mangle --source 192.168.1.1 -j ROUTE --gw 192.168.1.100 -- tee

    ?

    I'm just trying to learn and understand from the other examples around the web.
     
  6. rs232

    rs232 Network Guru Member

  7. bobross

    bobross Reformed Router Member

    I don't think I'm capable of that. I am trying analysis with WFilter program. Seems very similar to Wireshark. I don't know much linux so unless it was spoon-fed I doubt I could do it.

    The port mirroring seems to be the issues. I just don't understand much about routers at all.
     
  8. bobross

    bobross Reformed Router Member

    Ok, just ran iptables -L on the router. Having some trouble understanding all this, but I can see some destinations going to my PC, so that is a start I guess.

    Might be able to figure this out with some help.
     
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    Code:
    iptables -A PREROUTING -t mangle --source 192.168.1.1 -j ROUTE --gw 192.168.1.100 --tee
    You had a space between -- and tee, that definitely won't work.

    That can be shortened to:
    Code:
    iptables -A PREROUTING -t mangle -s 192.168.1.1 -j ROUTE --gw 192.168.1.100 --tee
    You'll likely want to also mirror packets being sent TO 192.168.1.1 as well, which would take an additional command:
    Code:
    iptables -A PREROUTING -t mangle -d 192.168.1.1 -j ROUTE --gw 192.168.1.100 --tee
    Between the two of them you're mirroring data sent from or to 192.168.1.1 to the gateway 192.168.1.100. Note this only means internet traffic - LAN traffic (traffic directly between devices on your network) normally can't be captured by iptables.

    I've actually never played with mirroring before in iptables, I've only done it in IOS and CatOS, but it sounds like this should work provided you're not using an old version of Tomato.
     
  10. bobross

    bobross Reformed Router Member

    Thank you Monk E. Boy, I'll give it a whirl
     
  11. bobross

    bobross Reformed Router Member

    Hmm, still nothing. Does UPnP & NAT-PMP need to be enabled?
     
  12. Monk E. Boy

    Monk E. Boy Network Guru Member

    If you type them in a telnet or ssh session, does it spit back any errors?

    You may need to run the following command as well:
    Code:
    modprobe ipt_ROUTE
    Sorry, I don't have any extra Tomato routers I can putz with this stuff on right now. I should drag my RT-N12B1 in from home, it's just lying around idle...
     
  13. bobross

    bobross Reformed Router Member

    I typed in

    Code:
    iptables -A PREROUTING -t mangle -s 192.168.1.1 -j ROUTE --gw 192.168.1.100 --tee
    Code:
    iptables -A PREROUTING -t mangle -d 192.168.1.1 -j ROUTE --gw 192.168.1.100 --tee
    Code:
    modprobe ipt_ROUTE
    No errors, nothing spit back to me.

    The only things that I can gather from iptables -L being routed to my machine are these:

    Chain FORWARD <policy DROP>
    Chain wanin <1 references>

    Everything else has destination "anywhere". Is that correct?
     
  14. bobross

    bobross Reformed Router Member

    So I can see other PCs, but I don't think the packets are being forwarded. I can only see data from my computer.

    To monitor other computers, the WFilter computer shall be deployed at a single location in the network where it can monitor all internet traffic.
    There are two different kinds of deployment solutions:
    1. Pass-by mode: set up a mirroring port in your switch/router, and connect WFilter computer to the mirroring port to do monitoring/filtering.
    Do I need to be on port 1 and everyone else off a switch from port 2? Or do I need to be on port 2 and everyone else on port 1?

    Damn this is confusing... :(

    Also "Both outbound and inbound traffic is required by WFilter. If you only mirror one direction packets, WFilter can not work properly."

    Do the firewall commands reflect that?
     
  15. bobross

    bobross Reformed Router Member

    I downloaded rpcapd. Can you walk me through installing/running it? I'm not sure exactly how to "run" stuff on a router.
     
  16. rs232

    rs232 Network Guru Member

    Where are you stuck?

    1) enable ssh if not already done (administration/admin access)
    2) connect to your [ routerIP: port] using e.g. putty
    3) download the rpcapd into e.g. /tmp/ e.g. wget http://[rpcapd url]
    4) run the command as per my post above

    Trust me, it's more difficult to explain than to do.

    P.S. The above procedure will not survive a reboot, as /tmp is actually saved into RAM. If you need a permanent installation of rpcapd you need the router to have access to some sort of storage, e.g. jffs (not suggested!)/cifs/usb.

    HTH
     
  17. Monk E. Boy

    Monk E. Boy Network Guru Member

    iptables -L does not list all the iptables on the system.

    You have to perform iptables -L -t nat to see the NAT tables (or is that chains?)
    You have to perform iptables -L -t mangle to see the mangle tables

    I think there's another table but the name escapes me right now...

    Your rule mirrors traffic originating from or being sent to 192.168.1.1. If 192.168.1.1 is your router, keep in mind this rule will only capture traffic from client PCs that's being explicitly sent to the router, not THROUGH the router (e.g. data being sent to/from a server on the internet from/to a client on the LAN/WLAN will not be mirrored, as neither the source nor destination is 192.168.1.1).

    Perhaps if you explain what you want to accomplish with port mirroring we can whip something up. Do you want to mirror all traffic from LAN/WLAN systems?
     
  18. bobross

    bobross Reformed Router Member

    I have a simple network with a handful of computers. I need to monitor some file activity. Just a router and a couple of switches. I'm trying to do this with WFilter enterprise edition and according to the instructions it should be a matter of simple port mirroring.

    I'm using the trial but only have a couple of days left for evaluation. I really want to know if I can get this working before then, kind of important for a purchase decision. :)
     
  19. bobross

    bobross Reformed Router Member

    So the awesome people over on the WFilter forums have setup a tutorial on getting their software working with Tomato. I'm having what seems to be one last problem.

    From the discussion:

    ME: I get this "Can not monitor other computers." Also, I'm only able to monitor FILES on my local machine, not other PCs on the network?

    Support: Can you post me a screenshot of the result of "iptables -t mangle -L"?

    (posted output)

    Support: The ROUTE rule is not added. When successfully added, you will be able to see "ROUTE" rule in your iptables list.

    ME: Yeah hmmm. I don't see that on the table even after "modprobe ipt_ROUTE" is set via telnet, firewall/INT.
    Strange. Looks like Tomato just isn't taking that command even though no error comes back via telnet.



    Any ideas why ROUTE rule is not working?
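    An added example, not from this thread or from Tomato/WFilter: a small POSIX shell script that prints the two mirror rules from Monk E. Boy's post and then parses `iptables -t mangle -L -n` output to tell whether a ROUTE --tee rule for the monitored host actually landed in PREROUTING (the check WFilter support asked for). It assumes the build ships ipt_ROUTE; the host/gateway addresses and the sample listings are constructed to match the thread.

```shell
#!/bin/sh
# Added example; not code from the thread. Assumes an iptables build with the
# ROUTE target (ipt_ROUTE). Addresses follow the thread: 192.168.1.1 is the
# monitored host, 192.168.1.100 the machine running the capture tool.

# Print the commands that mirror both directions of traffic for host -> gw.
# Both directions matter: WFilter will not work with one-way mirroring.
mirror_rules() {
    host="$1"; gw="$2"
    printf 'modprobe ipt_ROUTE\n'
    printf 'iptables -A PREROUTING -t mangle -s %s -j ROUTE --gw %s --tee\n' "$host" "$gw"
    printf 'iptables -A PREROUTING -t mangle -d %s -j ROUTE --gw %s --tee\n' "$host" "$gw"
}

# Read `iptables -t mangle -L -n` on stdin (-n keeps addresses numeric; plain
# -L prints "anywhere"/hostnames) and report "both", "one" or "none" depending
# on how many mirror directions exist for host in PREROUTING.
mangle_route_check() {
    awk -v h="$1" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $1 == "ROUTE" && $4 == h { from = 1 }
        chain == "PREROUTING" && $1 == "ROUTE" && $5 == h { to = 1 }
        END {
            if (from && to) print "both"
            else if (from || to) print "one"
            else print "none"
        }'
}

# Constructed sample listings (not real router output).
SAMPLE_MIRRORED='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ROUTE      all  --  192.168.1.1          0.0.0.0/0            ROUTE gw:192.168.1.100 tee
ROUTE      all  --  0.0.0.0/0            192.168.1.1          ROUTE gw:192.168.1.100 tee

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# The situation in the thread: the commands gave no error, yet no rule exists.
SAMPLE_MISSING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

check_mirrored() { printf '%s\n' "$SAMPLE_MIRRORED" | mangle_route_check 192.168.1.1; }
check_missing()  { printf '%s\n' "$SAMPLE_MISSING"  | mangle_route_check 192.168.1.1; }

mirror_rules 192.168.1.1 192.168.1.100
```

On the router itself, replace the sample with `iptables -t mangle -L -n | mangle_route_check 192.168.1.1`; "none" after running the commands means the ROUTE target was silently not installed, so check `lsmod` for ipt_ROUTE before looking further.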
     
  20. bobross

    bobross Reformed Router Member

    Just thought I would ask again. Any ideas why ROUTE rule is not working? :(
     