Creating a SPAN port to monitor multiple VLANs on pfSense


#1

I am struggling to set up a SOHO IDS system using a variety of methods. One desire is to create a SPAN port with an isolated host continuously running tshark in promiscuous mode with a ring buffer so I don’t run out of drive space, giving me a full packet look-back for a few days. The challenge seems to be that I have several VLANs coming from a switched AP/WLAN (not routing) into a trunk port going to a pfSense box sitting between my cable modem and the network.

First I tried to do the port mirroring on a spare port of the switched AP/WLAN (Netgear router running OpenWRT), but couldn’t figure out the iptables configuration (tried tweaking the MANGLE table, etc.), then I moved the mirror port to an open interface on the pfSense box, bridging all of the VLANs into a single bridge that then SPANned to the tshark host on the separate interface.

I was happily able to gather all of the VLAN data from various subnets on the tshark host, but it seemed I caused some troubles with pfSense routing across networks when I started logging into the different VLAN networks using the same laptop for some SSH work. I assume that it is because the MAC for the laptop stays the same, and I have static IP addresses assigned for this laptop on the various networks. I might have made this SPAN port ‘sticky’, and that may have been the problem.

My question for the experts on the forum (I am far from experienced in this arena): Is there a problem bridging multiple VLANs (each has its own IP address)? They all come into the pfSense box on a single physical interface via the trunk, and the only purpose of the bridge is to monitor internal network traffic.

Another question: the tshark host is a Raspberry Pi 3 with USB storage that has both an ethernet and a wireless NIC. I would like to be able to set the ethernet NIC into promiscuous mode connected to the pfSense box and use the wireless NIC on one of the WLAN networks to SSH into the RPi, but the RPi seems to not hold both connections. Perhaps something about hotplugging priority? Anyone have any suggestions?

It's okay if someone wants to connect directly with me if this thread is too esoteric.
Thanks

P
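The symptom described above (one laptop MAC with static addresses on several VLANs, all arriving on the bridged SPAN feed) can be checked directly in the captured frames. The following is an added example, not code from the post or from pfSense: it parses 802.1Q-tagged Ethernet/IPv4 headers and reports any source MAC seen on more than one VLAN. The MAC addresses, VLAN IDs and IPs are constructed sample values.

```python
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag, present on frames copied off a trunk
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes):
    """Return (src_mac, vlan_id, src_ip) for an IPv4 frame, tagged or untagged; None otherwise."""
    if len(frame) < 14:
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:          # tagged: 4-byte TCI + inner ethertype follows
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF               # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    src_ip = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    return src.hex(":"), vlan_id, src_ip

def mac_vlan_map(frames):
    """Map each source MAC to the set of (vlan_id, src_ip) pairs it was seen with."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            mac, vlan, ip = parsed
            seen[mac].add((vlan, ip))
    return dict(seen)

def multi_vlan_macs(frames):
    """MACs that appear on more than one VLAN: the situation the bridge may treat as a MAC move."""
    return {mac: sorted(pairs) for mac, pairs in mac_vlan_map(frames).items()
            if len({vlan for vlan, _ in pairs}) > 1}

def build_frame(src_mac, vlan_id, src_ip):
    """Constructed sample: minimal Ethernet + optional 802.1Q tag + 20-byte IPv4 header."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(src_mac.replace(":", ""))
    tag = b"" if vlan_id is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    ip_hdr = (bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0)
              + bytes(int(o) for o in src_ip.split(".")) + bytes([10, 0, 0, 1]))
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr

# Constructed capture: the laptop (ee:01) on VLAN 10 and 20, a printer (ee:02) on VLAN 10 only, one untagged frame.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:dd:ee:01", 10, "192.168.10.50"),
    build_frame("aa:bb:cc:dd:ee:02", 10, "192.168.10.7"),
    build_frame("aa:bb:cc:dd:ee:01", 20, "192.168.20.50"),
    build_frame("aa:bb:cc:dd:ee:03", None, "192.168.1.9"),
]
```

Running `multi_vlan_macs` over a real capture (frames read from the ring-buffer pcaps) lists exactly the hosts whose single MAC straddles VLANs, which is the first thing to look at when the bridged SPAN setup coincides with routing trouble.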