How to mirror all traffic from ether1 (except traffic that goes to/from 192.168.1.1) to ether2

I need to mirror all traffic from ether1 to ether2. But traffic that goes to/from IP-address 192.168.1.1 should not be mirrored.

ether1 and ether2 are in one switch-group. The server with IP-address 192.168.1.1 (billing server) is connected to ether2.

When I’m trying to authenticate on the billing server with the client agent, it shows me a security alert. That’s because the billing server receives 2 UDP authentication packets at a time. The first packet comes by switching, the second by mirroring. The billing system counts traffic, but also authorizes clients.

I know that this can be implemented by rules, but every config I try fails.

Example
switch1 (source port - ether1, target port - ether2, switch all ports disabled).
Rules:

/interface ethernet switch rule
add dst-address=192.168.1.1/32 ports=ether1 switch=switch1

Any help?

I recommend that you use two interfaces on the billing server - one dedicated to sniffing traffic, and another for routine IP communications. (disable IP on the sniffing interface)

Don’t do weird things unless you absolutely have to.

Is it impossible or just a bad practice?

It’s bad practice. It’s a complicated work-around that adds unnecessary load to the Mikrotik’s CPU.

It’s a trivial thing to keep the management traffic physically separated from the sniffing traffic: Use two interfaces. This is a natural solution to the problem, and the Mikrotik won’t have to do anything unusual at all for things to work as they should.
It won’t even confuse the sniffer interface to receive copies of the management traffic because all it’s doing is logging what it sees. (remember to disable IP on that interface on the host)

Everything is normal now, and there’s no need to make the Mikrotik inspect each and every frame because it might be sending duplicates to some port that’s trying to do double-duty.
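
The duplicate-delivery symptom from the first post can be confirmed from a capture taken on the billing server's interface. The following is an added example, not part of the thread: the packet records, UDP port 5000, client addresses and the 5 ms window are constructed assumptions.

```python
from collections import namedtuple
import hashlib

# Constructed record: capture time plus the fields that identify one IP datagram.
Packet = namedtuple("Packet", "ts src dst proto sport dport ip_id payload")

def fingerprint(p):
    """Identity of a datagram, independent of when it was captured."""
    digest = hashlib.sha256(p.payload).hexdigest()
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.ip_id, digest)

def find_mirror_duplicates(packets, host_ip, window=0.005):
    """Return (first, copy) pairs: identical datagrams to/from host_ip seen
    again within `window` seconds, as happens when one port both receives
    switched traffic and is the mirror target."""
    last_seen = {}
    dupes = []
    for p in sorted(packets, key=lambda q: q.ts):
        if host_ip not in (p.src, p.dst):
            continue  # transit traffic: arrives once, via the mirror only
        key = fingerprint(p)
        first = last_seen.get(key)
        if first is not None and p.ts - first.ts <= window:
            dupes.append((first, p))
        else:
            last_seen[key] = p
    return dupes

BILLING = "192.168.1.1"
# Constructed sample capture on the billing server's single interface.
SAMPLE = [
    Packet(0.0000, "192.168.1.50", BILLING, "udp", 40000, 5000, 101, b"auth-request"),
    # Same datagram again 0.2 ms later: the mirrored copy.
    Packet(0.0002, "192.168.1.50", BILLING, "udp", 40000, 5000, 101, b"auth-request"),
    # Transit traffic, delivered by the mirror only.
    Packet(0.0100, "192.168.1.50", "10.0.0.9", "tcp", 40010, 80, 102, b"GET /"),
    # Genuine client retry: new IP ID, outside the window.
    Packet(2.0000, "192.168.1.50", BILLING, "udp", 40000, 5000, 150, b"auth-request"),
]

if __name__ == "__main__":
    for first, copy in find_mirror_duplicates(SAMPLE, BILLING):
        print(f"duplicate {first.src} -> {first.dst} ip_id={first.ip_id} "
              f"delta={copy.ts - first.ts:.4f}s")
```

With a dedicated sniffing interface that has IP disabled, the same check run on the management interface's capture should return no pairs.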