Port Mirroring on RB450G router

I have a simple router/NAT setup on a 450G (routerOS v5.7):

  • ether1 (renamed to wan) connected to a cable modem
  • ether2-5 in a bridge on the LAN
  • NAT/masquerade between wan and LAN and some filtering rules

I want to mirror wan to one of the LAN ports (ether2) to run an IDS (e.g. Snort), so I removed ether2 from the bridge and ran:

/interface ethernet switch set numbers=0 mirror-source=wan mirror-target=ether2-local

 #   NAME       TYPE           MIRROR-SOURCE   MIRROR-TARGET   SWITCH-ALL-PORTS
 0   switch1    Atheros-8316   wan             ether2-local    yes

But I don't see any traffic on ether2.

Here is my interface setup:

/interface ethernet switch port print
Flags: I - invalid
 #   NAME           SWITCH    VLAN-MODE   VLAN-HEADER
 0   ether2-local   switch1   fallback    leave-as-is
 1   ether3-local   switch1   fallback    leave-as-is
 2   ether4-local   switch1   fallback    leave-as-is
 3   ether5-local   switch1   fallback    leave-as-is
 4   wan            switch1   fallback    leave-as-is
 5   switch1_cpu    switch1   fallback    leave-as-is

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #     INTERFACE      BRIDGE   PRIORITY   PATH-COST   HORIZON
 0     ether3-local   bridge   0x80       10          none
 1 I   ether4-local   bridge   0x80       10          none
 2     ether5-local   bridge   0x80       10          none

I also have filter and NAT rules, but do they still apply to the mirrored port? In any case I don't see anything being blocked in the filter stats monitor.

Any idea what I could be doing wrong?

Thanks!

You might find that the port mirror is a function of the switch chip so you might need to add wan as a master-port for ether2

It doesn’t make any difference, still no traffic on ether2:

 /interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME                             MTU MAC-ADDRESS       ARP        MASTER-PORT                         SWITCH                        
 0 RS ether2-local                    1500 00:0C:42:3E:57:D1 enabled    wan                                 switch1                       
 1 R  ether3-local                    1500 00:0C:42:3E:57:D2 enabled    none                                switch1                       
 2    ether4-local                    1500 00:0C:42:3E:57:D3 enabled    none                                switch1                       
 3 R  ether5-local                    1500 00:0C:42:3E:57:D4 enabled    none                                switch1                       
 4 R  wan                             1500 00:21:91:DC:BE:CC enabled    none                                switch1

 /interface ethernet switch print
Flags: I - invalid 
 #   NAME                          TYPE         MIRROR-SOURCE                        MIRROR-TARGET                        SWITCH-ALL-PORTS
 0   switch1                       Atheros-8316 wan                                  ether2-local                         yes

I tried a switch rule as well, makes no difference:

/interface ethernet switch rule print
Flags: X - disabled, I - invalid 
 0   switch=switch1 ports=wan copy-to-cpu=no redirect-to-cpu=no mirror=yes

Am I missing something??
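For reference, here is the complete sequence the thread describes (remove the port from the bridge, make it a slave of wan as the reply suggests, set the switch-chip mirror), written out as one RouterOS v5 script. This is an added example, not a config posted by anyone in the thread; the interface and switch names (wan, ether2-local, switch1, bridge) are the ones shown above, and whether the master-port step is actually required for the mirror to work on this chip is the open question of the thread, not something this example settles.

```routeros
# Added example: port mirror of wan onto ether2 on an RB450G (RouterOS v5).
# Names assumed from the thread: wan, ether2-local, switch1, bridge.

# 1. Take ether2 out of the LAN bridge so it is no longer switched with the LAN.
/interface bridge port remove [find interface=ether2-local]

# 2. The reply's suggestion: put ether2 in the same hardware switch group as
#    wan, because the mirror copy is made by the Atheros switch chip, not by
#    the CPU. (Requirement depends on the chip; the thread leaves this open.)
/interface ethernet set ether2-local master-port=wan

# 3. Configure the mirror on the switch chip itself: every frame entering or
#    leaving wan is copied to ether2-local.
/interface ethernet switch set switch1 mirror-source=wan mirror-target=ether2-local

# 4. Confirm the chip accepted the setting (expected: MIRROR-SOURCE=wan,
#    MIRROR-TARGET=ether2-local, SWITCH-ALL-PORTS=yes).
/interface ethernet switch print
```

Two things follow from the mirror being a switch-chip function. First, the copy is made before the frame reaches the CPU, so the firewall filter and NAT rules never see the mirrored copy; the IDS gets raw WAN traffic as it arrives at the router, which is what an IDS wants, and the filter stats will not change because of the mirror. Second, with ether2 slaved to wan the IDS host sits on the same hardware switch group as the modem-facing port, so give the sniffing interface on that host no IP address and run it in promiscuous mode only (e.g. Snort bound to it, or `tcpdump -ni <iface>` to confirm frames are arriving). Verify on the IDS host rather than with the router's own `/tool sniffer`: the sniffer captures at the CPU and may not see frames the switch chip copies straight to the port.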