RB2011UAS-2HnD-in Port Mirror

RouterOS Beginner Basics
1

Hi, I got a RB2011UAS-2HnD-in recently and been trying to set up my network.. My knowledge in Networking is rather limited, although I did get the network up and running by reading around..

My config is like this:

Ether1 is connected to a cable modem
Ether 2-5 has Ether1 as master port
Ether 7-10 has Ether6 as master port (as it comes out of the box)

Ether1, Wlan1, Ether6 are bridged.

With this config all the devices connected to the ethernet ports (2 to 6) and all the wireless clients can accesss each other and the internet.

What I would like to do is, Mirror all the traffic coming in and out of the network, to a port which can then be used to run snort.. So I’ve added Ether1 as Mirror source and Ether5 as mirror target, but it doesnt seem to work as snort can’t see any traffic on ether5..

I read a few other posts on mirroring and someone had suggested using a rule to mirror the port which again I tried with no success..

Some Output from the terminal:

[admin@RB2011] > interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME                                    MTU MAC-ADDRESS       ARP        MASTER-PORT                                 SWITCH                                
 0 X  sfp1-gateway                           1500 D4:CA:6D:8E:45:A9 enabled    none                                        Gigabit                               
 1 R  ether1-Gateway                         1500 D4:CA:6D:8E:45:AA enabled    none                                        Gigabit                               
 2 RS ether2-DNS-DHCP                        1500 D4:CA:6D:8E:45:AB enabled    ether1-Gateway                              Gigabit                               
 3 RS ether3-FreeNAS                         1500 D4:CA:6D:8E:45:AC enabled    ether1-Gateway                              Gigabit                               
 4 RS ether4-PC                              1500 D4:CA:6D:8E:45:AD enabled    ether1-Gateway                              Gigabit                               
 5 RS ether5-MirrorTarget                    1500 D4:CA:6D:8E:45:AE enabled    ether1-Gateway                              Gigabit                               
 6    ether6-Printer                         1500 D4:CA:6D:8E:45:AF enabled    none                                        FastEthernet                          
 7  S ether7-slave-local                     1500 D4:CA:6D:8E:45:B0 enabled    ether6-Printer                              FastEthernet                          
 8  S ether8-slave-local                     1500 D4:CA:6D:8E:45:B1 enabled    ether6-Printer                              FastEthernet                          
 9  S ether9-slave-local                     1500 D4:CA:6D:8E:45:B2 enabled    ether6-Printer                              FastEthernet                          
10  S ether10-slave-local                    1500 D4:CA:6D:8E:45:B3 enabled    ether6-Printer                              FastEthernet




[admin@RB2011] > interface ethernet switch print     
Flags: I - invalid 
 #   NAME                                 TYPE         MIRROR-SOURCE                                MIRROR-TARGET                                SWITCH-ALL-PORTS
 0   Gigabit                              Atheros-8327 ether1-Gateway                               ether5-MirrorTarget                         
 1   FastEthernet                         Atheros-8227 none                                         none

Can anyone guide me in the right direction as to how to get this to work, or perhaps how to test if mirroring actually work and if it’s my IDS that’s not doing the job.. Thank you very much for any help you can give me :slight_smile:..

2

Did you ensure that Ether 5 is no longer slaved to Ether 1?

Is your cable modem is acting as the firewall?

3

Hi CelticComms, Thank you for your suggestion..

Somehow it seems to be working now, I don’t have a clue how.. I tried messing around with the settings but put everything back as it was when I made this post in case someone suggested something and I didn’t want my config to be different.. I’ve run the same print commands again and it shows the same output on the terminal as I have showed before, So no idea how it’s working; but it is now, so I’m happy.. :smiley:.. I guess this thread can be closed.. :slight_smile: