On 24/02/12 01:40 AM, Simon Iremonger wrote:
> On 2012-02-24 08:07, Jack Bates wrote:
>> We run "ntop" on a computer connected to our router, for traffic
>> analysis:
>> http://jdbates.blogspot.com/2012/02/this-is-followup-to-this-post-on-how-to.html
>> We make OpenWrt forward all traffic sent and received on our WAN
>> interface to the "ntop" computer with the following lines in
>> /etc/firewall.user:
>>
>> iptables -A PREROUTING -t mangle -i eth0.1 -j TEE --gateway 192.168.1.7
>> iptables -A POSTROUTING -t mangle -o eth0.1 -j TEE --gateway 192.168.1.7
>>
>> This works well, except that we also NAT traffic on our WAN
>> interface. We want to monitor traffic *before* NAT.
> Can you not... just ... ask it to capture/mirror traffic on the LAN
> interface thereby catching it on the IP addresses used on that
> side? (i.e. change the "eth0.1" appropriately).
> Hopefully it has the sense to the mirrored traffic itself on the
> LAN etc.
> Unless other traffic is going 'through' the router (e.g. between
> multiple internal LANs), it should only otherwise get data
> going to/from the WAN.
> Hope that helps, interested in your thoughts!
Thank you Simon, other traffic is flowing "through" this router, but
maybe we can exclude it with the right netfilter rules?
There are five other routers in our LAN and this, the "main" router,
forwards traffic between devices in the local subnet and these other
routers. We can exclude this traffic by matching source addresses in the
local subnet, and subnets connected to these other routers.

We use policy routing to forward web traffic to a transparent caching
proxy. This proxy is connected to our LAN interface. We want to monitor
traffic sent and received on our WAN interface, so we want to monitor
traffic between our WAN interface and the proxy, but exclude traffic
between the proxy and our LAN interface.

By monitoring traffic leaving our WAN interface, we monitor outgoing
traffic from the proxy to our WAN interface. If we also monitor traffic
leaving our LAN interface (excluding source addresses in our subnets),
then we correctly monitor traffic returning to the proxy from our WAN
interface.

We correctly exclude traffic from our LAN interface to the proxy because
it matches the source addresses we exclude. However, because it is a
*transparent* proxy, the source addresses of traffic from the proxy to
our LAN interface are *not* the address of the proxy, but of the
internet host that the client *thinks* it is communicating with.

So, maybe it is possible to exclude other traffic flowing "through" this
router with the right netfilter rules, *but*:

* It is more complicated to *exclude* source addresses in our
subnets, and keep these rules up to date, than to *include* all traffic
received on our WAN interface.
* I don't know how to exclude traffic from the proxy to our LAN
interface, because the source address is the same as traffic we want to
monitor, from our WAN interface to the proxy.
Any other thoughts, how to mirror traffic sent and received on our WAN
interface, *after* NAT?
> p.s. I just don't use NAT on my wan-router ;-) Native dual stack
> IPv4 and IPv6 block =). None of that nonsense... =).
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-users
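An added example, written for this page and not posted by anyone in the thread: a /etc/firewall.user fragment (OpenWrt sources that file as a shell script) that mirrors WAN traffic to the ntop host with the internal, pre-NAT addresses in both directions. The interface name eth0.1 and the gateway 192.168.1.7 are taken from the thread; the script layout, the `apply` mode and the choice of chains are this example's own. The point it rests on is a kernel fact: inside one netfilter hook the mangle table (priority -150) is traversed before the nat table (-100 in PREROUTING, +100 in POSTROUTING), so a TEE copy taken in mangle POSTROUTING already carries the pre-SNAT source, whereas a copy taken in mangle PREROUTING is made before the reverse NAT and still shows the public destination. Moving the inbound copy to mangle FORWARD (and mangle INPUT for packets addressed to the router itself), which run after nat PREROUTING, gives copies with the internal destination; because every rule is scoped to the WAN interface, traffic between the proxy and the LAN interface is never copied and needs no exclusion rule.

```shell
#!/bin/sh
# Added example (not from the thread): mirror traffic crossing the WAN
# interface to an ntop box so the copies carry *internal* (pre-NAT)
# addresses in both directions.
#
# Hook order: within one hook the mangle table (priority -150) runs before
# the nat table (PREROUTING nat -100, POSTROUTING nat +100), therefore
#   mangle POSTROUTING -o WAN : copied before SNAT      -> internal source (fine)
#   mangle PREROUTING  -i WAN : copied before un-NAT    -> public dst (the problem)
#   mangle FORWARD     -i WAN : runs after nat PREROUTING -> internal dst (the fix)
#   mangle INPUT       -i WAN : same, for packets addressed to the router itself
# Only packets entering or leaving via WAN match, so LAN<->proxy traffic
# is never copied and needs no exclusion rule.
#
# Caveat for the ntop host: the copies keep their original IP destination,
# so that host must not forward them (net.ipv4.ip_forward=0) and should
# just sniff its interface.

WAN_IF="${WAN_IF:-eth0.1}"          # interface name from the thread
NTOP_GW="${NTOP_GW:-192.168.1.7}"   # ntop host from the thread

# The thread's original pair: the inbound copy is taken before un-NAT.
original_rules() {
    wan=$1; gw=$2
    cat <<EOF
iptables -t mangle -A PREROUTING -i $wan -j TEE --gateway $gw
iptables -t mangle -A POSTROUTING -o $wan -j TEE --gateway $gw
EOF
}

# Replacement rules for /etc/firewall.user: copies show internal addresses.
mirror_rules() {
    wan=$1; gw=$2
    cat <<EOF
iptables -t mangle -A FORWARD -i $wan -j TEE --gateway $gw
iptables -t mangle -A INPUT -i $wan -j TEE --gateway $gw
iptables -t mangle -A POSTROUTING -o $wan -j TEE --gateway $gw
EOF
}

# Install the rules. Assumptions: run as root on the router, the xt_TEE
# module is available, and the gateway is on a directly attached subnet
# (TEE hands the copy to that gateway's link-layer address).
apply_rules() {
    mirror_rules "$WAN_IF" "$NTOP_GW" | while read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# "./mirror.sh apply" installs the rules; with no argument it prints them
# so they can be pasted into /etc/firewall.user or reviewed first.
case "${1:-print}" in
    apply) apply_rules ;;
    *)     mirror_rules "$WAN_IF" "$NTOP_GW" ;;
esac
```

Check the result on the router with `iptables -t mangle -L FORWARD -v -n` and a capture on the ntop host: inbound copies should now show the proxy (or LAN client) as destination instead of the router's public address.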