Hello Dominko,

ok, given this specific scenario (the switch that mirrors traffic is in the middle between clients and their default gateway), a packet from the client to the server should be routed as follows:

client -> default gateway:
    SRC IP: client
    DST IP: server
    SRC MAC: client
    DST MAC: default gateway

default gateway -> server:
    SRC IP: client
    DST IP: server
    SRC MAC: default gateway
    DST MAC: server

The vice-versa (i.e. a packet from the server to the client) works similarly. The solution I see is the following: packets to any host in the local network(s) which have the source MAC address of the default gateway are to be filtered out. This should be done as quickly as possible. pmacct has a very fast 1st filtering tier, which is enabled via the 'pcap_filter' configuration directive. A typical tcpdump filtering expression can easily fit our issue. Try adding to your configuration the following line and let me know whether it works:

    pcap_filter: vlan and ((not ether src <router MAC address> and src net <local network(s) class(es)>) or (not src net <local network(s) class(es)>))

Stuff into <> is intended to be substituted by actual data. Both servers and clients classes are intended to be local networks. This might translate into a complication of the above expression:

    pcap_filter: vlan and ((not ether src <router MAC address> and (src net <clients class> or src net <servers class> or src net ...)) or not (src net <clients class> or src net <servers class> or src net ...))

Cheers,
Paolo
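The following Python model is an added example, not part of the original message or of pmacct: it applies the filter's logic (without the `vlan` keyword) to the frames a mirror port would see and sums the bytes that would be accounted. It also shows that the "not local" clause has to negate the whole list of networks, since negating each network and joining the terms with `or` matches every source address. All MAC addresses, networks and packet sizes are constructed, and the packet from outside is assumed to cross the mirrored switch only once.

```python
import ipaddress

# Constructed sample values (assumptions, not from the original message).
ROUTER_MAC = "00:00:5e:00:53:01"
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/25"),    # assumed clients class
              ipaddress.ip_network("192.0.2.128/25")]  # assumed servers class

def src_local(pkt):
    """True when the source IP belongs to any local network."""
    return any(ipaddress.ip_address(pkt["src_ip"]) in n for n in LOCAL_NETS)

def keep(pkt):
    """(not ether src ROUTER and src net LOCAL) or not (src net LOCAL)"""
    return (pkt["src_mac"] != ROUTER_MAC and src_local(pkt)) or not src_local(pkt)

def keep_or_of_negations(pkt):
    """Same first clause; second clause is 'not src net A or not src net B'."""
    ip = ipaddress.ip_address(pkt["src_ip"])
    # With disjoint networks, every address lies outside at least one of them.
    outside = any(ip not in n for n in LOCAL_NETS)
    return (pkt["src_mac"] != ROUTER_MAC and src_local(pkt)) or outside

def mirrored_frames():
    """Frames seen for one request, its reply, and one packet from outside."""
    c_mac, s_mac = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    c_ip, s_ip, ext_ip = "192.0.2.10", "192.0.2.200", "198.51.100.7"
    return [
        {"src_mac": c_mac, "src_ip": c_ip, "length": 100},        # client -> gateway
        {"src_mac": ROUTER_MAC, "src_ip": c_ip, "length": 100},   # gateway -> server (routed copy)
        {"src_mac": s_mac, "src_ip": s_ip, "length": 1500},       # server -> gateway
        {"src_mac": ROUTER_MAC, "src_ip": s_ip, "length": 1500},  # gateway -> client (routed copy)
        {"src_mac": ROUTER_MAC, "src_ip": ext_ip, "length": 60},  # outside -> client, seen once
    ]

def accounted_bytes(predicate):
    """Bytes that would be accounted when only matching frames are captured."""
    return sum(p["length"] for p in mirrored_frames() if predicate(p))

if __name__ == "__main__":
    print("no filter:           ", accounted_bytes(lambda p: True))
    print("filter:              ", accounted_bytes(keep))
    print("or-of-negations form:", accounted_bytes(keep_or_of_negations))
```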
