On 4/9/07, Soner Tari <[EMAIL PROTECTED]> wrote:
> My physical interfaces are already configured and have their own IP addresses. I need to assign different IPs to all 3 cards (LAN, WAN1, WAN2). And here is what I run on the command line to create a bridge interface (to use as a pseudo interface on the snort command line for monitoring):
>
>   ifconfig bridge0 create
>   brconfig bridge0 add vr0 add rl0 add nfe0 up
>
> Am I not supposed to see the traffic on all of the physical interfaces (vr0, fxp0, nfe0) using tcpdump on bridge0? (I've tried with pf disabled too.)
It is my understanding that only one or none may have an IP. Give vr0 or any single iface an IP address. For each other NIC, only activate it using 'up':

  ifconfig vr0 192.168.0.1 netmask 255.255.255.0 up   # this is the primary NIC
  ifconfig rl0 up                                    # this could be what you are missing
  ifconfig nfe0 up
  ifconfig bridge0 create
  brconfig bridge0 add vr0 add rl0 add nfe0 up

Also maybe "ifconfig bridge0 up" -- does 'up' go in brconfig or ifconfig or both? Not sure. At this point, if you tcpdump on vr0, you should see the traffic on rl0 and nfe0 as well. Any endpoint can connect to any NIC and see the same 192.168.0.1 address, and reach any other PC connected to any of the other two NICs. I do this with my router, because the switch ran out of ports :)
> Perhaps this is not possible at all with bridge interfaces? If so, how do I achieve such a monitoring interface? Any comments please?
Does each port on a switch have an IP, for instance? Are you trying to make a transparent bridge? You have three NICs here, and you seem to have no need of an IP address..? You should be able to assign no IP at all to vr0, and accomplish a transparent bridge without pf involved, whereas you can split a cable in half, crimp each end, put them into each NIC, and you can see everything in between. pf can start to block at this point. I know nothing at all about the Snorter... Does it need to bind to an IP? It shouldn't.
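A small shell check, added here and not part of the thread, for the two things the reply asks to verify before blaming the bridge: which member NICs are missing the UP flag, and which members carry an inet address. It parses OpenBSD-style ifconfig output; the sample below is constructed, not captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `ifconfig -a` output (OpenBSD style); rl0 was never
# brought up, which is exactly the case the reply suspects.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        status: no carrier
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
bridge0: flags=41<UP,RUNNING> mtu 1500'

# members_down IFCONFIG_OUTPUT IFACE...
# Prints each named interface whose flags line lacks UP (or that is absent).
# Returns 0 when every member is up, 1 otherwise.
members_down() {
    _out=$1; shift
    _rc=0
    for _if in "$@"; do
        # Pull the text between <...> on the "<if>: flags=" line.
        _flags=$(printf '%s\n' "$_out" | sed -n "s/^$_if: flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p")
        case ",$_flags," in
            *,UP,*) ;;                    # interface is up
            *) echo "$_if"; _rc=1 ;;      # down or not present
        esac
    done
    return $_rc
}

# members_with_inet IFCONFIG_OUTPUT IFACE...
# Prints each named interface that has an "inet" line under its heading,
# so you can see how many bridge members carry an address.
members_with_inet() {
    _out=$1; shift
    _want=$(printf ' %s ' "$@")
    printf '%s\n' "$_out" | awk -v want="$_want" '
        /^[a-z]+[0-9]+: / { cur = substr($1, 1, length($1) - 1); next }
        $1 == "inet" && index(want, " " cur " ") { print cur }'
}

# Stand-alone run on the constructed sample.
if members_down "$SAMPLE_IFCONFIG" vr0 rl0 nfe0; then
    echo "all bridge members are up"
else
    echo "the members listed above are not up: run 'ifconfig <if> up' on each"
fi
echo "members with an inet address: $(members_with_inet "$SAMPLE_IFCONFIG" vr0 rl0 nfe0 | tr '\n' ' ')"
```

On a real box replace SAMPLE_IFCONFIG with `"$(ifconfig -a)"` and pass the members you handed to brconfig.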

