I have two output mirror interfaces, eth10 and eth11, and I only want DNS traffic (port 53) to pass and TCP traffic to be dropped. But it is not working. Do you know if the firewall works on mirror interfaces?
vyos@vyos# show firewall name mirror-dest
default-action drop
rule 1 {
action accept
destination {
port 53
}
protocol udp
}
rule 2 {
action reject
protocol tcp
}
[edit]
vyos@vyos# show firewall name mirror-orig
default-action drop
rule 1 {
action reject
protocol tcp
}
rule 2 {
action accept
protocol udp
source {
port 53
}
}
[edit]
vyos@vyos# show firewall interface ethernet eth11
Configuration path: firewall [interface] is not valid
Show failed
[edit]
vyos@vyos# show interface ethernet eth11
address 10.51.241.21/28
duplex auto
firewall {
in {
name mirror-orig
}
local {
name mirror-orig
}
out {
name mirror-orig
}
}
I am mirroring eth12 on eth10, and eth10 on eth11:
vyos@vyos# show interfaces ethernet eth10
address 10.51.241.5/28
duplex auto
firewall {
in {
name mirror-dest
}
local {
name mirror-dest
}
out {
name mirror-dest
}
}
hw-id 52:54:00:21:ca:32
mirror eth11
smp_affinity auto
speed auto
[edit]
vyos@vyos# show interfaces ethernet eth11
address 10.51.241.21/28
duplex auto
firewall {
in {
name mirror-orig
}
local {
name mirror-orig
}
out {
name mirror-orig
}
}
hw-id 52:54:00:dd:3c:33
smp_affinity auto
speed auto
[edit]
I am trying to pass only DNS (UDP port 53) traffic through eth10 and eth11.
Under the hood you are starting two captures using tshark; this takes all inbound traffic on one interface and sends it out on the other. This traffic will not pass through the iptables chains on the output interface.
Perhaps you could use a tshark capture filter to achieve what you want.
Is this for debugging, or is it more permanent monitoring of DNS traffic? I would probably use port mirroring on a switch interface and have a network monitoring probe capture and analyse the DNS traffic in a permanent monitoring solution.
For debugging I just start a capture with capture filters. For deeper analysis of a packet trace I use Wireshark to open the trace. Permanently running two packet traces on your router will impact your performance.
I assume the mechanism is some packet capture process and not the creation of a bridge between the interfaces. On your router with this configuration you could just check whether any bridge interfaces have been created, and use ps to find whether any capture processes have been started.
I have not used this feature, so I’m just guessing…
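Since mirrored frames never traverse the iptables chains of the output interface, any "DNS only" filtering has to happen in the capture process itself, which is what a capture filter does. The following is an added example, not code from VyOS or from anyone in this thread: a small user-space classifier in plain Python that implements the same decision as the tshark capture filter `udp port 53` over constructed Ethernet II / IPv4 frames. It assumes untagged Ethernet II frames (no VLAN tag), does not validate IP or L4 checksums, and the MAC and IP addresses in `build_frame` are sample values (the IPs are taken from the thread's interface configuration) used only to build test frames.

```python
import struct

# Constructed example: a user-space classifier equivalent to the tshark
# capture filter "udp port 53". Mirrored traffic bypasses the iptables
# chains on the output interface, so filtering must be done at capture time.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
PROTO_UDP = 17
DNS_PORT = 53


def parse_frame(frame: bytes):
    """Return (ip_proto, src_port, dst_port) for an Ethernet II / IPv4 frame.

    Ports are None for protocols other than TCP/UDP. Returns None when the
    frame is not IPv4 or is too short to carry the headers we need.
    """
    if len(frame) < 14 + 20:                      # Ethernet + minimal IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:                           # IP version nibble
        return None
    ihl = (ip[0] & 0x0F) * 4                      # header length incl. options
    proto = ip[9]
    if ihl < 20 or len(ip) < ihl:
        return None
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return (proto, None, None)
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (proto, src_port, dst_port)


def dns_only(frame: bytes) -> bool:
    """Same decision as the capture filter 'udp port 53': keep UDP frames with
    53 as source or destination port (queries and replies); drop everything
    else, TCP included."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    proto, src_port, dst_port = parsed
    return proto == PROTO_UDP and DNS_PORT in (src_port, dst_port)


def filter_mirror(frames):
    """Apply dns_only to a sequence of mirrored frames; return the kept ones."""
    return [f for f in frames if dns_only(f)]


def build_frame(proto: int, src_port: int, dst_port: int,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Construct a minimal test frame (sample data, not a real capture)."""
    eth = (b"\x02\x00\x00\x00\x00\x01"            # constructed src MAC
           + b"\x02\x00\x00\x00\x00\x02"          # constructed dst MAC
           + struct.pack("!H", ethertype))
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 28                 # e.g. an ARP body; contents irrelevant here
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    elif proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:
        l4 = b""                                  # e.g. ICMP: no ports
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 51, 241, 5]), bytes([10, 51, 241, 21]))  # checksum left 0: not validated
    return eth + ip + l4


if __name__ == "__main__":
    sample = [build_frame(PROTO_UDP, 40000, 53),      # DNS query: kept
              build_frame(PROTO_UDP, 53, 40000),      # DNS reply: kept
              build_frame(PROTO_TCP, 40000, 80),      # HTTP: dropped
              build_frame(PROTO_TCP, 40000, 53)]      # DNS over TCP: dropped by this filter
    print(len(filter_mirror(sample)), "of", len(sample), "frames kept")
```

The same classification applied to a live interface is tshark's `-f "udp port 53"` capture filter; note that it also drops DNS over TCP (port 53/tcp), which matches what the original ruleset asked for but is worth stating explicitly when the downstream system expects zone transfers or large responses.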
This is not for debugging; it is for implementing a piece of functionality. We need to pass only DNS traffic, not HTTP traffic, to a system. It is for the implementation of a use case in our scenario.
It seems there are no tshark/wireshark processes or bridges created.
vyos@vyos:~$ sudo ps aux | grep -i wire
vyos 5368 0.0 0.1 6080 576 pts/1 S+ 13:59 0:00 grep -i wire
vyos@vyos:~$ sudo ps aux | grep -i tsh
vyos 5371 0.0 0.1 6080 576 pts/1 S+ 13:59 0:00 grep -i tsh
vyos@vyos:~$ sudo ps aux | grep -i sha
vyos 5374 0.0 0.1 6080 572 pts/1 S+ 13:59 0:00 grep -i sha
vyos@vyos:~$ sudo brctl show
bridge name bridge id STP enabled interfaces