pfSense SPAN port setup for Security Onion sensor

Hi guys,

Forgive me if this has been asked already but I can’t find what I’m looking for. I’m also a network novice. I’ve read the Bridging section of the pfSense docs but I can’t fully comprehend it.

I have an SG-2100 set up as a gateway router for my network. It gets its WAN address from a separate firewall. The WAN uses a private 10.x.x.x IP, as do its LANs. Connected to its four ports are:

LAN 1 - WAN on internal subnet SG-1100
  LAN on internal subnet SG-1100 is connected to a UniFi 24-port layer 2/3 switch
  The router uses the default VLANs (not my idea)
LAN 2 - WAN on DMZ SG-1100
LAN 3 - Empty
LAN 4 - Connected to the SPAN port NIC on my Security Onion sensor

We have multiple VPNs connected to the internal subnet router (not the gateway router). I need to monitor traffic on the internal subnet and all VPNs. I believe I need to create a bridge on the internal subnet to do that. What I’m confused about is which interface to use as the member and which to use as the SPAN. Do I use the WAN as a member and LAN as the SPAN, or vice versa? Once I have the bridge set up as an interface, how do I tell it to use LAN port 4?

Thanks in advance for your guidance.

I never use pfSense as a port tap; I use a switch. The UniFi Switch Flex Mini is inexpensive, does a good job of this, and it’s been one of my favorite use cases.

Thanks, Tom. I will do that. I think I understand how. If my gateway LAN is plugged into a port on my switch (I have a USW-24-Pro), I can mirror that port using another port on the switch, right? I plug my Security Onion sensor’s SPAN NIC into, let’s say, port 24 and then mirror port 1, or whichever is connected to the gateway, to port 24. Is that right?

Yes, that will work.
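Once the switch mirror is in place (gateway port mirrored to the sensor port, as described above), the part people usually skip is confirming on the sensor side that the SPAN NIC is actually receiving the mirrored frames. The script below is an added example, not from this thread or from Security Onion; it assumes a Linux sensor where the SPAN NIC is named `eth1` (set `SPAN_IF` to match yours) and checks three things: the NIC is UP and in promiscuous mode, it carries no IPv4 address so the sensor never answers on the monitored segment, and its receive counter is moving.

```shell
#!/bin/sh
# Added example (not the thread's or Security Onion's own tooling):
# sanity checks for a sensor's SPAN NIC after a switch port mirror is set up.
# The interface name is an assumption; override with SPAN_IF=<name>.
SPAN_IF="${SPAN_IF:-eth1}"

# Return 0 when one line of `ip -o link show <if>` output shows the NIC
# both UP and PROMISC. Without promiscuous mode the NIC silently drops
# frames not addressed to it, which is nearly all mirrored traffic.
span_flags_ok() {
  case "$1" in
    *PROMISC*,UP[,\>]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the NIC has no IPv4 address. $1 is the output of
# `ip -o -4 addr show <if>`, which is empty when nothing is assigned.
span_has_no_ip() {
  [ -z "$1" ]
}

# Print the packets received between two rx_packets counter readings.
rx_delta() {
  echo $(( $2 - $1 ))
}

# Live check: sample the sysfs receive counter twice, 5 seconds apart,
# then verify link flags and addressing. Returns 0 only if traffic arrived.
check_span_nic() {
  stats="/sys/class/net/$SPAN_IF/statistics/rx_packets"
  if [ ! -r "$stats" ]; then
    echo "no such interface: $SPAN_IF"
    return 1
  fi
  before=$(cat "$stats")
  sleep 5
  after=$(cat "$stats")
  delta=$(rx_delta "$before" "$after")
  echo "$SPAN_IF received $delta packets in 5s"

  link=$(ip -o link show "$SPAN_IF")
  span_flags_ok "$link" || echo "warning: $SPAN_IF is not UP+PROMISC: $link"
  span_has_no_ip "$(ip -o -4 addr show "$SPAN_IF")" \
    || echo "warning: $SPAN_IF has an IPv4 address; a sniffing NIC should not"

  [ "$delta" -gt 0 ]
}

# Only run the live check when the interface exists, so the helper
# functions can be sourced on a machine without it.
[ -d "/sys/class/net/$SPAN_IF" ] && check_span_nic
```

A zero packet delta with the flags correct almost always means the mirror session on the switch is pointing at the wrong source port or is not enabled; a non-zero delta with an address assigned means the sensor is reachable from the monitored network and should be fixed before trusting it as a passive tap.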

Great. Thanks for your help!