Q: How to make a 10G LACP port mirror for trunk?

I currently have a core pfSense “router on a stick”, where all VLANs are tagged on 1 physical interface connected to my core switch. The VLANs show as sub-interfaces in pfSense, each having their own name.

In the future I want to replace my router hardware with something that has 4x SFP+. I would like to use 2 SFP+ interfaces in LACP bonding, still as a “router on a stick”, both connected to 2 SFP+ ports on my core switch.

So far I can see how I can do this router-on-a-stick upgrade.

My question is how I would go about making a mirror of the virtual LACP port on pfSense and sending it out via the other 2 SFP+ interfaces to a separate machine with 2 SFP+ ports running a Security Onion sensor.

Has someone done this before and did it work well?
Would an N305 be capable of doing this?

BTW, other approaches that I have dismissed are:

  • using a physical TAP device: TAPs for 10G, replicating 2 ports would be pricey
  • my switching fabric is based on Unifi switches, including one US XG 16 for 10Gbps; all my Unifi switches can mirror at most 1 port, not 2 ports.

@LTS_Tom I have seen your Security Onion video. Nicely done! I have run Security Onion for a while, and while the basic setup and usage is well documented, information on more advanced setups is very hard to find. I guess this is also intentional on the side of the SO folks, as they do consulting for more advanced setups for companies.

Maybe this would be a topic for a future video: how to mirror ports (also more advanced configurations, as described in the initial post) in pfSense and send that traffic to a SO sensor machine.

Yes, I have seen the bridging videos and how to run Suricata right on pfSense. When using SO, however, this is not what one wants, not even to run both Suricata and Zeek on pfSense. You’d rather want to run the SO sensor separately so that you benefit from the central Suricata rule tuning in the SOC.

I have not tried to set up a port mirror with LACP, but a quick Google search makes me think it’s not likely to work with most switches.

@LTS_Tom I am talking about a port mirror on pfSense (using bridging) - not about hardware switches.