Security Onion does not get traffic from pfSense SPAN port

Hello everyone,

I’m making my first networking project. It is a network that simulates an enterprise network on an ESXi host. The topology is as follows:

Everything is set up and working correctly. The pfSense works as a gateway for the three subnets and one of the ports facing the Security Onion server is a SPAN that redirects traffic from the WAN, LAN and DMZ. What I want to do now is to see the traffic of the subnets in the form of logs in Security Onion, but for now I can only see the traffic generated by the tcpreplay. In the configuration I have, what traffic should I see? Is it possible?

I am not clear on the goal. You want to see the traffic between hosts on a given subnet?

I want Security Onion to get all traffic and show alerts for any possible dangerous activity occurring in the DMZ or LAN. It doesn’t matter where the traffic is coming from or going to.

You would need a SPAN port for each physical interface.
