How to pass all traffic through to a VM

[Patrick M. Hausen]

So if this "Onion" thingy is some sort of IDS, you would IMHO need to make sure, traffic passes through it. Enforce that by topology.

E.g.

Internet Router --- one interface --- Onion --- second interface --- switch --> all your other devices.

Then with the bridging setup I suggested and the Onion bridging, too, you will see all the traffic. If the decice is connected via only one "leg" there is no reason for it to receive everything in the first place unless the switch copies every frame and forwards it to the monitor port.

But this is not FreeNAS specific but how IP and Ethernet work ...

HTH now,
Patrick

P.S. in the above setup it will still not catch traffic from one of your internal devices to another one. Only frames that go out or come in via your router.

 

[amlamarra]

I described the situation in my first post, it's for my Security Onion VM. Which, if you're not familiar with it, is an Ubuntu-based distro for network security monitoring (e.g. an intrusion detection system). The one interface I'm using for monitoring is connected to a managed switch that's configured to mirror all traffic that goes through it to go to this one port. I've done this before on a machine that was dedicated for Security Onion. I'm just trying to save power by using it as a VM and not on dedicated hardware.

In one of my previous posts, I stated that I got the passthru to work, I just need to know how to get the GUI to apply the passthru device to this VM.

 

[Patrick M. Hausen]

Try ifconfig em2 promisc; ifconfig bridge2 promisc, then ... with the bridge/virtio config. If that works, you can do it in the UI.

 

[amlamarra]

Try ifconfig em2 promisc; ifconfig bridge2 promisc, then ... with the bridge/virtio config. If that works, you can do it in the UI.

Tried it, same results.

 

[Patrick M. Hausen]

Inside VM, promisc active, too?

 

[amlamarra]

Inside VM, promisc active, too?

Yup. And again, the VM sees the traffic (w/promisc) when using PCI passthru.

 

[Patrick M. Hausen]

Then define your VM, set it not to boot automatically. Then use a post-startup script to start bhyve the way you like.

 

[amlamarra]

I'll probably have to do that. Though I'll miss having the GUI to tell me which VMs are running. However, there's multiple ways to execute a script after boot. Which do you think would be best? /etc/rc.conf?

 

[KevDog]

Honestly -- I'm so used to the systemd way now ---- another topic.

BSD way -- yeah I think you could try rc.conf or you could make a root crontab with time of @boot https://www.cyberciti.biz/faq/linux-execute-cron-job-after-system-reboot/. You could possibly use /usr/local/etc/rc.d as well

OR in the web GUI (not sure if youre on 11.2/11.3) but under Tasks->Init/Shutdown Scripts -- you could make a reference to it there as well.

 

[Patrick M. Hausen]

I'll probably have to do that. Though I'll miss having the GUI to tell me which VMs are running. However, there's multiple ways to execute a script after boot. Which do you think would be best? /etc/rc.conf?

No! Don't mess with the base system. There's a section in the Tasks menu precisely for that! Put the script somewhere on your ZFS pool, e.g. I have /mnt/hdd/scripts, and activate it as a post-start task.

That's why I suggested creating your VM in the UI, set autostart to disabled and start it via script. I am not 100% sure but the UI probably will show it as running, if you start it with the name matching ...

And if all of that finally works, why not file a feature request to introduce an "auxiliary parameters" field for VMs? ;)

Patrick

 

[amlamarra]

Thank you, I'll try doing that.

I did a search and it seems this feature was requested a while ago: https://jira.ixsystems.com/browse/NAS-100045

I added my own comment, though it doesn't seem like there's a lot of people that need this. :(