Feature #7029

GRE interfaces not available as SPAN port

Added by Adam C over 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Interfaces
Target version: -
Start date: 12/21/2016
Due date:
% Done: 0%
Estimated time:

Description

GRE interfaces are removed from all bridge port lists. It is valid to select a GRE port as a SPAN port destination (see Cisco ERSPAN). The issue is in the following file:

https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/interfaces_bridge_edit.php#L63

History

#1 Updated by Jim Pingle over 3 years ago

It may be valid on Cisco but does it actually function on FreeBSD? That would be the real question. GRE doesn't handle L2 which usually means it wouldn't be viable as a bridge member.

#2 Updated by Jim Thompson over 3 years ago

  • Tracker changed from Bug to Feature

#3 Updated by Idar Lund about 2 years ago

Any news on this one? In our virtualized world, it would be awesome to be able to forward a copy of traffic over L3. Especially since a lot of network equipment is also being virtualized. Suricata also has the ability to read these packets. https://github.com/OISF/suricata/blob/master/src/decode-erspan.c and https://github.com/OISF/suricata/blob/master/src/decode-gre.c

With IDS sensors or other packet captures that are virtualized and behind several layers of virtualized network equipment, it's almost impossible to forward traffic to the sensor without using L3.

I know this is a question from just one person, but it shows that more people are wanting/needing this feature: https://forum.netgate.com/topic/113151/does-pfsense-support-cisco-erspan.

So please look into this feature request.

#4 Updated by Jim Pingle about 2 years ago

  • Status changed from New to Closed

As far as I can tell, FreeBSD doesn't support it. If you want ERSPAN support for FreeBSD GRE interfaces, the issue needs to be taken upstream.

#5 Updated by Idar Lund about 2 years ago

Jim Pingle wrote:

As far as I can tell, FreeBSD doesn't support it. If you want ERSPAN support for FreeBSD GRE interfaces, the issue needs to be taken upstream.

If I understand correctly, neither FreeBSD nor pfsense needs to support ERSPAN. What we want pfsense to do is to SPAN traffic over a GRE tunnel. That way the receiving end will need to decode the traffic. Most of the receiving applications such as Suricata do support decoding of both ERSPAN (which is Cisco proprietary) and GRE encapsulated traffic.

#6 Updated by Jim Pingle about 2 years ago

It's not that easy either; FreeBSD will not allow you to add a GRE interface as a span port:

: ifconfig bridge0 span gre0
ifconfig: BRDGADDS gre0: Invalid argument

Most likely this is because GRE interfaces do not carry layer 2 information, which is why it needs a feature like ERSPAN to encapsulate it across GRE.

It isn't viable until it is implemented upstream. Replicate and raise the feature request directly with FreeBSD.

You can add a GIF interface as a span port as it can carry L2 information to a remote destination, but it may or may not be in a format you want/need. That isn't related to GRE, however.
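The distinction discussed in comments #5 and #6, as an added example that is not part of the original thread and is not pfSense, FreeBSD or Suricata code: a small Python decoder of the kind a sensor needs on the receiving end, showing that a plain GRE payload (protocol 0x0800) has no Ethernet header while an ERSPAN Type II payload (protocol 0x88BE with a sequence number) carries the mirrored L2 frame. Header layouts follow RFC 2784/2890 and the ERSPAN Type II format; the function names and both sample packets are constructed for illustration.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # RFC 2784/2890 flag bits
PROTO_IPV4 = 0x0800    # payload is a bare IPv4 packet, no Ethernet header
PROTO_TEB = 0x6558     # Transparent Ethernet Bridging: whole Ethernet frame
PROTO_ERSPAN = 0x88BE  # ERSPAN Type I/II: mirrored Ethernet frame

def parse_gre(buf):
    """Parse a GRE header (outer IP header already removed)."""
    try:
        flags, proto = struct.unpack_from("!HH", buf, 0)
        if flags & 0x0007:
            raise ValueError("not GRE version 0")
        info, off = {"proto": proto, "key": None, "seq": None}, 4
        if flags & GRE_C:
            off += 4  # checksum + reserved word, not verified here
        for bit, name in ((GRE_K, "key"), (GRE_S, "seq")):
            if flags & bit:
                info[name] = struct.unpack_from("!I", buf, off)[0]
                off += 4
    except struct.error:
        raise ValueError("truncated GRE header") from None
    if off > len(buf):
        raise ValueError("truncated GRE header")
    return info, buf[off:]

def decode_mirror(buf):
    """Return GRE/ERSPAN fields and, if present, the inner L2 addresses."""
    info, payload = parse_gre(buf)
    try:
        if info["proto"] == PROTO_ERSPAN and info["seq"] is not None:
            # Type II: an 8-byte ERSPAN header precedes the mirrored frame
            w0, w1 = struct.unpack_from("!II", payload, 0)
            info.update(version=w0 >> 28, vlan=(w0 >> 16) & 0xFFF,
                        session=w0 & 0x3FF, index=w1 & 0xFFFFF)
            payload = payload[8:]
        info["has_l2"] = info["proto"] in (PROTO_ERSPAN, PROTO_TEB)
        if info["has_l2"]:
            dst, src, etype = struct.unpack_from("!6s6sH", payload, 0)
            info.update(dst_mac=dst.hex(":"), src_mac=src.hex(":"),
                        ethertype=etype)
    except struct.error:
        raise ValueError("truncated mirrored frame") from None
    return info

# Constructed sample data: one Ethernet frame wrapping a dummy IPv4 header
_FRAME = bytes.fromhex("00112233445566778899aabb0800") + b"\x45" + bytes(19)
SAMPLE_ERSPAN2 = struct.pack("!HHIII", GRE_S, PROTO_ERSPAN, 7,
                             (1 << 28) | (100 << 16) | 42, 3) + _FRAME
SAMPLE_PLAIN_GRE = struct.pack("!HH", 0, PROTO_IPV4) + _FRAME[14:]

if __name__ == "__main__":
    print(decode_mirror(SAMPLE_ERSPAN2))
    print(decode_mirror(SAMPLE_PLAIN_GRE))
```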
