I currently have a home lab set up in the meterkast (the circuit breaker panel cupboard – every Dutch house has one. Electricity meter, water meter, breaker panel, gas meter, it’s all in there.). The home lab consists of an Intel i5 NUC that runs Proxmox, an awesome virtualization platform similar to VMware’s ESX but open source and free for private use. Currently, I have the following components running on it:
- A MISP server for sharing threat information.
- Pihole, for blocking ads network wide.
- PiVPN, you guessed it, a VPN server.
Some of them are run as a container, some as a VM. Note that you see some Raspberry Pi based projects. I like them because they come pretty self-contained and are ideal to run in containers without too much hassle. As long as you don’t just pipe the install script to
bash, and actually understand what they’re doing, these projects are an awesome and quick way to get stuff up and running. Using dockers for projects like this would probably work just as well, but they are even less transparent and this would also mean having to run a VM that runs Docker that runs Docker containers. Virtualizationception.
I also used to have the Unifi wifi controller running on a container but since my last reinstall I did not rebuild it yet.
Now for the …
I want to experiment a bit with network monitoring using Security Onion. To that end I’d like to have a port mirror running into a Security Onion machine. That way I should be able to check traffic from the Unifi acces point and its clients.
So my next steps are as follows:
- Find a way to get a port mirror into my NUC.
Find a switch that would support this. I’ve bought a NetGear GS108E managed switch on a Black Friday deal.
- Configure the switch.
- Get a port mirror into the NUC using a USB-C/Ethernet converter.
- Get Security Onion up and running.
- Install it on a container.
- Get the port mirror configured.
The Netgear switch
When I first got the Netgear switch, I plugged it into my existing network. It got a DHCP adress; I made it static, and I accessed the web interface to configure a port mirror. That seems to have worked – unplug it, walk downstairs, hook it up in the meterkast, replacing an existing 5 port switch.
After that, all connected devices function, but I cannot reach it over the IP that I bound to it. According to the Netgear mgmt tool, it defaulted to its hardcoded address at 192.168.0.239 – a different subnet. For now that should be fine, let’s find out later if the span port works.
The port that was configured as port mirror destination has been attached to the NUC running Proxmox through a USB-C converter. I didn’t think to check beforehand what the interfaces currently existing are called, so I had to take a guess when creating a new virtual bridge. It’s called
vmbr1 and it’s attached to
enx00e04c3602fe. I think device names like that are usually attached to USB type network adapters.
I have two NICs,
ens18 has received an IP address, that should be the management interface I suppose.
After setup, it seems that the span port is not functioning. For now, I’ll have to check if the USB/Ethernet adapter works correctly on the Proxmox server first. A
tcpdump of interface
enx00e04c3602fe tells me that indeed, traffic is mirrored to it. Huzzah! That part is working. Now, apparently, I did not succesfully configure that on the Proxmox → Onion VM side.
tcpdump on the
ens19 interface shows way less traffic – only ARP stuff. Some googling around finds me someone with the exact same problem. Per some of the posts on the Proxmox forums I’ve added the following line to the
vmbr1 interface config in
so the total becomes:
auto vmbr1 iface vmbr1 inet manual bridge-ports enx00e04c3602fe bridge-stp off bridge-fd 0 bridge_ageing 0
Some up-and-downing of the interface made that work.
Now we have Security Onion up and running!! Next step; make the webinterface available externally.
- Apparently there is a MISP integration; let’s try that.
- Find out how NIDS alerts (Elastalerts) can be closed.
- Make the webinterface externally reachable.