Enabling Port mirroring Asus RT-AC66U

[jjulez]

Anyone know how this is done, need port mirroring so i can run a filtering program.

 

[mattiL]

Anyone know how this is done, need port mirroring so i can run a filtering program.

Maybe this works:
http://darrelsbrain.blogspot.se/2013/01/how-to-enable-mirroring-on-asus-rt-n66u.html

 

[dualm]

Anyone know how this is done, need port mirroring so i can run a filtering program.

I have used those lines ( <ip> is the receiver of the mirrored traffic ):
# iptables -A PREROUTING -t mangle -j ROUTE --gw <ip> --tee
# iptables -A POSTROUTING -t mangle -j ROUTE --gw <ip> --tee

And to turn off (or a reboot):
# iptables -F -t mangle

Tested on: 378.50 / AC66U

 

[jjulez]

Thanks to all, will upgrade to 378.50

 

[Mark71]

Am i missing something? I have the latest merlin firmware and this doesnt work for me. Thanks

 

[ComputerMentor]

Am i missing something? I have the latest merlin firmware and this doesnt work for me. Thanks

Ive created a guide and a YouTube video demonstrating it. Report back if it still dont work

https://computermentor.net/guides/guides/asus-port-mirror.php

 

[Mark71]

thanks, I have tried this again and it doesn't work. I do have the RT-AC68U and not the RT-AC66U. Could this be the problem?

Cheers
Mark

 

[ComputerMentor]

Doubt it. How do you test if it work? Maybe it is your testing method. Have DMZ turned on? Turn it off

 

[Hank Barta]

Hi folks,
I have a question about this. Does this mirror all traffic through the router to the destination? (Hmmm... I hope that traffic to the destination doesn't get resent to the destination or it seems like it would result in an avalanche.)

My intended use is to monitor traffic to an IoT device (Orvibo S20.) The other strategy I can think of is to use a spare WiFi AP and insert a Wireshark tap between the spare AP and my primary router (RT-AC68W.) The spare AP would have NAT and DHCP disabled so they would forward to the primary router and I could easily identify the traffic to/from the S20. (I'm sure there is a proper term for this mode of operation but since I'm not certain I know the terminology I'll just describe it. ) This alternate setup would also have a lot less traffic to filter out.

I have the S20 blocked from Internet access in the primary router as I only use local commands to operate it. I'm pretty sure that it would connect to a cloud server from time to time in order to support control from remote devices. I wonder what else it might do that would expose my network to a security breach.

Thanks!

 

[Nullity]

Hi folks,
I have a question about this. Does this mirror all traffic through the router to the destination? (Hmmm... I hope that traffic to the destination doesn't get resent to the destination or it seems like it would result in an avalanche.)

My intended use is to monitor traffic to an IoT device (Orvibo S20.) The other strategy I can think of is to use a spare WiFi AP and insert a Wireshark tap between the spare AP and my primary router (RT-AC68W.) The spare AP would have NAT and DHCP disabled so they would forward to the primary router and I could easily identify the traffic to/from the S20. (I'm sure there is a proper term for this mode of operation but since I'm not certain I know the terminology I'll just describe it. ) This alternate setup would also have a lot less traffic to filter out.

I have the S20 blocked from Internet access in the primary router as I only use local commands to operate it. I'm pretty sure that it would connect to a cloud server from time to time in order to support control from remote devices. I wonder what else it might do that would expose my network to a security breach.

Thanks!

For monitoring a single host, why not use tcpdump? tcpdump is very easy to install with entware.

You could either keep a log on the AsusWRT device or you could export a pcap file and view it on your PC with Wireshark. You can even stream the tcpdump pcap file in real-time to Wireshark but you'd need to find a tutorial because I've forgotten the details.

 

[Hank Barta]

For monitoring a single host, why not use tcpdump? tcpdump is very easy to install with entware.

Thanks for the tip. I suppose the only "why not?" is that I was not aware of that (but I'm keen to learn) and I'd have to upgrade to Merlin firmware which seems like not a bad thing.

thanks,
hank

 

[ColinTaylor]

I have a question about this. Does this mirror all traffic through the router to the destination? (Hmmm... I hope that traffic to the destination doesn't get resent to the destination or it seems like it would result in an avalanche.)

As posted it will mirror all traffic. But you can specify -s or -d parameters to limit it to a particular source or destination.

 

[miazza]

Hello guys, first of all let me say hello to everybody for my first post in this forum.

I resume this very old discussion because I would like to know if this feature about port mirroring is still available in latest Merlin releases.

I'm ready to buy an RT-AC88U but I'm not sure this function is supported on latest FW.

Thanks to all.

 

[L&LD]

Hello guys, first of all let me say hello to everybody for my first post in this forum.

I resume this very old discussion because I would like to know if this feature about port mirroring is still available in latest Merlin releases.

I'm ready to buy an RT-AC88U but I'm not sure this function is supported on latest FW.

Thanks to all.

Welcome to the forums!

From my quick read, it seems like it should.

https://computermentor.net/guides/guides/asus-port-mirror.php

 

[ColinTaylor]

The command has changed slightly because of the newer versions of iptables, but the principle is still the same.

https://www.snbforums.com/threads/h...es-ac86u-384-8-alpha.49580/page-2#post-442729

So you'd use something like this:

modprobe xt_TEE
iptables -t mangle -A PREROUTING  -s 192.168.1.99 -j TEE --gateway 192.168.1.238
iptables -t mangle -A POSTROUTING -d 192.168.1.99 -j TEE --gateway 192.168.1.238

 

[martinr]

Hello guys, first of all let me say hello to everybody for my first post in this forum.

I resume this very old discussion because I would like to know if this feature about port mirroring is still available in latest Merlin releases.

I'm ready to buy an RT-AC88U but I'm not sure this function is supported on latest FW.

Thanks to all.

To “mirror” L&LD, welcome! And thanks: I’d never heard of port mirroring until today. Assuming the router supports it, how do you plan to use it and why do you want to do this?

 

[miazza]

Thank you for your quick reply.
Will this work on all ASUS devices supported by Merlin FW ?

I want to Trash my ISP (FTTH 1Gbit) Vodafone Station Revolution and substitute it with a good reliable ASUS Router and I am really puzzled in which one to chose.

I need port mirroring in order to wireshark the traffic from ONT to router ....

 

[ColinTaylor]

Will this work on all ASUS devices supported by Merlin FW ?

"TEE" was added by Merlin back in November.

I need port mirroring in order to wireshark the traffic from ONT to router ....

Bear in mind that this isn't "real" port mirroring. It's only duplicating packets that are routed through the router. If you want to capture packets destined for the router itself you would be better off installing Entware and the tcpdump package.

 

[Grisu]

I want to Trash my ISP (FTTH 1Gbit) Vodafone Station Revolution and substitute it with a good reliable ASUS Router and I am really puzzled in which one to chose.

maybe an RT-AC86U would be the better and cheaper choice with newer and faster hardware.

 

[miazza]

Yes Grisu, thank you for the suggestion. May be this is a good compromise between AC87U or AC88U.
I'm not using it for gaming and it will be mostly dedicated to home use:
- TV streaming
- NAS
- WiFi on Laptop, Mobile and Tablet
- Alexa