Setup Port Mirroring and VLANs at Home- Managed Switch

Published: May 2, 2020

A switch capable of port mirroring and VLAN tagging is an essential purchase for every home lab. For your home IDS to work, you’ll need to mirror the network traffic traversing the switch to a dedicated port. This switch port should be connected to a NIC dedicated as the sniffing interface for your IDS. In future tutorials, I’ll show you how to set up Security Onion as an IDS and analyze this traffic.

Based on the first article in the series (Home Router- DMZ/Transparent Mode), we’ve already configured our ISP’s router for DMZplus mode. All traffic inbound for our public IP is being sent to the WAN port of a Sophos FW.

In this article, I’ll review the setup of my Netgear ProSafe Plus 8 port managed switch. I’ll also set up 2 VLANs on the switch, one for internal traffic and the other for DMZ traffic, and review setting up the DMZ network on my Sophos firewall.

Make sure any port of the Netgear switch is connected to the internal LAN port of the firewall.
In my example, I’ve connected port 1 of my Netgear switch to the LAN port of my Sophos FW.

Connect the main NIC of your machine to port 2 of the Netgear switch.

Connect port 8 (any port can be configured as the mirror destination) to a secondary NIC on your computer. This switch port will mirror all the traffic that traverses the switch and send it to the connected NIC for sniffing and analysis.

Log in to your managed switch. In my case, this is the 8 port Netgear ProSAFE Plus switch.

[Screenshot: NETGEAR GS108Ev3 - 8-Port Gigabit ProSAFE Plus Switch login page (Password / Login)]

After logging in, go to System -> Monitoring.

[Screenshot: System -> Monitoring menu with Port Statistics, Mirroring and Cable Tester entries; the Port Statistics page is shown]

Then click on “Mirroring”

[Screenshot: System -> Monitoring menu with Mirroring selected]

Make sure ports 1-7 are checked, mirroring is “Enabled” and Destination Port is set to “8”.

[Screenshot: Port Mirroring Configuration page with Source Port, Mirroring and Destination Port fields]

Click Apply to save the settings.


While we’re in the switch, I recommend setting up an additional VLAN. My Sophos FW has an additional NIC labeled “DMZ,” which allows us to segment traffic from my internal network. You need a separate firewall NIC to replicate this setup, but setting up a DMZ is a recommended best practice.

Click on VLAN -> 802.1Q -> Advanced -> VLAN Configuration.

[Screenshot: VLAN menu with Port Based and 802.1Q (Basic / Advanced) options; Advanced 802.1Q -> VLAN Configuration selected]

Enable Advanced 802.1Q VLAN

[Screenshot: Advanced 802.1Q VLAN Status set to Enable]

Add a new VLAN ID.

[Screenshot: VLAN ID table with Delete and Add buttons]

Set ports 6 & 7 to VLAN ID 2; we’ll use these for our home DMZ.

[Screenshot: VLAN Identifier Setting, VLAN ID 2 with Port Members 6 and 7]

VLAN Membership: set ports 1-6 & 8 as untagged under VLAN ID 1.

[Screenshot: VLAN Membership page for VLAN ID 1]

VLAN ID 2 has ports 6 & 7 selected as untagged.

[Screenshot: VLAN Membership page for VLAN ID 2]

PVID Configuration

[Screenshot: PVID Configuration table listing each port and its PVID]
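As an added check (a constructed example, not code from this article, Netgear or Sophos), the following Python models the switch plan described above and flags the slips that quietly undo the segmentation or blind the IDS: a port left untagged in both VLANs, a PVID pointing at a VLAN the port is not a member of, a mirror destination that is also a mirror source, or a DMZ port that is not mirrored. The port numbers and VLAN membership it uses are assumptions modelled on this article's layout.

```python
"""Consistency checks for an 802.1Q VLAN and port-mirroring plan.

Constructed illustration modelled on the layout in this article (ports 1-7
mirrored to port 8, VLAN 1 internal, VLAN 2 DMZ on ports 6 and 7); it is not
Netgear or Sophos code and talks to no switch.
"""
from typing import Dict, List, Set

DMZ_VLAN = 2


def check_plan(untagged: Dict[int, Set[int]], pvid: Dict[int, int],
               mirror_sources: Set[int], mirror_dest: int) -> List[str]:
    """Return findings for the plan; an empty list means it is consistent."""
    findings: List[str] = []
    port_vlans: Dict[int, Set[int]] = {}  # port -> VLANs it egresses untagged
    for vlan, ports in untagged.items():
        for port in ports:
            port_vlans.setdefault(port, set()).add(vlan)
    for port, vlans in sorted(port_vlans.items()):
        if len(vlans) > 1:
            # Frames of both VLANs leave this port untagged, so a host on it
            # sits on the LAN and the DMZ at once: the segmentation is gone.
            findings.append(f"port {port}: untagged in VLANs {sorted(vlans)} (segmentation leak)")
    for port, vlan in sorted(pvid.items()):
        # Ingress frames are placed in the PVID VLAN; the port must belong to it.
        if vlan not in port_vlans.get(port, set()):
            findings.append(f"port {port}: PVID {vlan} but not a member of VLAN {vlan}")
    dmz_ports = untagged.get(DMZ_VLAN, set())
    if mirror_dest in mirror_sources:
        findings.append(f"port {mirror_dest}: mirror destination is also a mirror source")
    if mirror_dest in dmz_ports:
        findings.append(f"port {mirror_dest}: mirror destination sits in the DMZ VLAN")
    for port in sorted(dmz_ports - mirror_sources):
        # Unmirrored DMZ port: the IDS on the destination port never sees it.
        findings.append(f"port {port}: DMZ port is not a mirror source")
    return findings


# Intended plan: VLAN 1 on ports 1-5 and 8, DMZ VLAN 2 on ports 6 and 7.
GOOD_PLAN = dict(untagged={1: {1, 2, 3, 4, 5, 8}, 2: {6, 7}},
                 pvid={p: (2 if p in (6, 7) else 1) for p in range(1, 9)},
                 mirror_sources=set(range(1, 8)), mirror_dest=8)
# Same plan, but port 6 was left untagged in VLAN 1 as well (a common slip).
LEAKY_PLAN = dict(GOOD_PLAN, untagged={1: {1, 2, 3, 4, 5, 6, 8}, 2: {6, 7}})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("leaky", LEAKY_PLAN)):
        print(name, check_plan(**plan) or ["ok"])
```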

Once that’s set up, I plug an Ethernet cable into port 7 and into the DMZ port of my firewall.

Log in to the firewall and go to Interfaces & Routing -> Interfaces.

[Screenshot: Sophos UTM 9, Interfaces & Routing -> Interfaces page with the New Interface... button]

You should have an Internal network already set up, so we’ll run through this example by creating a new interface, which I called Honeynet. This will be my DMZ network.

[Screenshot: Edit Interface dialog: Name Honeynet, Type Ethernet, Hardware eth2, IPv4 address 172.16.0.1, IPv4 Netmask /24 (255.255.255.0)]

Make sure the honeynet can resolve DNS at the firewall.

[Screenshot: Network Services -> DNS, allowed networks: Honeynet (Network), Internal (Network), VPN Pool (SSL)]

Also make sure hosts on the network get an IP address via DHCP.

[Screenshot: Network Services -> DHCP server for Honeynet: range 172.16.0.1 through 172.16.0.254, DNS 1: 172.16.0.1, DNS 2: 0.0.0.0, Default Gateway: 172.16.0.1, WINS: 0.0.0.0]

Set up a masquerade rule so outbound traffic is sourced from our public IP.

[Screenshot: Network Protection -> NAT -> Masquerading, rule Honeynet (Network) -> ATT WAN]

And we’re done! Now we’re able to mirror our internal and DMZ network traffic to port 8. We’ll connect port 8 to the sniffing interface of Security Onion for analysis, which we’ll review in the next article.

Now you can connect another computer or Raspberry Pi to port 6 to get an IP address in the Honeynet (DMZ). We can create firewall rules to control hosts on both the LAN and DMZ networks, ensuring we properly segment the networks.

From the main Sophos Dashboard:

[Screenshot: Sophos Dashboard interface table: eth0 Internal, eth1 ATT WAN, eth2 Honeynet, eth3 Unused; all Ethernet, state up, link up, with in/out throughput in kbit]