Friday, April 16, 2004

Interface Bonding on FreeBSD

The question of how to combine traffic seen by two physical network interfaces into a single virtual interface is popular on the various IDS lists I watch. Below is the script I use to create a ngeth0 interface using the FreeBSD ng_eth netgraph node:

bourque:/$ cat /usr/local/etc/rc.d/001.bond.sh
#!/bin/sh -x
# sf2 and sf3 are real interfaces which receive tap outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

Linux has a channel bonding page at Sourceforge.

I devote an entire chapter of my book on how to get access to traffic on the wire, with instructions for SPAN ports, inline bridging devices, and the like.

Remember that creating virtual interfaces is one way to deal with the two TX outputs from traditional taps, like the Net Optics 10/100 Ethernet Tap. Their new 10/100 Ethernet Port Aggregator Tap offers a single TX output with RAM to buffer the original two TX lines.