At FlashedRouter, we love tinkering with hardware. The idea of setting up a network tap to monitor WAN traffic has always intrigued us. So when we got our hands on the Fenvi AX3000—a fast, solid router with a dual-core CPU—we dove into its network stack to see what it could do. This quick guide walks you through how we turned that router into a passive network tap for monitoring internet traffic across an entire network.
Step 1: Identify Ethernet Ports
The first step is to identify the physical Ethernet ports so we can dedicate one to the mirrored WAN traffic. A plain ifconfig shows that the router exposes several identifiable network interfaces; each lan*/wan name typically maps to a physical port on the device, which lets us configure one of them as a dedicated mirror port. (The listing below was captured after the setup was finished, so lan1 already shows the 192.168.3.1 address from Step 2 and the PROMISC flag.)
root@router:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fdd2:5469:5219::1/60 Scope:Global
          inet6 addr: fe80::e667:1eff:fe7a:b034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19998463 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36756936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11246398435 (10.4 GiB)  TX bytes:41685293412 (38.8 GiB)

eth0      Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          inet6 addr: fe80::e667:1eff:fe7a:b034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:36670910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89246483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41845479753 (38.9 GiB)  TX bytes:65901231604 (61.3 GiB)
          Interrupt:75

lan1      Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::e667:1eff:fe7a:b034/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:10652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62961872 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1857894 (1.7 MiB)  TX bytes:53438775001 (49.7 GiB)

lan2      Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3615 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3615 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:302409 (295.3 KiB)  TX bytes:302409 (295.3 KiB)

phy0-ap0  Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1714179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2193027 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:339036299 (323.3 MiB)  TX bytes:1072017985 (1022.3 MiB)

phy1-ap0  Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28142478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38369021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12060409397 (11.2 GiB)  TX bytes:41344843405 (38.5 GiB)

wan       Link encap:Ethernet  HWaddr E4:XX:XX:XX:XX:00
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e667:1eff:fe7a:b033/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36660258 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26324854 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41696938219 (38.8 GiB)  TX bytes:11750768997 (10.9 GiB)
Step 2: Create a new interface with static IP
From the web UI we created a new interface and assigned the static IP 192.168.3.1 to it; this is the interface that all traffic from the WAN port will be mirrored to.
Now we head to the CLI and add these two packages to OpenWrt:
apk update; apk add kmod-ipt-tee iptables
That's it: with iptables installed we can TEE the WAN into port 1, so whatever passes through the WAN is also copied to port 1. A sniffer / network tap on that port can absorb the traffic and feed it into an IDS such as Suricata, with EveBox as the UI for browsing the resulting events and alerts. More on this later in the article.
Now we open vim and put the iptables rules that mirror the traffic into the file /etc/firewall.user:
# Mirror inbound WAN traffic
iptables -t mangle -A PREROUTING -i wan -j TEE --gateway 192.168.3.2
# Mirror outbound WAN traffic
iptables -t mangle -A POSTROUTING -o wan -j TEE --gateway 192.168.3.2
Notice that 192.168.3.2 is the IP address of the machine we will plug into port 1 to sniff the traffic; that static IP has to be assigned manually on the sniffing machine. TEE sends a copy of each packet with its original IP headers intact and only rewrites the Ethernet destination to the MAC that 192.168.3.2 resolves to, which is why the sniffer must sit on the directly attached mirror subnet.
To make these iptables rules persistent across reboots we modified /etc/rc.local (recent OpenWrt releases with the fw4 firewall no longer run /etc/firewall.user on their own) and added this line:
root@router:~# cat /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
sh /etc/firewall.user &
exit 0
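Because rc.local simply appends the rules on every boot, a second run of the script (another boot without a reboot of the rules, or a manual re-run) would add a second TEE rule and the sniffer would receive every packet twice. The following is an idempotent version of /etc/firewall.user, written for this article rather than taken from the FlashedRouter setup; it assumes the names used above (WAN interface wan, sniffer at 192.168.3.2) and uses iptables -C to check for an existing identical rule before appending:

```shell
#!/bin/sh
# Idempotent /etc/firewall.user for the WAN mirror (constructed example for this article).
# Assumes the names used above: WAN interface "wan", sniffer at 192.168.3.2 on port lan1.
SNIFFER_IP="${SNIFFER_IP:-192.168.3.2}"
WAN_IF="${WAN_IF:-wan}"
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# ensure_rule TABLE CHAIN RULE...
# Append RULE to CHAIN only if an identical rule is not already present (iptables -C).
# Without this check every extra run of the script appends a second TEE rule and the
# sniffer receives two copies of every packet.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# The two mirror rules from the article: copies of all packets entering and
# leaving the WAN interface are sent towards the sniffer's IP (resolved to its MAC).
mirror_wan() {
    ensure_rule mangle PREROUTING  -i "$WAN_IF" -j TEE --gateway "$SNIFFER_IP"
    ensure_rule mangle POSTROUTING -o "$WAN_IF" -j TEE --gateway "$SNIFFER_IP"
}

# Apply only when executed as the firewall.user script (e.g. from /etc/rc.local);
# when the file is merely sourced, just define the functions.
case "${0##*/}" in
    firewall.user) mirror_wan ;;
esac
```

Saved as /etc/firewall.user it is a drop-in replacement for the two-line version and works unchanged with the sh /etc/firewall.user & line in rc.local; running it a second time leaves the mangle table as it was.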
Now we connect the tap / sniffing machine to port 1 and assign it 192.168.3.2 as a static IP. From here it is straightforward to install Suricata and EveBox; on Ubuntu these are the commands we used:
sudo apt update
sudo apt install suricata curl
sudo curl -fsSL https://evebox.org/files/GPG-KEY-evebox -o /etc/apt/keyrings/evebox.asc
echo "deb [signed-by=/etc/apt/keyrings/evebox.asc] https://evebox.org/files/debian unstable main" | sudo tee /etc/apt/sources.list.d/evebox.list
sudo apt-get update
sudo apt-get install evebox
You will need to edit /etc/suricata/suricata.yaml to select the correct capture interface; in our case it was eno3, but yours will differ. You should also check with tcpdump that the interface is actually receiving the traffic from the mirrored port and not just its own packets. For simplicity we start with the SQLite database. Please read the online docs on how to set it up correctly, starting from the Suricata getting-started guide.
After that we update the rules with:
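A concrete form of that tcpdump check, added here as an example and not part of the original write-up: mirrored packets keep their original IP addresses, so on a working tap most packets seen on the capture interface involve hosts other than the tap box itself. The script samples a few hundred IPv4 packets and counts how many have neither endpoint equal to the box's own IP; zero means the TEE copies are not reaching this port. It assumes tcpdump is installed and uses the interface name (eno3) and IP (192.168.3.2) from this article.

```shell
#!/bin/sh
# Tap-side sanity check (constructed example for this article): confirm the sniffing
# interface actually receives mirrored WAN traffic, not just the tap box's own packets.
# Assumes tcpdump is installed; interface name and IP are the ones used in the article.

# count_foreign OWN_IP  <  tcpdump -nn -l output
# Prints "<ipv4 packets seen> <packets where neither endpoint is OWN_IP>".
count_foreign() {
    awk -v me="$1" '
        # strip a trailing ":" and, for "a.b.c.d.port", the port suffix
        function host(a) {
            sub(/:$/, "", a)
            if (gsub(/\./, ".", a) == 4) sub(/\.[0-9]+$/, "", a)
            return a
        }
        $2 == "IP" {           # IPv4 lines only; ARP and IP6 lines are ignored here
            total++
            if (host($3) != me && host($5) != me) foreign++
        }
        END { printf "%d %d\n", total + 0, foreign + 0 }'
}

# mirror_check IFACE OWN_IP [COUNT]: sample COUNT IPv4 packets (default 200) and report.
mirror_check() {
    tcpdump -nn -l -i "$1" -c "${3:-200}" ip 2>/dev/null | count_foreign "$2"
}

# Usage: sh mirror_check.sh eno3 192.168.3.2   (Ctrl-C if nothing arrives at all)
if [ $# -ge 2 ]; then
    set -- $(mirror_check "$1" "$2" "$3")
    echo "ipv4 packets sampled: $1, not involving this box: $2"
    [ "$2" -gt 0 ] || { echo "no mirrored traffic seen: check the TEE rules and cabling"; exit 1; }
fi
```

Run it on the tap machine while another host on the LAN is browsing; a result such as "ipv4 packets sampled: 200, not involving this box: 190" shows the mirror is working, while a count of zero foreign packets points at the TEE rules, the cabling, or the wrong capture interface.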
sudo suricata-update
Then you're ready to go. Browse to http://monitor-box:5636/ and you will see all the alerts. Filter for severity:1, grab some popcorn and watch the horror movie of all the threats coming into and going out of your network.
Curious if you'd want one of these?
Would you be interested in a plug-and-play device that monitors your entire network for threats? We're thinking about turning this into a ready-to-go solution.
Shoot us a message at hi@flashedrouter.com—we’d love to hear your thoughts.