So I have this Netgate SG-5100 here, and I know a bunch of people are going to ask, so I'll mention that this is in a rackmount.it (that's their website) rack mount kit. This particular one, because someone asked, is the SR-T1; I don't know if they make this model anymore, we've had it. But if you're interested in buying one of these, I'll leave a link below to their site and an affiliate link for it on Amazon. Anyways, we're gonna talk about transparent bridges, and that's what we actually have set up right here. This is my control port, as in my WAN, which is plugged into the Netgate. These two ports are the ones that we've got set up in transparent bridge mode; OPT1 and OPT2 is what you're gonna see them called in here. And then we called the bridge "catwalk". Now, what is a transparent bridge? Well, essentially it acts like a switch port here. You can actually tie more than two ports together and you can (I do not recommend it) use pfSense as a switch, and it can then monitor said switch, and it does not have to provide any routing functionality in this mode. So you can actually set it up, and that's why we're gonna have it set up today, as a transparent bridge, which means there's no IPs that pfSense has assigned.
We're simply observing transparently what's going on inside of here, and we can apply firewall rules to it, and we can even provide IDS or even packet sniffing going on here. So we're gonna walk through the setup of it, pretty straightforward, and some of the things you can do with it. Now, what's the use case for that? I like to say, well, the use case is sometimes you have a reconnaissance mission, let's say, and you are dealing with an unusual situation where you need to observe the traffic, but you don't want to be part of the traffic or be noticed observing. You just want to do some packet sniffing, you want to do some IDS on it, and maybe the equipment that the client has, that you're at on this engagement, does not have the ability to do packet capture or packet sniffing, and you want to observe said device and see everywhere it goes, but not alert the device and let it know that you're, you know, adding an extra layer of routing in there. So of course you could route things through pfSense and just fully observe it; that's the easy way. But sometimes there have been times when you want to transparently bridge because you want to see what something else is doing. So you want to give it, say, a public IP address on the internet, but you don't want to have anything on the pfSense side getting the public IP, so you'd want to pass through but be able to observe. So there are a couple of the use cases you might have for this. Now let's dive into how it actually works and the setup of this.
So the setup is pretty easy. We're gonna go over here to Interfaces, Assignments, and you go over here to Bridges, and you see it says "bridged". So I called it the test bridge here. So we just grabbed two ports, and we could have grabbed more if we wanted; say you had multiple devices you want to observe. So if I were to grab OPT1 through OPT4, those would all act like switch ports, and if they act like switch ports, well, then you can plug in, you know, one feed and three other devices and observe all the devices, for example. And we didn't change anything on the advanced side, but this actually acts like a managed switch. And I know someone's gonna say, "Well, can I just use pfSense as a switch?" Well, it's not really designed to do that, and there are some performance concerns because you're kind of looping things around through it. So even a basic general switch is gonna generally perform a little bit faster than this. This is more for observation, network engineering, less about building switches out of pfSense, which, actually, switches are cheap, so this is not the most practical use case; but if you wanted to, you can, yes, for those wondering, build a switch. And you do have all these protocol options. So, you know, you've got spanning tree in here, edge port, auto edge port. I mean, you can really go fine-grained and really tune some of the settings in here, so it's definitely pretty cool if you wanted to go further, beyond the scope of what we're going to talk about today. Now, once you've chosen the two ports, and like I said, we just made two members, OPT1 and OPT2, its interface is bridge0. The next thing you want to do is go over here and go to Assignments. And I assigned it already, called "catwalk". So if it was in the list, I could have just added it, but I assigned it and called it the catwalk.
Now, there's one more thing that you need to do. Well, this is optional, but it makes it easier to do it this way. We're going to go here to Advanced, and we're going to System Tunables. And there's a write-up on pfSense about this as well, and we'll get to find it real quick. We want to follow this right here: by default, traffic is filtered on member interfaces, not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge. And that's what we did over here, and that's what I wanted to let you know: so pfil_member is zero, but net.link.bridge.pfil_bridge is packet filtering on the bridge interface. Now, why is that important? We go over here to Firewall, we're going over here to Rules. Now, if you don't do this, you need to create the rules under the member interfaces, the OPT1 or OPT2, versus here. This is where I prefer to create the rules, because now I know I'm creating rules against the bridge itself. And like I said, it's just an advanced setting, so if you're creating bridges, and the only time you need to do that is if you're creating bridges, you would set this. Therefore, this bridge that we just named the catwalk is an interface that's set up like any other interface right here, and this is where you name it. It's absolutely where you put all the rules now; you don't have to find other places to put it. Now, please know we can assign, we can be a member within this setup, so we could actually assign an IP address here if we want to, that's within the range. For example, if you were doing it on the LAN, you can become a member and have IP participation in there if this is something you wanted, but by default it doesn't need to have any. And for what we're going to do here and show how Suricata works with it, you don't need an IP in this range. So that's something to keep note of. So what do we do now?
All right, so you can see with no IP addresses here, OPT1, OPT2. I don't know which one, do I have them in order? OPT2 is where the internet comes in, not that it matters, and OPT1 happens to be where my laptop is plugged in. So once again, my laptop is plugged in through here, but it's not participating, so to speak; pfSense is not in the IP side of this, but it does see it. And we're going to go over here to Status, and we'll go over to actually Diagnostics, and we'll look at the state tables, and States. And we have some states on here. We're going to look at specifically the catwalk states and the filter. So you can see everywhere that my system is going. So 172.16.69.117, that is the IP address of my laptop for my network interface. And my wireless I put on a separate network, 192.168.3.18. I did this on purpose, that way I can access this remotely. We'll jump to the beginning real quick so I show the IP addresses, because sometimes you look confused by all this. The WAN of the pfSense itself is on the .3 network, but we're doing the bridging across the 172 network; that way it's two distinctive networks, so I can see the different states that are in there and not get anything confused. Yes, you could do it other ways, I'm aware. Now, one of the things we'll start out with first is just talking about sniffing packets, a packet capture. So if we go over here and we go down to Packet Capture under Diagnostics, and we choose the catwalk interface, we can, I'm going to take the count to nothing here, and address family, cool. So we'll go ahead and start a packet capture, and let's go just ping something. This should go out over that interface because it should be the shortest path, hardwired versus wireless, for those of you wondering. Yes.
I'm, now, because I'm connected to networks on my laptop, I'm hoping it goes out that one; we'll find out, but I'm feeling pretty confident it will. Hit stop. Hey, look, we can see all the states that are down there. Or actually you can go ahead and, if we want to, we can pull it into Wireshark, but you get the idea. So here is me pinging the 1.1 and back and forth. So now you can see with no IPs, I just packet captured whatever data is on there. And this is obviously really handy because then I can download the capture. Yes, we'll go ahead and open up Wireshark, and now we can start diving into Wiresharking through anything that's going across this address here. Now for those of you that may have noticed over here, I actually have the Tor Browser open, and yes, I pulled the Cybertruck up because, hey, why not? It seems to be a controversial topic. We'll see how this pans out, but I am running this in the Tor Browser, and that's one of the things I wanted to observe. So we're going to go through and watch what Tor Browser does, routing across that, and with Suricata. So let's go ahead and just get out of the way of this. And actually, that's what some of these Suricata alerts are. So how do we go a step further? Suricata on here. So I went through just a standard, normal, default install of Suricata, updated the rules through my Oinkcode in there to download the latest rule sets, and you can see that they're updated as of today, Saturday, November 23rd. So yes, we have the rules, we have the Emerging Threats, and then we go over here to Interfaces. Now we're going to go ahead and edit this, and what we chose was, once again, the catwalk interface, because we have that where all the data is flowing. That's the one we're going to observe; that's when we're managing the rules on for the bridge. So we have Suricata pointing at that. What categories are we doing?
Pretty much everything. We just, I just selected it all; I grabbed all the rules and said save. I wanted to flag it: it's only in IDS mode, so intrusion detection mode, not prevention, as in there's no blocking turned on. So we go over here to Settings. Now, this is where there was a bit of setup work that had to be done. So HOME_NET, the default answer is "default". And this is, out of the box, how Suricata does this, and what your default list is going to be is IPs found on this router. So the LAN happens to be 192.168.69.0, the WAN, because it's internal, it's double-NATed, is 192.168.3. So it added those and said, hey, these are the HOME_NET ones, and we're going to observe only those. Therefore Suricata would actually find nothing in terms of alerts. You have to have, and I call it "catwatch", a list made. Now, there's two ways to do this. You could make a list, or you can add an IP in the range of the devices that you want to capture, because when you add an IP in the range you capture, that will add to the HOME_NET automatically in Suricata. Therefore Suricata will be able to observe the network traffic in there and apply its rules. But instead, because as you've seen we have nothing assigned to the catwalk, there is no IP range in there, we actually do it this way. And so I'm going to walk through: we have a Pass List, and we have HOME_NET, and how did I do that? Well, let's go ahead and edit this. I just called it "catwatch", didn't give a description, left this all at default, and then we chose HOME_NET here. What is HOME_NET? Well, that's an alias. So you actually first, before you come to here, we had to create an alias. And how did I create the alias? So we'll walk it all the way back. So I created a thing called HOME_NET, and because I know my laptop was going to be in the 172 range and I wanted to watch everything in the 172 range. But I could have just filtered for specifically the 172.16.69.117 that I'm using, but I wanted all of them.
So I did this. Now, by the way, I didn't type all these in. If you're not aware, you can do typing in one IP and it'll create this. So if you added a host and you typed in 192.168, you know, 99.0/24, when you hit save it'll generate all the other ones. I don't want to do that again, but you get the idea: it's going to observe all the 172 addresses. So once we have the alias created, we're going to go back over here to Suricata, and we go over here to Pass List. We created this, and then aliases, if you're not familiar with how they work in pfSense, you can put them in, you can look them up to find them, like check the box and save, and it'll fill them in, or I believe this supports autocomplete. Yeah, it autocompleted when I typed it in as well. So it'll fill in, kind of doing a back-end lookup for each one of the aliases you may have created. So back over here to the interface, back over here to edit, and once again we just set the HOME_NET here, and that allows us to observe the alerts and things like that. So what are the alerts? What do we have in here? Well, because I have Tor running, and one of the reasons I have Tor running is so we can see this, so we see "ET TOR Known Tor Relay", blah blah blah, and you can see a couple of other things I was testing in here, just to create some noise to show that, okay, here's the things I observe. I was actually going internally, moving to the 172.16.69.4 address. Now, another reason you may want to use this transparent bridge is when you want to just tap into and observe some network traffic because you think some type of attack's going on, but you don't have access to it, lateral movement wise. And what I mean by that is if you have a network and it's not going through the routing of your pfSense,
so Suricata doesn't see it. Suricata is not going to see movement between subnets on the same range, because there's no routing taking place. But when you have a transparent bridge, any traffic that passes through the bridge can be observed. So it's another use case for this: if you want to observe local LAN traffic that's not routed, but you do pass it through a bridge like we do here, you get the observations and insight into what's going on with these. So that's another use case you can have for this. The other option for doing this is port mirroring; that's a different video for another day. Transparent bridging is what we're talking about today. So this kind of gets you an idea of how to set it up and how to make it work. So what else can we do about this? Well, let's look at the firewall rules again, and we're going to go ahead and look at the catwalk, and right here we can see the states and the rules, and this rule is a wide-open rule. So we have everything on here. We actually have logging turned on as well, because this is another advantage you have: you go, I want to log all the traffic. Like I said, you're in observation mode. But we also have protocol right now as any/any. So let's go over here to the terminal and we're going to ping something: 72.16.69.4. No, that's not pingable. Let me find something that's pingable. 69.1. Oh, I got the wrong, it's 16.69. There we go. All right, now that I got my typos figured out, 172.16.69.4, that is pingable. So we can see we have seven packets transmitted, no packet loss, and that's because we have protocol any. What if we only allowed
TCP and UDP traffic? So we're going to go ahead and hit save here and apply. So now what we've done is we've applied a rule, and we've changed what traffic is allowed to pass through this bridge. So now we should go over here to ping and it should fail. And because we disabled ICMP, it don't work no more, simple as that. So now we have dropped those packets. Now you can see how you can start creating specific rules and start changing things, and you're doing it as essentially a transparent firewall now. So you're, you know, bridging the ports in similar ways to a switch, but now your transparent firewall is able to create rules and apply them to here. And we could go further, logging and log failed packets, etc., etc. But like I said, this is a great way to get in, dive into network engineering and observing things that are going across. We can actually do the inverse here: we can allow ICMP and only, but not allow, for example, TCP and UDP. So there's another thing that you could do if you wanted to mess with it. But there's obviously different things you can dive into further, like you only want to allow GRE, or not allow GRE, other types of filtering that you can do here, or create a whole set of rules, and you create them all under, like I said, the catwalk option. And then, of course, all the advanced things play out as well. So if you wanted to dive further into playing with it, or piping things in there, or maybe doing some type of queuing options, they would be all stuff you could do right here. So we're going to hit save to just put it back to normal and apply the changes. So it can give you an overview: it's not that hard to do transparent bridging. It does have some certainly interesting use cases. It's wonderful when you want to do network engineering work where you want to be transparent and observe the traffic that's going across, or apply rules to it, or, you know, set up a series of devices. There's four ports here.
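As an added example (not code from the video, pfSense or Suricata), here is a small Python script that reads a pcap like the one downloaded from the catwalk packet capture and applies the same pass-rule change shown above, protocol any versus TCP/UDP only, to each packet. The pcap, the addresses and the rule model are constructed for illustration; pf's real evaluation also considers direction, state and logging, which this simplified verdict leaves out.

```python
import struct

# Constructed sample pcap (link type 1, Ethernet) standing in for a capture
# taken on the bridge interface: an ICMP echo request, a TCP SYN and a UDP
# DNS query from the laptop. Addresses follow the video's 172.16.69.0/24 lab.
def ip_bytes(addr):
    return bytes(int(o) for o in addr.split('.'))

def ipv4(proto, src, dst, payload):
    # Minimal IPv4 header (checksum left zero; the parser does not validate it).
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload

def eth_frame(ip_pkt):
    return b'\x00' * 12 + b'\x08\x00' + ip_pkt   # dst MAC, src MAC, EtherType IPv4

def build_pcap(frames):
    global_hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    records = b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)
    return global_hdr + records

ICMP_ECHO = struct.pack('!BBHHH', 8, 0, 0, 1, 1)                          # echo request
TCP_SYN = struct.pack('!HHIIBBHHH', 50000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
UDP_DNS = struct.pack('!HHHH', 50001, 53, 8, 0)

SAMPLE_PCAP = build_pcap([
    eth_frame(ipv4(1, '172.16.69.117', '172.16.69.4', ICMP_ECHO)),
    eth_frame(ipv4(6, '172.16.69.117', '1.1.1.1', TCP_SYN)),
    eth_frame(ipv4(17, '172.16.69.117', '1.1.1.1', UDP_DNS)),
])

PROTO_NAMES = {1: 'icmp', 6: 'tcp', 17: 'udp'}

def parse_pcap(data):
    """Return (proto, src, dst) for each IPv4 frame in a little-endian Ethernet pcap."""
    magic, = struct.unpack('<I', data[:4])
    if magic != 0xa1b2c3d4:
        raise ValueError('only little-endian, microsecond pcap files are handled')
    packets, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack('<IIII', data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b'\x08\x00':        # skip non-IPv4 frames (ARP, IPv6, ...)
            continue
        src = '.'.join(map(str, frame[26:30]))
        dst = '.'.join(map(str, frame[30:34]))
        packets.append((PROTO_NAMES.get(frame[23], str(frame[23])), src, dst))
    return packets

def apply_pass_rule(packets, allowed=None):
    """Verdict per packet for one pass rule on the bridge: allowed=None is
    'protocol any'; otherwise only the named protocols pass (ICMP is dropped
    once the rule is narrowed to TCP/UDP, which is why the ping stops)."""
    return [(p, s, d, 'pass' if allowed is None or p in allowed else 'block')
            for p, s, d in packets]

def passed_count(verdicts):
    return sum(1 for v in verdicts if v[3] == 'pass')

if __name__ == '__main__':
    for verdict in apply_pass_rule(parse_pcap(SAMPLE_PCAP), {'tcp', 'udp'}):
        print(verdict)
```

Point it at a real capture by replacing SAMPLE_PCAP with the bytes of the downloaded file; frames that are not IPv4 are skipped rather than parsed.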
So four potential. Now, like I said before, when it comes to the transfer speeds, a normal switch port, you know, a normal gigabit switch port, no problems, gigabit. When you're transferring between here, that's where sometimes you can run into some problems, and there's a lot of discussion in the forums about that; people want to use their pfSense as a managed switch. Like I said, you can do that, but you may run into some bottleneck limitations. This is not the fastest way, because it's not dedicated, designed-for-switching hardware. This is, you know, pfSense is more designed for routing. But when it comes to observational stuff, packet capturing and things like that, this is a quick and easy way to do it and make this happen. So I'll leave links to the documentation over on pfSense, and make sure, there's just plenty more to read on that. But now they have some documentation themselves on how to set this up. But now you get an idea of how to set this up with Suricata and the transparent bridging. By the way, I will mention, for those wondering, yes, it does work with Snort. I just chose Suricata because it seems like more people ask about it. The only thing different with Snort is I don't think you need to add the IP address ranges in Snort, because it doesn't have that HOME_NET; I think by default Snort will observe the traffic on the catwalk bridge without anything. I'd have to do some further testing on it, but I did test with Snort and it did work. Then I switched it back over to Suricata; it seems to be the more requested one.
So I chose to do it that way. All right, thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.