Bridge/Tap traffic being diverted
Ok. I'm going to try my best to explain my topology.
Currently everything works and I will explain that and then I will explain what Im trying to do which breaks everything.
I will explain it from the internet going into the LAN
First is the router which connects to the internet.
It IP is 192.168.1.1 (IP have been changed to protect the innocent)
The router connects to a machine with 3 KVM VMs and 3 interfaces.
Its plugged into host interface eth0 which is bridged (br0) to tap0 which is connected to the first VM (my firewall).
The firewall has an internal DHCP server and creates an internal LAN of 192.168.5.0/24
Its external IP is 192.168.1.2 and its internal IP is 192.168.5.1
Traffic comes into the firewall and leaves on a second interface connected to a VDE software switch.
The VDE switch then connects to a bridged snort box.
The snort box has 2 interfaces that are bridged (br4) so I can use snort inline.
Traffic leaves the snort VM and then is sent out to tap1 which is bridged (br1) to host interface eth1.
eth1 connects to a Realtik Routerboard switch with 4 ports. Its uses port 1
Now, my desktop is connected to the Realtik switch (port 2) and gets IP address 192.168.5.10 and can connect and surf the web and the snort IDS sees the traffic.
Now the host machine with the VMs has a third interface (eth2) that is bridged (br2).
eth2 is connected to the Realtik switch on port 3.
The br2 gets IP address 192.168.5.11.
The host uses br2 to connect so its traffic passes through the IDS and firewall and it can also surf the web and the snort IDS sees the traffic.
The 3rd virtual machine is an HIDS device that gets the HIDS info from the various machines and uses tap2 attached to br2 and has IP 192.168.5.12.
The HIDS VM connects ok and can surf the web and recieves the info from the various machines in the lan (excluding the snort IDS as it doesnt have an IP). The snort IDS sees this VMs traffic as well.
Ive used brctl for setting up all the bridges and tunctl for the taps and have not used distro scripts.
I did use the scripts at first but ditched them in favor of setting things manually to try and solve my next problem.
All 4 bridges have STP turned on.
Ok so all this works and performing packet capturing I can verify that all the traffic on the bridges are as expected and are sent through the IDS to the firewall and of to the internet.
Now the problem comes in when I try to create a 3rd management interface, lets call it snort3, on the IDS system thats uses a tap3 to get internet from br2 like the host and the HIDS VM.
This is when things go wrong.
While internet is NOT disrupted on any of the machines, a packet capture on tap3 shows that it sees the entire LANs traffic. Why is this?
Why would the tap3 see the traffic from my desktop even if the VM interface snort3 is down?
Something is definately diverting traffic improperly. Either on br1 or br4. I assume br1 is doing it but I cant be sure.
I dont understand how the traffic is able to "jump" to the tap3 interface when its only been added to br2.
I apologize my setup is somewhat complicated for a home network so Ive tried to explain it the best I can.
Ive spend hours/days trying to figure out whats going on but Im missing something.
I want to prevent tap3 from seeing traffic that is not destined for it but I dont know where the leak is or why its happening.
I can post bridge and KVM configurations and explain anything else in more detail if need be.