ESXi Free Version: SPAN (Mirror) Port with pfSense

When you have the free version of ESXi you don't have features such as vSphere and distributed switches. With distributed switches you can create a SPAN port. On just the free ESXi hypervisor you have two options. One is to have a physical switch mirror a port and then connect that port to ESXi. The other is to create a separate vSwitch or port group and enable promiscuous mode on it.

I will be using option 2, except I will add a port group instead of a separate vSwitch. Once I've made my port group I will give it the promiscuous mode permission. I also gave the port group a different VLAN number to keep the broadcast domain separate, because port groups on the same vSwitch can by default talk to each other when they share a VLAN. Below is what it looks like. This means that anything connected to that port group can now see the traffic on it.

I have a pfSense firewall which routes traffic out to my physical LAN interface. LAN is a vSwitch with no physical adapter, while WAN is connected to the physical NIC on the server, which goes to the physical LAN. The purpose of this is to keep the VM traffic in its own LAN. The picture below shows the network I have. VMs are part of the LAN on the pfSense, and that ESXi vSwitch has no uplink adapter. Uplink adapter, in ESXi jargon, means a physical adapter connected to the vSwitch. The WAN interface just goes to my physical LAN. I have NAT set on the WAN, so traffic out the WAN port has the pfSense WAN interface as its source. Going forward, when I refer to LAN I mean the pfSense LAN interface.

Now let's say we want to monitor traffic and send it to an IDS or another server. In order to do this we have to pick our placement. In the network below it won't work to monitor the WAN interface: it will only show NATed traffic, which won't help in identifying a specific client to investigate. The better placement is before the VM LAN interface or on the LAN interface itself. If you place it before, you will have to do routing to send traffic to your pfSense gateway. For this example I'm going to place the IDS on the LAN side. In order to do this we can mirror the pfSense's LAN interface.

Once you have your port group created, go into the settings of the pfSense VM. Add another network adapter and choose the Mirror port group.

Sign into the pfSense web portal -> click Interfaces -> click Add on the new interface (it will likely be called OPT1). Next click on that interface -> check Enable interface -> click Apply.

Go back to Interfaces -> Assignments -> click the Bridges tab -> add LAN as a member -> click Advanced -> choose the span port (in this case OPT1). Click Apply. Next, in ESXi choose the IDS VM and add a network adapter with Mirror as the port group.

On your IDS run Wireshark or a packet capture to check that the SPAN is working. Below I ran Wireshark on the IDS on the ens192 interface, which is connected to the Mirror port group. If the IDS is Linux, be sure not to set an IP address on the sniffing interface, and set it to promiscuous mode.
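As an added example (not part of the original post), the following script does the Linux-side checks from the last step and the placement argument from earlier: it strips any address from the sniffing interface, enables promiscuous mode, verifies the kernel flag, and counts the distinct source hosts in a tcpdump-style capture. On a LAN-side mirror each client shows up with its own address; a WAN-side capture would show only the single NATed pfSense WAN address. The interface name ens192 is taken from the post; the two capture samples and their addresses are constructed; iproute2 and tcpdump are assumed to be installed and the script run as root when a real interface is passed.

```shell
#!/bin/sh
# Prepare and verify a Linux IDS sniffing interface attached to the ESXi Mirror port group.
# Added example, not the post's own code. Assumptions: iproute2 and tcpdump present,
# run as root when an interface name is given; default interface ens192 as in the post.
set -eu

IFF_PROMISC=256   # 0x100 in /sys/class/net/<if>/flags (Linux if.h)

# flags_promisc HEXFLAGS -> exit 0 when IFF_PROMISC is set in the kernel flags word
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# prep_sniff_iface IFACE: no IP address on the sniffing port (the IDS must never
# answer mirrored traffic), then promiscuous mode on and link up
prep_sniff_iface() {
    ip addr flush dev "$1"
    ip link set dev "$1" promisc on up
}

# iface_promisc IFACE -> exit 0 when the kernel reports the interface as promiscuous
iface_promisc() {
    flags_promisc "$(cat "/sys/class/net/$1/flags")"
}

# lan_source_count: read tcpdump -n lines on stdin, strip the port from the source
# field, and print the number of distinct source hosts seen
lan_source_count() {
    awk '$2 == "IP" { sub(/\.[0-9]+$/, "", $3); seen[$3] = 1 }
         END { n = 0; for (h in seen) n++; print n }'
}

# Constructed sample of what a capture on the LAN-side mirror looks like:
# each VM appears with its own address.
sample_lan_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.11.51235 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 192.168.1.10.51236 > 192.168.1.1.53: 1234+ A? example.com. (29)
EOF
}

# Constructed sample of the same traffic seen on the WAN side: after NAT every
# packet carries the pfSense WAN address, so clients cannot be told apart.
sample_wan_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.50.10234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.50.10235 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
EOF
}

lan_side_hosts() { sample_lan_capture | lan_source_count; }   # prints 2
wan_side_hosts() { sample_wan_capture | lan_source_count; }   # prints 1

main() {
    iface="${1:-ens192}"
    prep_sniff_iface "$iface"
    if iface_promisc "$iface"; then
        echo "$iface is promiscuous with no address; distinct sources in 20 packets:"
        tcpdump -ni "$iface" -c 20 2>/dev/null | lan_source_count
    else
        echo "$iface did not enter promiscuous mode" >&2
        exit 1
    fi
}

# Only touch a real interface when one is named on the command line,
# e.g.  sudo sh span_check.sh ens192
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the distinct-source count stays at one while several VMs are active, the capture is on the wrong side of NAT or the Mirror port group is not receiving the bridged LAN traffic.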
