Traffic mirroring setup on OpenWRT device

This short tutorial describes how to configure traffic mirroring on an OpenWRT-capable router (using iptables) and send the mirrored traffic to a Snort IDS. Having an IDS running in your local network can help you find infected machines connected to it, as well as LAN attacks that can lead to session hijacking, man-in-the-middle attacks and other nasty things.

First of all, you need an OpenWRT-compatible router (see the Official list) with a freshly installed distribution. In this tutorial I’m using a TP-Link TL-WR841ND running 14.07 Barrier Breaker (see screenshot below).

[Screenshot: Traffic mirroring. Barrier Breaker 14.07]

Use SSH to connect to your network device and install the iptables-mod-tee package:

# Update the list of available packages
opkg update
# Check package availability
opkg list | grep "mod-tee"
# Install iptables-mod-tee package
opkg install iptables-mod-tee

# Check if package installed successfully
opkg list-installed | grep "mod-tee"

After the installation, the kmod-ipt-tee package should have been installed automatically as a dependency (see screenshot below):

[Screenshot: Traffic mirroring. iptables-mod-tee installed successfully]

Troubleshooting: a lot of tutorials do not mention the error you can get when trying to add an iptables rule right after the installation. Let’s try to run the following command:

# Add rule to mangle table in POSTROUTING chain
iptables -t mangle -A POSTROUTING ! -s -j TEE --gateway

Most of the time it will result in an error (see screenshot below).

[Screenshot: Most common error]

Because the TEE target is provided by a kernel module, that module has to be loaded before iptables can use it. So, let’s load our newly installed module, xt_TEE:

modprobe xt_TEE

If that doesn’t work, just reboot the device (run: reboot). Now we are ready to add the iptables rules, and traffic mirroring will work like a charm.

As you probably know, there are 5 tables in iptables:

  1. NAT table – used for network address translation (e.g. port forwarding);
  2. RAW table – used for marking packets so that they are exempt from connection tracking;
  3. FILTER table – the default table, where the firewall’s filtering actions typically take place;
  4. SECURITY table – used for Mandatory Access Control rules (SELinux makes use of it);
  5. MANGLE table – used for packet alteration (e.g. cloning);

The table we need is MANGLE. It permits modifying packets going through our router, or, in our case, just cloning them. I used the following two rules to implement traffic mirroring:

iptables -t mangle -A PREROUTING -d -j TEE --gateway
iptables -t mangle -A POSTROUTING ! -s -j TEE --gateway

Make sure you substitute and with the correct network and host address to which all traffic is mirrored. In my case, I have a separate Raspberry Pi connected with IP address, running the Snort daemon on it.
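As an added example (not from the original post), the following shell script wraps the two rules above in a small helper: it loads xt_TEE if needed, appends each rule only when it is not already present, and checks the output of iptables -t mangle -S for both TEE rules. LAN_NET and SENSOR_IP are assumed placeholder values; replace them with your own LAN network and the Snort host's address.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. LAN_NET and SENSOR_IP are
# assumed placeholders: the network under observation and the Snort host.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SENSOR_IP="${SENSOR_IP:-192.168.1.50}"

# The TEE target lives in the xt_TEE kernel module; "-j TEE" fails until it is loaded.
ensure_tee_module() {
    grep -q '^xt_TEE ' /proc/modules 2>/dev/null && return 0
    modprobe xt_TEE
}

# One rule spec for the mangle table: chain, match expression, TEE target.
tee_rule() {
    echo "$1 $2 -j TEE --gateway $SENSOR_IP"
}

# The two rules from the tutorial: packets destined to LAN_NET are cloned before
# routing, packets whose source is not in LAN_NET are cloned after routing.
mirror_rules() {
    tee_rule PREROUTING "-d $LAN_NET"
    tee_rule POSTROUTING "! -s $LAN_NET"
}

# Append each rule only if "-C" (check) reports it missing, so re-running the
# script does not add duplicate rules.
apply_rules() {
    mirror_rules | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        iptables -t mangle -C $spec 2>/dev/null || iptables -t mangle -A $spec
    done
}

# Read "iptables -t mangle -S" output on stdin; succeed only when both TEE
# rules are present and point at SENSOR_IP.
verify_rules() {
    rules=$(cat)
    echo "$rules" | grep -q -- "^-A PREROUTING -d .* -j TEE --gateway $SENSOR_IP\$" &&
        echo "$rules" | grep -q -- "^-A POSTROUTING ! -s .* -j TEE --gateway $SENSOR_IP\$"
}

# Run as "sh mirror.sh apply" on the router to install and check the rules.
if [ "${1:-}" = "apply" ]; then
    ensure_tee_module
    apply_rules
    iptables -t mangle -S | verify_rules && echo "TEE mirroring rules active"
fi
```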

That’s all folks, now you are able to capture all your router’s traffic. Aloha 😉


  1. Just what I was looking for. Thx a lot dude.

  2. Very minor typo in your ssh command example … “mode” vs “mod”:

    # Check package availability
    opkg list | grep “mode-tee”
    # Install iptables-mod-tee package
    opkg install iptables-mode-tee

    When that should be:

    # Check package availability
    opkg list | grep “mod-tee”
    # Install iptables-mod-tee package
    opkg install iptables-mod-tee
    Otherwise, great info. Thanks !!

  3. Is it just me or is iptables-mod-tee not available anymore? I can’t find it :S

  4. I’m just wondering, the ! before the -s filter inverts the filter, right?

    Aren’t you saying match every source except ? The filter seems to still redirect every packet for me, so it’s probably right.. But how does the rule work? Why do you need to invert the filter?

  5. Hello, Sveatoslavm and thank you for sharing.

    I have a few questions:

    1. Why using PREROUTING for the network under observation as destination
    2. Why using POSTROUTING when the network is NOT the source
    3. Apart from the choice of POST vs PRE ROUTING, why using the “not” the network as source (should it not be the network as source to catch all traffic, in and out?)?

    Thanks for any explanation and I hope I have made myself clear enough.

    Thanks again for the share.

  6. Hello Sveat,

    Great and clear guide, but I still have a few questions. In my situation I have two OpenWRT routers, except one only functions as a dumb access point. My routers are running on (Main router) and (Dumb AP). The DHCP leases are from until I am also planning to run a Raspberry Pi with snort on

    Does this means my rules should look like this:
    iptables -t mangle -A PREROUTING -d -j TEE --gateway
    iptables -t mangle -A POSTROUTING ! -s -j TEE --gateway

    With this I want to achieve to monitor all the traffic from WAN and LAN.


    • Hey Sander,

      Glad that you found this tutorial helpful! Where is your DHCP running? I assume it is on the AP and that all devices are connected only via that AP. I can think of several ways to achieve traffic mirroring in your situation. Let’s say the only 2 devices connected physically to the Main Router ( are your AP ( and Raspberry Pi (, both with static IP reservation. Also, I assume that the DHCP server is running on the AP (giving IP addresses in range).
      In this case, your AP and Raspberry Pi should see each other on the local network (try to ping one from the other) and you have to configure traffic mirroring only on your AP.
      Something like:

      iptables -t mangle -A PREROUTING -d -j TEE --gateway
      iptables -t mangle -A POSTROUTING ! -s -j TEE --gateway

      In case you are planning to connect other devices directly to your Main Router and mirror traffic as well as APs traffic, then I would say you also need to add some iptables rules on too.
      Something like this I think should work for you (didn’t test it tho):
      iptables -A PREROUTING -t mangle -i #interface_to_mirror_traffic_from# -j TEE --gateway
      iptables -A POSTROUTING -t mangle -o #interface_to_mirror_traffic_from# -j TEE --gateway

      Hopefully it helps 😉


  7. Lahiru Kanchana

    I’m Lahiru, an IT undergraduate from Sri Lanka. Thanks a lot for this blog post..
    Currently I’m working on my final year research about detecting signature and signatureless malware detection for a smart home network. There we are going to build a hardware device which will act as an extra access point to connect IoT devices in a home network.
    So to do that we need to mirror and take a network dump of the traffic that is passing through our access point and IoT devices.
    Problem is we are not that familiar with hardware components like Raspberry Pi. Can you please share some of your knowledge about how to build this kind of a device using Raspberry Pi in order to mirror the IoT traffic. Thanks a lot for your time!
