I have a simple router/NAT setup on a 450G (RouterOS v5.7):
- ether1 (renamed to wan) connected to a cable modem
- ether2-5 in a bridge on the LAN
- NAT/masquerade between wan and LAN and some filtering rules
I want to mirror wan to one of the LAN ports (ether2) to run an IDS (e.g. snort)
so I removed ether2 from the bridge and ran:
/interface ethernet switch set numbers=0 mirror-source=wan mirror-target=ether2-local
 #  NAME     TYPE          MIRROR-SOURCE  MIRROR-TARGET  SWITCH-ALL-PORTS
 0  switch1  Atheros-8316  wan            ether2-local   yes
But I don't see any traffic on ether2.
Here is my interface setup:
/interface ethernet switch port print
Flags: I - invalid
 #  NAME          SWITCH   VLAN-MODE  VLAN-HEADER
 0  ether2-local  switch1  fallback   leave-as-is
 1  ether3-local  switch1  fallback   leave-as-is
 2  ether4-local  switch1  fallback   leave-as-is
 3  ether5-local  switch1  fallback   leave-as-is
 4  wan           switch1  fallback   leave-as-is
 5  switch1_cpu   switch1  fallback   leave-as-is
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE     BRIDGE  PRIORITY  PATH-COST  HORIZON
 0    ether3-local  bridge  0x80      10         none
 1 I  ether4-local  bridge  0x80      10         none
 2    ether5-local  bridge  0x80      10         none
I also have filter and NAT rules, but do they still apply to the mirrored port? In any case I don't see anything being blocked in the filter stats monitor.
Any idea what I could be doing wrong?
Thanks!
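As an added example (not part of the post above and not MikroTik's own tooling), here is a small Python script that parses the three RouterOS `print` outputs quoted in the post and runs the sanity checks one would want before trusting a switch-chip mirror for an IDS: the mirror source and target must both be ports on the same switch chip, neither may be flagged invalid, and the target must not still be a bridge member. The sample outputs are constructed to match the post; the check rules are this example's own assumptions about a sane mirror setup, not RouterOS semantics taken from the page.

```python
"""Sanity checks for a RouterOS switch-chip port-mirror setup.

Parses the text printed by `/interface ethernet switch print`,
`/interface ethernet switch port print` and `/interface bridge port print`
and reports configuration problems that would keep an IDS on the
mirror-target port from seeing traffic. All sample outputs below are
constructed (copied from the post's setup); the rules are assumptions.
"""
import re

# Constructed sample: `/interface ethernet switch print`
SWITCH_PRINT = """\
 #  NAME     TYPE          MIRROR-SOURCE  MIRROR-TARGET  SWITCH-ALL-PORTS
 0  switch1  Atheros-8316  wan            ether2-local   yes
"""

# Constructed sample: `/interface ethernet switch port print`
SWITCH_PORT_PRINT = """\
Flags: I - invalid
 #  NAME          SWITCH   VLAN-MODE  VLAN-HEADER
 0  ether2-local  switch1  fallback   leave-as-is
 1  ether3-local  switch1  fallback   leave-as-is
 2  ether4-local  switch1  fallback   leave-as-is
 3  ether5-local  switch1  fallback   leave-as-is
 4  wan           switch1  fallback   leave-as-is
 5  switch1_cpu   switch1  fallback   leave-as-is
"""

# Constructed sample: `/interface bridge port print` (ether2 already removed)
BRIDGE_PORT_PRINT = """\
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE     BRIDGE  PRIORITY  PATH-COST  HORIZON
 0    ether3-local  bridge  0x80      10         none
 1 I  ether4-local  bridge  0x80      10         none
 2    ether5-local  bridge  0x80      10         none
"""

# Constructed variant: the mirror target was left in the bridge.
BRIDGE_PORT_WITH_TARGET = BRIDGE_PORT_PRINT + \
    " 3    ether2-local  bridge  0x80      10         none\n"

FLAG_RE = re.compile(r"^[A-Z]$")  # a RouterOS flag column is one capital letter


def parse_print(text):
    """Parse a RouterOS `print` table into [{'flags': set, 'cols': [..]}, ...].

    Rows start with a number; header and 'Flags:' legend lines are skipped.
    Single-capital-letter tokens before the first real column are flags.
    Only whitespace separation is relied on, which works because none of
    the fields used here contain spaces.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        flags, cols = set(), []
        for tok in tokens[1:]:
            if not cols and FLAG_RE.match(tok):
                flags.add(tok)
            else:
                cols.append(tok)
        rows.append({"flags": flags, "cols": cols})
    return rows


def check_mirror(switch_print, switch_port_print, bridge_port_print):
    """Return a list of problem descriptions; an empty list means the mirror looks sane."""
    problems = []
    ports = {r["cols"][0]: r for r in parse_print(switch_port_print)}
    bridged = {r["cols"][0] for r in parse_print(bridge_port_print)}

    for sw in parse_print(switch_print):
        name, _chip, src, dst = sw["cols"][:4]
        if "none" in (src, dst):
            problems.append(f"{name}: mirror-source or mirror-target is not set")
            continue
        if src == dst:
            problems.append(f"{name}: mirror-source and mirror-target are the same port")
        for role, port in (("mirror-source", src), ("mirror-target", dst)):
            if port not in ports:
                problems.append(f"{name}: {role} {port} is not a port on any switch chip")
            elif ports[port]["cols"][1] != name:
                problems.append(f"{name}: {role} {port} belongs to {ports[port]['cols'][1]}, not {name}")
            elif "I" in ports[port]["flags"]:
                problems.append(f"{name}: {role} {port} is flagged invalid")
        if dst in bridged:
            problems.append(f"{name}: mirror-target {dst} is still a bridge port; "
                            "remove it from the bridge so only mirrored frames leave it")
    return problems


if __name__ == "__main__":
    for label, bridge in (("as posted", BRIDGE_PORT_PRINT), ("target left in bridge", BRIDGE_PORT_WITH_TARGET)):
        print(label, "->", check_mirror(SWITCH_PRINT, SWITCH_PORT_PRINT, bridge) or "no problems found")
```

Run against the post's own output the checks come back clean, which is useful in itself: it rules out the common misconfigurations and points the investigation at how the switch chip mirrors routed (CPU-bound) traffic rather than at the port setup. Paste real `print` output into the three constants to check another box.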