On my first attempt to install Security Onion in my Security-Appliance-in-a-Box, I ran into a weird networking issue. The install script failed with the error “The IP being routed by Linux is not the IP address assigned to the management interface (ens1)“. Looking around online, I discovered that I’m not the first person to experience this, but there wasn’t an obvious solution. Here’s the steps I followed, and the root cause.
Security Onion does work out-of-the-box with dual NICs of the same type. For example, if I select ens1 and my management interface from the below, no issues.
If I select eth1 from the below options, where ens and eth adapters are mixed, even this will work without an issue.
However, if I attempt to select the below management interface, it will fail.
Here’s the error…
It appears from looking at the network configuration that both my NICs have an IP address (not surprising). The management interface (ens1) was correctly configured by the wizard, and my network tap interface has a DHCP address.
However, what is surprising is that I’m getting two default routes set. One on my management interface (correctly), and one incorrectly applied on my private network for span port traffic.
The following code is detecting this first line as the default route, when in fact, that record is errant. Naturally, this record doesn’t reflect the gateway of my ens1 interface, and thus fails the check.
# /home/gateway-admin/SecurityOnion/setup/so-functions - line 2446
MAINIP=$(ip route get 1 | awk '{print $7;exit}')
By deleting this errant routing record, you are now able to re-run the so-setup script and it will complete successfully.
ip route delete default via 192.168.122.1 dev eth0