Security Onion – IP Routed Error on Install

On my first attempt to install Security Onion in my Security-Appliance-in-a-Box, I ran into a weird networking issue. The install script failed with the error “The IP being routed by Linux is not the IP address assigned to the management interface (ens1)“. Looking around online, I discovered that I’m not the first person to experience this, but there wasn’t an obvious solution. Here’s the steps I followed, and the root cause.

Security Onion does work out-of-the-box with dual NICs of the same type. For example, if I select ens1 and my management interface from the below, no issues.

Working with dual NICs of same type

If I select eth1 from the below options, where ens and eth adapters are mixed, even this will work without an issue.

Works with dual NICs of different types

However, if I attempt to select the below management interface, it will fail.

Doesn’t work with reversed order

Here’s the error…

It appears from looking at the network configuration that both my NICs have an IP address (not surprising). The management interface (ens1) was correctly configured by the wizard, and my network tap interface has a DHCP address.

IP Configuration

However, what is surprising is that I’m getting two default routes set. One on my management interface (correctly), and one incorrectly applied on my private network for span port traffic.

IP Route Configurations

The following code is detecting this first line as the default route, when in fact, that record is errant. Naturally, this record doesn’t reflect the gateway of my ens1 interface, and thus fails the check.

# /home/gateway-admin/SecurityOnion/setup/so-functions - line 2446
MAINIP=$(ip route get 1 | awk '{print $7;exit}')

By deleting this errant routing record, you are now able to re-run the so-setup script and it will complete successfully.

ip route delete default via dev eth0

Leave a Comment

Your email address will not be published. Required fields are marked *