Thanks again, I solved it finally. Here is the correct diagram. My problem was there was no route specified for the return path to the port mirror. Even though no packets will ever get received by the mirror, my "promiscuous router" would not forward pings from the mirror port without knowing how to send them back, I guess. I ended up using the ebtables broute table and its BROUTING chain to "redirect" the MAC addresses of incoming packets to the physical device on my machine. Interesting lesson.
Code:
                        SWITCH
                  +---------------+
                  |               |
SOURCE <--------->|<-----+------->|<------------> RCV
                  |      |        |
                  +---------------+
                         | Mirrored port ("tap")
                         |   (output only)
                         |
                         |     +------------+
                         +<--->|   ROUTER   |<-------------> MONITOR
                         eth0  +------------+
Here's how to rewrite the incoming MAC addresses to match eth0. eth0 has to be bound to a bridge device even if the bridge has no other devices. This allows ebtables to hook into it.
ifconfig eth0 X.X.X.X
brctl addbr br0
brctl addif br0 eth0
ip link set br0 up      # or: ifconfig br0 up
ebtables -t broute -A BROUTING -i eth0 -j redirect --redirect-target DROP
ip route add y.y.y.y dev eth0   # repeat for every expected incoming address/subnet
The missing step for me was the last one.
The second-to-last command "broutes" all packets to the IP stack after first modifying the incoming MAC addresses to eth0's, so we can accept them.
Interestingly, eth0 doesn't even have to be explicitly in PROMISC mode; the redirection seems to take care of it. I find this odd, since I'd expect the NIC (programmed in non-promisc mode) would drop packets not bound for me in this case before the redirect rule can take effect.
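As an added example that is not part of the original post, here is the same setup as a parameterised POSIX shell function, using the iproute2 equivalents of the brctl commands and emitting one route per expected source subnet (the step that was missing). The interface, bridge and address values are constructed placeholders, and DRY_RUN=1 (the default) prints the commands instead of executing them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the original poster's script): build the ebtables/iproute2
# commands for a receive-only mirror port, one "ip route" per expected source
# subnet. Assumed names: interface eth0, bridge br0, local address 192.0.2.10/24
# (constructed documentation values). DRY_RUN=1 prints instead of executing.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mirror_setup IFACE BRIDGE LOCAL_ADDR SUBNET...
mirror_setup() {
    iface=$1; bridge=$2; addr=$3; shift 3
    [ $# -gt 0 ] || { echo "need at least one source subnet" >&2; return 1; }
    run ip addr add "$addr" dev "$iface"
    run ip link set "$iface" up
    # eth0 must belong to a bridge (even an otherwise empty one) so that the
    # ebtables broute hook sees its frames.
    run ip link add "$bridge" type bridge
    run ip link set "$iface" master "$bridge"
    run ip link set "$bridge" up
    # Rewrite the destination MAC of every frame arriving on the tap to the
    # local MAC (-j redirect) and hand it to the IP stack: in the broute table
    # DROP means "do not bridge", i.e. deliver locally.
    run ebtables -t broute -A BROUTING -i "$iface" -j redirect --redirect-target DROP
    # The missing step: the kernel needs a route back toward every source it
    # will see, otherwise it discards the packets even though nothing is ever
    # sent out of the tap.
    for subnet in "$@"; do
        run ip route add "$subnet" dev "$iface"
    done
}
```

Run as `DRY_RUN=0 . ./mirror.sh && mirror_setup eth0 br0 192.0.2.10/24 10.0.0.0/8` (as root) to apply it for real.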