
Author Topic: Netflow to external server via IPsec  (Read 2197 times)

loden_richard

Netflow to external server via IPsec
« on: September 21, 2016, 03:09:47 pm »
Hi folks,

I have a problem with my current setup. I have a netflow collector installed within my network and want to send my netflow octets to this collector. Unfortunately my collector is only reachable via IPsec, so if I set the netflow configuration up to send the packets to this collector I don't see the packages on the other side of the tunnel. My opnsense host is also the connection's endpoint of the IPsec tunnel.
Does someone know how to solve this issue?

Thanks Loden_Richard

franco

Re: Netflow to external server via IPsec
« Reply #1 on: September 21, 2016, 05:54:27 pm »
Hi Loden_Richard,

This is very likely caused by FreeBSD's behaviour of not routing traffic through IPsec not part of the security policy database. This also happens with "0.0.0.0" type server source addresses.

"-S Your.Local.IPsec.IP" before "-s 127.0.0.1" here https://github.com/opnsense/core/blob/master/src/etc/rc.d/netflow#L113

The file is under /usr/local/etc/rc.d/netflow on your OPNsense box.

Then simply restart netflow:

# service netflow restart

This is only to confirm the suspicion / get you started, but it won't survive a firmware update.


Cheers,
Franco

loden_richard

Re: Netflow to external server via IPsec
« Reply #2 on: September 22, 2016, 11:36:25 am »
Hi Franco,

Thanks for your reply. I tried to change this setting, but as mentioned on the tool's usage page, the '-S' flag is not going to work with an IP address.
I tried the following on my own. I recognized that the target address for the netflows was not pingable, so I added a route to this IP through the gateway interface of the opnsense, then I was able to ping the target. But the flows were missing anyways. Is there a source of information about the routing behavior where I can read about how BSD routes traffic from the interfaces?

Thanks Loden_Richard

franco

Re: Netflow to external server via IPsec
« Reply #3 on: September 22, 2016, 05:25:18 pm »
Hi,

Sorry, you are right. I misread the page. I suspect the -s is what you are looking for, but then you'll have to adjust /usr/local/etc/netflow.conf to set netflow_int_destination to the same destination.

I wonder why 127.0.0.1 is hardcoded in the rc script when it has a proper config option. Maybe we can fix that...

And some routing links for general reading pleasure:

https://www.freebsd.org/doc/handbook/network-routing.html
https://forums.freebsd.org/threads/40671/#post-226838


Cheers,
Franco

PS: Question ticket here https://github.com/opnsense/core/issues/1198
« Last Edit: September 22, 2016, 05:36:44 pm by franco »
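A small POSIX shell check, added here as an example and not code from the thread or from OPNsense, of the rule Franco describes above: an exporter's packets only enter the tunnel when their source and destination both fall inside the Phase 2 networks that the IPsec security policy covers. The LAN 192.168.1.0/24, the remote net 10.20.0.0/24 and the collector 10.20.0.5 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not OPNsense code): model the IPsec policy match that decides
# whether exported NetFlow packets take the tunnel. Subnets below are constructed.

# Convert a dotted-quad IPv4 address (no leading zeros) to an integer.
ip2int() {
    ip2int_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip2int_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed when ADDR lies inside NET/PREFIX.
in_cidr() {
    in_addr=$(ip2int "$1")
    in_net=$(ip2int "${2%/*}")
    in_prefix=${2#*/}
    in_mask=$(( (1 << 32) - (1 << (32 - in_prefix)) ))
    [ $(( in_addr & in_mask )) -eq $(( in_net & in_mask )) ]
}

# spd_match SRC DST LOCALNET REMOTENET: a packet SRC->DST matches the Phase 2
# policy only if SRC is in LOCALNET and DST is in REMOTENET. Prints the verdict
# and returns 0 (tunnelled) or 1 (not covered by the SPD, so never enters IPsec).
spd_match() {
    if ! in_cidr "$1" "$3"; then
        echo "no match: source $1 is outside local policy net $3, flows bypass the tunnel"
        return 1
    fi
    if ! in_cidr "$2" "$4"; then
        echo "no match: collector $2 is outside remote policy net $4"
        return 1
    fi
    echo "match: $1 -> $2 is covered by $3 <-> $4, flows use the tunnel"
    return 0
}

# Constructed scenario: LAN 192.168.1.0/24 behind OPNsense, collector 10.20.0.5
# on the far side. The rc script's hardcoded 127.0.0.1 source does not match;
# a LAN address passed via -s does.
demo() {
    spd_match 127.0.0.1   10.20.0.5 192.168.1.0/24 10.20.0.0/24 || true  # expected: no match
    spd_match 192.168.1.1 10.20.0.5 192.168.1.0/24 10.20.0.0/24          # expected: match
}
demo
```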
