OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: bobm on September 14, 2020, 02:53:49 pm

Title: How to troubleshoot Netflow?
Post by: bobm on September 14, 2020, 02:53:49 pm
Hi, I have netflow export set up to an external IP, 192.168.1.9:2055, but I do not see any traffic in the firewall alerts going to the destination port or IP (blocked or allowed).

What's the best way to confirm that traffic is flowing or confirm that netflow is working?
Title: Re: How to troubleshoot Netflow?
Post by: sorano on September 14, 2020, 03:36:24 pm
tcpdump seems like a good start
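As an added example (not code from the thread or from OPNsense), a minimal Python collector that binds on the port used in the thread (2055, with the collector address 192.168.1.9 taken from the first post) and decodes what arrives, so you can confirm the exporter is sending well-formed NetFlow rather than only seeing UDP packets in tcpdump. The sample datagram is constructed for the test; which NetFlow version OPNsense exports (5 or 9) is an assumption, so the parser accepts either.

```python
import socket
import struct

NETFLOW_PORT = 2055  # collector port used in the thread (192.168.1.9:2055)

def parse_netflow(packet: bytes):
    """Return (version, records) for one NetFlow datagram: v5 records are decoded into
    dicts; v9 only has its 20-byte header checked (data flowsets need templates)."""
    if len(packet) < 4:
        raise ValueError("datagram too short for a NetFlow header")
    version, count = struct.unpack("!HH", packet[:4])
    if version == 9:
        if len(packet) < 20:
            raise ValueError("v9 header truncated")
        return version, []
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) != 24 + 48 * count:  # 24-byte header + 48-byte records
        raise ValueError(f"v5 length mismatch: {len(packet)} bytes for {count} records")
    records = []
    for i in range(count):
        off = 24 + 48 * i
        src, dst, _nh, _in, _out, pkts, octs, _first, _last, sport, dport = struct.unpack(
            "!4s4s4sHHIIIIHH", packet[off:off + 36])
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "sport": sport, "dport": dport, "proto": packet[off + 38],
                        "packets": pkts, "octets": octs})  # proto byte follows pad1, tcp_flags
    return version, records

def build_v5_sample() -> bytes:
    """Constructed v5 datagram carrying one UDP flow (not a real capture)."""
    header = struct.pack("!HHIIIIBBH", 5, 1, 1000, 1600000000, 0, 1, 0, 0, 0)
    record = struct.pack("!4s4s4sHHIIIIHHBBBBHHBBH", socket.inet_aton("192.168.1.10"),
                         socket.inet_aton("192.168.1.9"), bytes(4), 1, 2, 3, 300, 0, 1000,
                         40000, 2055, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + record

def listen(port=NETFLOW_PORT, max_datagrams=5):
    """Bind like a collector would and decode what the exporter actually sends."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_datagrams):
            data, (exporter, _) = s.recvfrom(65535)
            ver, recs = parse_netflow(data)
            print(f"{exporter}: NetFlow v{ver}, {len(recs)} records")
            for r in recs:
                print(f"  {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']}")

if __name__ == "__main__":
    listen()
```

Run it on the collector host (stop the real collector first, since only one process can bind 2055) and restart the NetFlow exporter; decoded records mean the export path works end to end.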
Title: Re: How to troubleshoot Netflow?
Post by: bobm on September 14, 2020, 05:04:58 pm
tcpdump shows UDP packets sent to the flow collector. 

It concerns me that the firewall shows no traffic. What can I enable so the firewall logs all of the connections?
Title: Re: How to troubleshoot Netflow?
Post by: Fright on September 14, 2020, 05:22:39 pm
try to enable logging on "let out anything from firewall host itself" rule
Title: Re: How to troubleshoot Netflow?
Post by: bobm on September 14, 2020, 10:37:38 pm
That's what baffles me - all rules that are listed in the GUI, autogenerated and manual, are logging (except IPv6, as I have IPv6 blocked and turned off). The firewall's live view has no record of traffic going to my netflow collector IP.

However, connection does show up under Firewall: Diagnostics: States Dump
Title: Re: How to troubleshoot Netflow?
Post by: Fright on September 15, 2020, 06:46:36 am
Take into account the fact that pf logs only the first packet that establishes the state. You will not see all the packets (unless you set the "log (all)" parameter in the rule, or disable states on the rule) - only the first request from the OPNsense host to 192.168.1.9:2055 will be in the log.
So you need to restart netflow to see the first packet from OPNsense to 192.168.1.9:2055.
Title: Re: How to troubleshoot Netflow?
Post by: bobm on September 17, 2020, 04:51:43 am
Thanks for the tips. I could not find pf.conf, nor could I find information on the UDP state timeout value in OPNsense in the docs.

Only found this feature request to make it adjustable: https://github.com/opnsense/core/issues/1330

In the meantime, I re-entered all netflow info, rebooted and now Elastiflow's logstash is receiving the traffic.

Firewall live view continues to see no traffic going to port 2055 - except localhost:2055, which is interesting since Insight is turned off...
Title: Re: How to troubleshoot Netflow?
Post by: Fright on September 17, 2020, 07:47:54 am
Quote: "I could not find pf.conf"
In your link @AdSchellevis already answered where the actual pf.conf lives and how to reload it )
https://github.com/opnsense/core/issues/1330#issuecomment-271151539
Quote: "information on UDP state timeout value in opnsense in the docs"
I don't think that this is adjustable,
but you can try to add a floating fw-rule specifically for your needs (LAN interface, out direction, to udp 192.168.1.9:2055) and set states to "none" for this rule.

may I ask why you want to see each outgoing packet?
Title: Re: How to troubleshoot Netflow?
Post by: bobm on September 17, 2020, 03:27:48 pm
Thanks. Debug sounds like a non-production setting which I will try to avoid for now. My concern is mostly about unknown unknowns - if I cannot see/detect this UDP stream, what else am I missing?

Internet apps are becoming more and more like malware, trying to bypass the LAN for a better user experience or to send telemetry to get a leg up on the competition. I, on the other hand, want to know what is going on within my LAN :D

Title: Re: How to troubleshoot Netflow?
Post by: Fright on September 17, 2020, 03:35:18 pm
Quote: "want to know what is going on within my LAN"
Nothing better than sniffing on a SPAN ;)