Hi, I have netflow export set up to an external IP, 192.168.1.9:2055, but I do not see any traffic in the firewall alerts going to that destination port or IP (blocked or allowed).
What's the best way to confirm that traffic is flowing or confirm that netflow is working?
tcpdump seems like a good start
tcpdump shows UDP packets sent to the flow collector.
It concerns me that the firewall shows no traffic. What can I enable so the firewall logs all of the connections?
try to enable logging on "let out anything from firewall host itself" rule
That's what baffles me - all rules that are listed in the GUI, autogenerated and manual, are logging (except IPv6, as I have IPv6 blocked and turned off). The firewall's live view has no record of traffic going to my netflow collector IP.
However, the connection does show up under Firewall: Diagnostics: States Dump.
Take into account the fact that pf logs only the first packet that establishes the state. You will not see all the packets (or you need to set the log (all) parameter in the rule, or you need to disable states on the rule) - only the first request from the OPNsense host to 192.168.1.9:2055 will be in the log.
So you need to restart netflow to see the first packet from OPNsense to 192.168.1.9:2055.
Thanks for the tips. I could not find pf.conf, nor could I find information on the UDP state timeout value in OPNsense in the docs.
Only found this feature request to make it adjustable: https://github.com/opnsense/core/issues/1330
In the meantime, I re-entered all netflow info, rebooted and now Elastiflow's logstash is receiving the traffic.
Firewall live view continues to see no traffic going to port 2055 - except localhost:2055, which is interesting since Insight is turned off...
Quote: I could not find pf.conf
In your link @AdSchellevis already answered where the actual pf.conf lives and how to reload it :)
https://github.com/opnsense/core/issues/1330#issuecomment-271151539
Quote: information on UDP state timeout value in opnsense in the docs
I don't think that this is adjustable.
But you can try to add a floating fw rule specifically for your needs (LAN interface, out direction, to udp 192.168.1.9:2055) and set states to "none" for this rule.
may I ask why you want to see each outgoing packet?
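To make the three logging behaviours discussed in this thread concrete, here is an added pf.conf-style fragment (not taken from the thread or from OPNsense's generated rules.debug). It assumes the LAN interface is em0 and uses OPNsense's `(self)` form for "from the firewall host itself"; only one of the three rules would normally be active at a time.

```pf
# 1) Default stateful rule, as the GUI generates it: "log" fires only on the
#    packet that creates the UDP state. Subsequent netflow datagrams ride the
#    existing state and never appear in the live view, although the state is
#    visible under Firewall: Diagnostics: States Dump.
pass out log quick on em0 inet proto udp from (self) to 192.168.1.9 port 2055 keep state

# 2) Same rule with "log (all)": every packet matching the state is logged,
#    not just the first. Expect a log line per exported flow datagram.
pass out log (all) quick on em0 inet proto udp from (self) to 192.168.1.9 port 2055 keep state

# 3) Stateless variant (the GUI's "state type: none" on a floating rule):
#    with no state to match, each datagram is evaluated, and logged, on its own.
pass out log quick on em0 inet proto udp from (self) to 192.168.1.9 port 2055 no state
```

Whichever variant is used, `tcpdump -ni em0 udp and dst host 192.168.1.9 and dst port 2055` on the firewall remains the ground truth that datagrams actually leave the box; the pf log only tells you which packets were evaluated against a logging rule.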
Thanks. Debug sounds like a non-production setting which I will try to avoid for now. My concern is mostly about unknown unknowns - if I cannot see/detect this UDP stream, what else am I missing?
Internet apps are becoming more and more like malware, trying to bypass LAN for better user experience or to send telemetry to get a leg up on the competition. I, on the other hand, want to know what is going on within my LAN :D
Quote: want to know what is going on within my LAN
nothing better than sniffing on SPAN ;)