OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: loden_richard on September 21, 2016, 03:09:47 pm

Title: Netflow to external server via IPsec
Post by: loden_richard on September 21, 2016, 03:09:47 pm
Hi folks,

I have a problem with my current setup. I have a netflow collector installed within my network and want to send my netflow octets to this collector. Unfortunately my collector is only reachable via IPsec, so if I set the netflow configuration up to send the packets to this collector, I don't see the packets on the other side of the tunnel. My OPNsense host is also the connection endpoint of the IPsec tunnel.
Does someone know how to solve this issue?

Thanks Loden_Richard
Title: Re: Netflow to external server via IPsec
Post by: franco on September 21, 2016, 05:54:27 pm
Hi Loden_Richard,

This is very likely caused by FreeBSD's behaviour of not routing traffic through IPsec not part of the security policy database. This also happens with "0.0.0.0" type server source addresses.

"-S Your.Local.IPsec.IP" before "-s 127.0.0.1" here https://github.com/opnsense/core/blob/master/src/etc/rc.d/netflow#L113

The file is under /usr/local/etc/rc.d/netflow on your OPNsense box.

Then simply restart netflow:

# service netflow restart

This is only to confirm the suspicion / get you started, but it won't survive a firmware update.


Cheers,
Franco
Title: Re: Netflow to external server via IPsec
Post by: loden_richard on September 22, 2016, 11:36:25 am
Hi Franco,

thanks for your reply. I tried to change this setting, but as mentioned on the tool's usage page, the '-S' flag is not going to work with an IP address.
I tried the following on my own. I recognized that the target address for the netflows was not pingable, so I added a route to this IP through the gateway interface of the OPNsense; then I was able to ping the target. But the flows were missing anyway. Is there a source of information about the routing behavior where I can read about how BSD routes traffic from the interfaces?

Thanks Loden_Richard
Title: Re: Netflow to external server via IPsec
Post by: franco on September 22, 2016, 05:25:18 pm
Hi,

Sorry, you are right. I misread the page. I suspect the -s is what you are looking for, but then you'll have to adjust /usr/local/etc/netflow.conf to set netflow_int_destination to the same destination.

I wonder why 127.0.0.1 is hardcoded in the rc script when it has a proper config option. Maybe we can fix that...

And some routing links for general reading pleasure:

https://www.freebsd.org/doc/handbook/network-routing.html
https://forums.freebsd.org/threads/40671/#post-226838


Cheers,
Franco

PS: Question ticket here https://github.com/opnsense/core/issues/1198
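Franco's point in both replies above is that FreeBSD IPsec is policy-based: a locally generated packet is only encapsulated if its source address, destination address, protocol and port match an entry in the security policy database (SPD), which is why an export sourced from the WAN address or from 0.0.0.0 never enters the tunnel even when a route to the collector exists. The following is an added example, not code from the thread or from OPNsense: it parses SPD policies in the layout that `setkey -DP` prints (the sample below is constructed, and the exact line layout is an assumption) and reports which candidate source address for the exporter would actually be covered by an outbound `ipsec` policy to the collector. The addresses, the policy set and the helper names (`parse_spd`, `find_policy`, `pick_export_source`) are all hypothetical.

```python
"""Check which exporter source address is covered by a FreeBSD IPsec policy.

Added example: feed it the output of `setkey -DP` from the firewall and the
collector's address; the returned source is the one that makes the export
match an outbound 'ipsec' policy instead of leaving in the clear.
"""
import ipaddress
import re

# Constructed sample in the style of `setkey -DP` output (assumed layout:
# a selector line "src[port] dst[port] proto", then indented lines with the
# direction/action and the SA template). Not captured from any real box.
SAMPLE_SPD = """\
10.10.0.0/16[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/unique:1
\tspid=1 seq=1 pid=1000
\trefcnt=1
192.168.1.0/24[any] 10.10.0.0/16[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:2
\tspid=2 seq=0 pid=1000
\trefcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")


def parse_spd(text):
    """Return a list of policy dicts parsed from setkey -DP style text."""
    policies = []
    current = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            # Unindented line: a new selector "src[port] dst[port] proto".
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                current = None
                continue
            src, sport, dst, dport, proto = m.groups()
            current = {
                "src": ipaddress.ip_network(src, strict=False),
                "sport": sport,
                "dst": ipaddress.ip_network(dst, strict=False),
                "dport": dport,
                "proto": proto,
                "dir": None,
                "action": None,
            }
            policies.append(current)
        elif current is not None and current["dir"] is None:
            # First indented line carries "<in|out|fwd> <ipsec|discard|none>".
            parts = raw.split()
            if len(parts) >= 2 and parts[0] in ("in", "out", "fwd"):
                current["dir"], current["action"] = parts[0], parts[1]
    return policies


def find_policy(policies, src, dst, direction="out", proto="any", dport="any"):
    """First policy whose selectors cover the flow, or None.

    No matching policy means the kernel does not touch the packet: it is
    sent according to the routing table, outside the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] != direction:
            continue
        if s not in p["src"] or d not in p["dst"]:
            continue
        if p["proto"] != "any" and p["proto"] != proto:
            continue
        if p["dport"] != "any" and p["dport"] != str(dport):
            continue
        return p
    return None


def pick_export_source(policies, collector, candidates):
    """Return the first candidate source address that hits an outbound
    'ipsec' policy towards the collector, or None if none does."""
    for cand in candidates:
        p = find_policy(policies, cand, collector, "out")
        if p is not None and p["action"] == "ipsec":
            return cand
    return None


if __name__ == "__main__":
    spd = parse_spd(SAMPLE_SPD)
    collector = "10.10.5.20"  # hypothetical collector behind the tunnel
    for cand in ("0.0.0.0", "203.0.113.1", "192.168.1.1"):
        hit = find_policy(spd, cand, collector)
        print(cand, "->", "ipsec" if hit and hit["action"] == "ipsec" else "clear")
    print("use source:", pick_export_source(spd, collector,
                                            ["0.0.0.0", "203.0.113.1", "192.168.1.1"]))
```

On a real firewall the input comes from `setkey -DP` and the candidates are the firewall's own interface addresses; the address this returns is the one to give the exporter as its source (the `-s` option Franco mentions), together with a matching `netflow_int_destination`. A route to the collector, as the second post found, is necessary for the packet to leave at all but does not by itself make it match a policy.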