How to troubleshoot Netflow?

Started by bobm, September 14, 2020, 02:53:49 PM

Hi, I have netflow export set up to an external IP, 192.168.1.9:2055, but I do not see any traffic in the firewall alerts going to the destination port or IP (blocked or allowed).

What's the best way to confirm that traffic is flowing or confirm that netflow is working?

tcpdump seems like a good start
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

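Added example, not from anyone in this thread: tcpdump only proves that UDP datagrams leave for 192.168.1.9:2055; a collector-side decoder shows whether the exporter is actually sending well-formed flow records. This is a minimal NetFlow v5 decoder plus a listener for port 2055; it assumes the exporter is configured for v5 (v9/IPFIX use a template-based layout), and the sample datagram is constructed inline so the decoder can be checked offline.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one exporter datagram; raise ValueError if it is not well-formed v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "bytes": f[6], "srcport": f[9],
                        "dstport": f[10], "proto": f[13]})
    return {"version": version, "count": count, "flow_sequence": flow_seq,
            "unix_secs": unix_secs, "records": records}

def build_sample_v5() -> bytes:
    """Constructed test datagram (not a real capture): one UDP flow to 192.168.1.9:2055."""
    header = V5_HEADER.pack(5, 1, 123456, 1600000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(socket.inet_aton("192.168.1.1"), socket.inet_aton("192.168.1.9"),
                            socket.inet_aton("0.0.0.0"), 1, 2, 10, 1500, 100000, 123000,
                            40000, 2055, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + record

def listen(port: int = 2055, max_datagrams: int = 1) -> None:
    """Bind on the collector port and validate what the exporter really sends."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_datagrams):
            data, peer = s.recvfrom(65535)
            try:
                print(peer, parse_netflow_v5(data))
            except ValueError as e:
                print(peer, "rejected:", e)

if __name__ == "__main__":
    print(parse_netflow_v5(build_sample_v5()))   # offline self-check on the sample
```

Run `listen()` on the collector host (with the real collector stopped so the port is free) to see each datagram decoded or rejected with the reason.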

tcpdump shows UDP packets sent to the flow collector. 

It concerns me that the firewall shows no traffic.  What can I enable so the firewall logs all of the connections?

try to enable logging on "let out anything from firewall host itself" rule

That's what baffles me - all rules that are listed in the GUI, autogenerated and manual, are logging (except IPv6, as I have IPv6 blocked and turned off).  The firewall's live view has no record of traffic going to my netflow collector IP.

However, connection does show up under Firewall: Diagnostics: States Dump

September 15, 2020, 06:46:36 AM #5 Last Edit: September 15, 2020, 07:23:50 AM by Fright
take into account the fact that pf logs only the first packet that establishes the state. you will not see all the packets (or you need to set the log (all) parameter in the rule. or you need to disable states on rule) - only the first request from the opnsense host to 192.168.1.9:2055 will be in log.
so you need to restart netflow to see the first packet from opnsense to 192.168.1.9:2055

September 17, 2020, 04:51:43 AM #6 Last Edit: September 17, 2020, 04:56:46 AM by bobm
Thanks for the tips.  I could not find pf.conf, nor could I find information on the UDP state timeout value in opnsense in the docs.

Only found this feature request to make it adjustable: https://github.com/opnsense/core/issues/1330

In the meantime, I re-entered all netflow info, rebooted and now Elastiflow's logstash is receiving the traffic.

Firewall live view continues to see no traffic going to port 2055 - except localhost:2055, which is interesting since insight is turned off...

> I could not find pf.conf

in your link @AdSchellevis already answered where the actual pf.conf lives and how to reload it )
https://github.com/opnsense/core/issues/1330#issuecomment-271151539
> information on UDP state timeout value in opnsense in the docs

i don't think that this is adjustable
but you can try to add a floating fw-rule specifically for your needs (lan interface, out dir, to udp 192.168.1.9:2055) and set states to "none" for this rule

may I ask why you want to see each outgoing packet?

Thanks.  Debug sounds like a non-production setting which I will try to avoid for now.  My concern is mostly about unknown unknowns - if I cannot see/detect this UDP stream, what else am I missing?

Internet apps are becoming more and more like malware, trying to bypass LAN for better user experience or to send telemetry to get a leg up on the competition.  I, on the other hand, want to know what is going on within my LAN  :D


> want to know what is going on within my LAN

nothing better than sniffing on SPAN  ;)