Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
Netflow to external server via IPsec
« previous
next »
Print
Pages: [
1
]
Author
Topic: Netflow to external server via IPsec (Read 6618 times)
loden_richard
Newbie
Posts: 27
Karma: 2
Netflow to external server via IPsec
«
on:
September 21, 2016, 03:09:47 pm »
Hi folks,
I have a problem with my current setup. I have a netflow collector installed within my network and want to send my netflow octets to this collector. Unfortunately my collector is only reachable via IPsec, so if I set the netflow configuration up to send the packets to this collector I don't see the packages on the other side of the tunnel. My opnsense host is also the connections endpoint of the IPsec tunnel.
Does someone know how to solve this issue?
Thanks Loden_Richard
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Netflow to external server via IPsec
«
Reply #1 on:
September 21, 2016, 05:54:27 pm »
Hi Loden_Richard,
This is very likely caused by FreeBSD's behaviour of not routing traffic through IPsec not part of the security policy database. This also happens with "0.0.0.0" type server source addresses.
"-S Your.Local.IPsec.IP" before "-s 127.0.0.1" here
https://github.com/opnsense/core/blob/master/src/etc/rc.d/netflow#L113
The file is under /usr/local/etc/rc.d/netflow on your OPNsense box.
Then simply restart netflow:
# service netflow restart
This is only to confirm the suspicion / get you started, but it won't survive a firmware update.
Cheers,
Franco
Logged
loden_richard
Newbie
Posts: 27
Karma: 2
Re: Netflow to external server via IPsec
«
Reply #2 on:
September 22, 2016, 11:36:25 am »
Hi Franco,
thanks for your reply. I tried to change this setting, but as mentioned within the tools usage page, the '-S' flag is not going to work with an IP-address.
I tried the following on my own. I recognized, that the target address for the netflows was not pingable so I added a route to this IP through the gateway interface of the opnsense, then I was able to ping the target. But the flows were missing anyways. Is there a source of information about the routing behavior were I can read about how BSD routes traffic from the interfaces?
Thanks Loden_Richard
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Netflow to external server via IPsec
«
Reply #3 on:
September 22, 2016, 05:25:18 pm »
Hi,
Sorry, you are right. I misread the page. I suspect the -s is what you are looking for, but then you'll have to adjust /usr/local/etc/netflow.conf to set netflow_int_destination to the same destination.
I wonder why 127.0.0.1 is hardcoded in the rc script when it has a proper config option. Maybe we can fix that...
And some routing links for general reading pleasure:
https://www.freebsd.org/doc/handbook/network-routing.html
https://forums.freebsd.org/threads/40671/#post-226838
Cheers,
Franco
PS: Question ticket here
https://github.com/opnsense/core/issues/1198
«
Last Edit: September 22, 2016, 05:36:44 pm by franco
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
Netflow to external server via IPsec