MAC address change on unassigned parent interfaces

[OPNenthu]

Deselect it? ("Reporting: NetFlow" -> "Listening interfaces") What am I missing?

Does yours work differently than mine?  The parents are already deselected in Netflow but they still appear in the stats.  This is even after a fresh reboot.

EDIT: I didn't notice earlier, but the WLAN_* interfaces are not even listed in the available listening interfaces list (it only has the VLAN_* ones), but somehow they are all reflected in the pie chart.  I figured this one out (error on my part).

<tangent>

I'm currently re-doing my network and experimenting with breaking out my WLANs separately from the wired ones, on different links.  Not sure how it will work out (TBD). 

</tangent>

[Patrick M. Hausen]

I do not have the parent of my VLANs assigned and it does not appear in the Netflow data that OPNsense sends to ElastiFlow.

[pfry]

[...]
Heh. I use bridges, and as I recall netflow did not count member interfaces. Although now I'm not certain... Hm. Apparently it sorta works. What the heck, I'll gather some data and see if it makes any sense.

Replying to myself: Apparently VLAN bridge member interfaces gather (some) data, and plain interface bridge members do not (when selected). And one bridge and one unidentifiable (null or cut off identifier in the graph) interface that were not selected did appear in the graphs.

At any rate, netflow still doesn't do what I want. I'm holding out for real pf logging. I'm also waiting for a giant pile of money to fall into my lap.

[Patrick M. Hausen]

I have a single LACP bundle connected to my switch infrastructure and all interfaces but WAN as VLANs on to of that. WAN is a 1G port plugged into the DSL modem.

Netflow works perfectly as expected in that configuration.

It just took me a while to find ElastiFlow as a potential candidate, then find the time to install and configure. It was clear to me from the start that I do not want to log locally on the OPNsense device.

[OPNenthu]

That was my previous setup as well: LACP parent (lagg0) with VLANs and the parent was unassigned.

Now I'm not using the lagg IF but instead have 2 separate VLAN trunks on igc2 & igc3 respectively.  Just as before, as long as the parent(s) are unassigned in OPNsense then they do not get reflected in NetFlow stats.

However- once parents are assigned & enabled (such as to spoof the MACs at the parent level), then I'm noticing that those parent IFs automatically get counted in NetFlow.  This happens even though the parents are unselected for NetFlow collection in Reporting->Netflow.  It happens even if the parents are disabled (but still assigned).  The only way to not have the parents counted is to unassign them in Interfaces->Assignments.

Kind of strange and it doesn't align with @pfry's observation, where apparently he was able to stop collection for the assigned parents simply by deselcting them in Reporting->Netflow.

[OPNenthu]

It just took me a while to find ElastiFlow as a potential candidate, then find the time to install and configure. It was clear to me from the start that I do not want to log locally on the OPNsense device.

I may look into that when I get a NAS (hopefully a new, cheaper TrueNAS Mini is coming at some point- and with AVX instruction set needed by MongoDB).  Though tbh even with Netflow collected locally, my disk usage on OPNsense has remained at 1% (of 256GB) for a very long time now and doesn't seem to grow at all.  I think Netflow is cycling data and only keeping a limited time range.  The disk space is mostly wasted in OPNsense, unless there's a setting somewhere I haven't discovered yet to extend the retention period.

[Patrick M. Hausen]

[...] doesn't seem to grow at all.  I think Netflow is cycling data and only keeping a limited time range.

Correct, but the writing itself is bound to ruin your SSD ...

[OPNenthu]

About 20 years if the trend holds...

Code Select Expand

smartctl 7.5 2025-04-30 r5714 [FreeBSD 14.3-RELEASE-p1 amd64] (local build)
Copyright (C) 2002-25, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF SMART DATA SECTION ===
SMART/Health Information (NVMe Log 0x02, NSID 0xffffffff)
Critical Warning:                   0x00
Temperature:                        42 Celsius
Available Spare:                    100%
Available Spare Threshold:          10%
Percentage Used:                    3%
Data Units Read:                    320,117 [163 GB]
Data Units Written:                 9,553,141 [4.89 TB]
Host Read Commands:                 10,942,867
Host Write Commands:                134,320,113
Controller Busy Time:               977
Power Cycles:                       110
Power On Hours:                     6,224
Unsafe Shutdowns:                   28
Media and Data Integrity Errors:    0
Error Information Log Entries:      1,286
Warning  Comp. Temperature Time:    0
Critical Comp. Temperature Time:    0
Temperature Sensor 2:               52 Celsius

That SSD was newly installed in Nov. 2024, so even rounding up the consumption rate is probably <5% per annum.  This is probably where all the spare capacity helps.

I'm assuming the decay will continue on a linear trajectory but only time will tell.  Knowing my luck I'll have a failed disk by this time next year :)