Netgate Discussion Forum

    Transparent firewall, to capture Netflow data.

    Routing and Multi WAN
    5 Posts 2 Posters 5.2k Views
    kapara

      I have a PIX 515E at a customer site and need to track data flow through it. I am unable to use NetFlow with it and was thinking of using pfSense as a transparent firewall/bridge (I understand how to set that up. Read doc.) between my network and the PIX. I would then use pflowd to push the flow data to a PC. Unsure of how this might work. Would using pfSense as a router instead of a transparent firewall be better, since traffic needs to go back out the LAN interface, or should I use an OPT1 interface to somehow pass that data?

      PIX Private (192.168.101.1) -- (192.168.101.2) Gateway (192.168.101.1) int WAN [pfSense] int LAN (192.168.101.3)

      Thanks

      Skype ID:  Marinhd


      kapara

        Got it working. Traffic is flowing, but flow data going to an IP 10.20.30.60 does not seem accurate. Wondering if it would be better to put in a NIC (OPT1), assign it a different subnet 10.20.40.0/24 and connect a PC on it with a NetFlow collector.

        Netflow collector shows traffic coming from LAN interface even though bridged with WAN.


        kapara

          Some really weird statistics from pftop. This is realtime downloading a 1.5 GB file where Windows is saying I am pulling down at about 473 KB/sec, but pftop is showing different numbers. The NetFlow data also looks completely out of whack.

          473KB/Sec = 3.8748

          tcp   In  10.20.30.60:1307      65.54.120.190:80        989K 1522K  982K 2063M  4:4  2089K  2150 86400 46
          tcp   Out 10.20.30.60:1307      65.54.120.190:80        989K 1522K  982K 2063M  4:4  2089K  2150 86400 37

          Maybe I do not understand what it means by 989K. Is NetFlow adding the in and out? It makes sense, since if you cut that number in half it is my actual rate. I have to test, but if ntop is attached to the LAN, I get high numbers. If attached to WAN, it is accurate. Anyone know how pflowd is associated with which interface?

          My DSL line is 6Mb/756Kb

          RRD graphs show correct.

          Traffic graphs are accurate. No throughput showing for either WAN or LAN. Maybe as a router this would work. A bummer, because it would be great to be able to take a little box to a customer site and throw it in between the network and the firewall to do analysis.

          pfSense firewall and pfSense bridge RRD graphs are the same. ntop looks accurate, but I would prefer to use NetFlow to a collector for reporting and historical analysis.


          kapara
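An added collector-side check, not from anyone in this thread: it parses NetFlow v5 datagrams and flags any 5-tuple that arrives tagged with more than one input interface, which is what a bridge exporting the same state on both member interfaces would produce, and reports the flow's bytes counted once instead of summed. The datagram, ifindex numbers (1 = WAN, 2 = LAN) and byte counts are constructed for the example.

```python
"""Spot a flow exported once per bridge member in NetFlow v5 and count it once."""
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record

def parse_v5(datagram):
    """Yield (src, dst, sport, dport, proto, input_if, octets) for each record."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    off = V5_HEADER.size
    for _ in range(count):
        f = V5_RECORD.unpack_from(datagram, off)
        off += V5_RECORD.size
        # f[3] = input ifindex, f[6] = dOctets, f[9]/f[10] = ports, f[13] = protocol
        yield (inet_ntoa(f[0]), inet_ntoa(f[1]), f[9], f[10], f[13], f[3], f[6])

def summarize(datagram):
    """Return {5-tuple: {input_if: octets}} so per-interface duplicates are visible."""
    seen = defaultdict(lambda: defaultdict(int))
    for src, dst, sport, dport, proto, inp, octets in parse_v5(datagram):
        seen[(src, dst, sport, dport, proto)][inp] += octets
    return seen

def duplicated_flows(datagram):
    """5-tuples reported on more than one input interface (likely bridge double count)."""
    return [k for k, v in summarize(datagram).items() if len(v) > 1]

def deduped_octets(datagram):
    """Count each flow once: largest per-interface figure instead of the sum."""
    return {k: max(v.values()) for k, v in summarize(datagram).items()}

def build_record(src, dst, inp, out, octets, sport, dport, proto=6):
    """Pack one constructed v5 record (700 packets, ACK|PSH flags, /24 masks)."""
    return V5_RECORD.pack(inet_aton(src), inet_aton(dst), b"\0" * 4, inp, out, 700,
                          octets, 0, 1000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: one HTTP download seen on both bridge members (WAN=1, LAN=2).
SAMPLE = (V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1, 0, 0, 0)
          + build_record("65.54.120.190", "10.20.30.60", 1, 2, 989_000, 80, 1307)
          + build_record("65.54.120.190", "10.20.30.60", 2, 1, 989_000, 80, 1307))

if __name__ == "__main__":
    for flow in duplicated_flows(SAMPLE):
        print("exported on both interfaces:", flow, "->", deduped_octets(SAMPLE)[flow], "octets")
```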

            Here are 2 shots of pftop. Traffic graphs WAN out are off by 10 Kbps. Bridge shows 10 Kbps more than the WAN interface of the firewall.

            Attachments: bridge.PNG, Firewall.PNG


            cmb

              I suggest using 1.2.1 for all bridging, 1.2 had some bridging related bugs that could cause strange behavior with what you're trying to do.
