Monitor traffic to specific IP on TNSR
I'm looking into whether there is any way to extract traffic logs on TNSR.
In this specific case I need to monitor traffic to a specific IP, to harden which IPs are allowed to communicate with this old and potentially vulnerable device.
The best I've found so far is to use IPFIX, which will give me the flows, and I might be able to track source/destination IPs. The problem is that my monitoring tool, PRTG, gives me top talkers 15 minutes at a time, so generating a report over some weeks is manual labor.
I could also use a SPAN port and attach some tapping device with tcpdump or Wireshark for data collection. This feels like something that should not be needed in 2023, so I'm asking here before I execute that idea :)
Normally I would log the ACL to get this information, but I haven't found that this is possible in TNSR.
I think capturing traffic and then analyzing it with Wireshark might be your best bet here, sadly.
But I am guessing a bit; I don't have much experience with TNSR (still working on trying to get it running in my lab, but it doesn't seem to run well on XCP-ng/XenServer).
Is there a reason TNSR is in use and not pfSense? I know that's far from a solution to your ask, lol, but if you don't need insane bandwidth throughput I'd consider just going with pfSense, as it's far more capable for things like this.
You are right that using a router to do firewalling is not the normal approach :)
In this specific case we had a migration where multiple networks were present within the same VLAN.
Earlier attempts to split each network into its own VLAN had failed without us finding the reason. Moving to TNSR was the closest thing to the original setup we could find.
Moving it behind a proper firewall will be a later step in the process, but I also have to support the TNSR in the meantime.
@Qwireca Totally makes sense to me!
Like I said I haven't used TNSR that much at this point, so the main thing coming to mind is the packet capture and then Wireshark idea, certainly not ideal though. I'll dig through the docs some to see if I come up with anything else and maybe try to get it running in my lab again to see if I can find an easier way to do this.
I have tried some in my lab, and it might be the best way.
IPFIX almost works, except it does not send the source and destination ports in the template, making the monitoring somewhat lacking.
The problem with the Wireshark idea is that I need to monitor for at least a week.
Probably not a big problem with the correct filter, but still somewhat of a workaround.
@Qwireca A week's worth of traffic might be a pretty insane file size. I'd be worried Wireshark might crash with that much info, lol. I've had 100,000-line pcaps and it'll open them, but it takes a bit longer than normal. You could easily be looking at millions of packets, though.
@planedrop If you are looking to do this over a long period, I would rather use pmacctd (http://www.pmacct.net/) to collect stats.
It has worked very well for me in the past.
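As an added example that is not part of this thread and is not code from pmacct or TNSR: once a collector such as pmacctd has been writing flow records to disk for a few weeks, the remaining work is to fold all of those export files into one "who talks to host X" list. The script below does that with the standard library only. It assumes CSV exports with a header row, using the column names pmacct's print plugin writes for `print_output: csv` and `aggregate: src_host, dst_host, src_port, dst_port, proto` (an assumption; the `COLUMNS` table accepts a few spellings so other exports can be fed in), it tolerates port-less records like the IPFIX template discussed above, and it skips malformed lines instead of aborting a multi-week run. The sample exports and addresses are constructed, not real data.

```python
"""Summarise flow exports into "which sources talk to TARGET" over many files.
Added example, not from the thread or from pmacct/TNSR."""
import csv
import glob
import io
import ipaddress
import os
import sys
from collections import defaultdict
from dataclasses import dataclass, field

# Header names are an assumption based on pmacct's print plugin CSV output
# (aggregate: src_host, dst_host, src_port, dst_port, proto); adjust to your export.
COLUMNS = {
    "src": ("SRC_IP", "src_ip", "src_host"),
    "dst": ("DST_IP", "dst_ip", "dst_host"),
    "dport": ("DST_PORT", "dst_port"),
    "proto": ("PROTOCOL", "proto"),
    "packets": ("PACKETS", "packets"),
    "bytes": ("BYTES", "bytes"),
}


@dataclass
class Talker:
    flows: int = 0
    packets: int = 0
    bytes: int = 0
    services: set = field(default_factory=set)  # (proto, dport); dport is None when the export has no ports
    first_seen: str = ""                         # label of the first export this source appeared in
    last_seen: str = ""


def _pick(row, names):
    """Return the first present, non-empty column among the candidate names."""
    for name in names:
        value = row.get(name)
        if value not in (None, ""):
            return value
    return None


def aggregate(target, exports):
    """exports: iterable of (label, csv_text). Returns {source_ip: Talker}
    for every source that sent at least one flow to `target`."""
    target = ipaddress.ip_address(target)
    talkers = defaultdict(Talker)
    for label, text in exports:
        for row in csv.DictReader(io.StringIO(text)):
            try:
                dst = ipaddress.ip_address(_pick(row, COLUMNS["dst"]))
                src = ipaddress.ip_address(_pick(row, COLUMNS["src"]))
            except (ValueError, TypeError):
                continue  # malformed line: skip it, do not lose the whole run
            if dst != target:
                continue
            t = talkers[str(src)]
            t.flows += 1
            t.packets += int(_pick(row, COLUMNS["packets"]) or 0)
            t.bytes += int(_pick(row, COLUMNS["bytes"]) or 0)
            proto = _pick(row, COLUMNS["proto"])
            if proto is not None:
                t.services.add((proto.lower(), _pick(row, COLUMNS["dport"])))
            t.first_seen = t.first_seen or label
            t.last_seen = label
    return dict(talkers)


def allow_list(talkers, min_flows=2):
    """Split sources into allow-list candidates and low-volume ones needing a
    human look: a single flow over weeks may be a scan, not a dependency."""
    keep = sorted((ip for ip, t in talkers.items() if t.flows >= min_flows), key=ipaddress.ip_address)
    review = sorted((ip for ip, t in talkers.items() if t.flows < min_flows), key=ipaddress.ip_address)
    return keep, review


def report(target, talkers):
    lines = [f"sources seen talking to {target}:"]
    for ip in sorted(talkers, key=ipaddress.ip_address):
        t = talkers[ip]
        svc = ", ".join(f"{p}/{d or '?'}" for p, d in sorted(t.services, key=str)) or "?"
        lines.append(f"  {ip:<15} flows={t.flows:<4} pkts={t.packets:<7} bytes={t.bytes:<9} "
                     f"{t.first_seen}..{t.last_seen} [{svc}]")
    return "\n".join(lines)


def load_exports(pattern):
    """Yield (label, text) for every file matching the glob; label = file name."""
    for path in sorted(glob.glob(pattern)):
        with open(path, newline="") as fh:
            yield os.path.basename(path), fh.read()


# Constructed sample exports (not real data): day one carries ports, day two is
# port-less like the IPFIX template in the thread, and ends with a malformed line.
SAMPLE_EXPORTS = [
    ("2023-10-01.csv",
     "SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES\n"
     "10.10.1.20,192.0.2.10,51234,443,tcp,120,84000\n"
     "10.10.1.21,192.0.2.10,51300,22,tcp,15,2100\n"
     "10.10.1.20,192.0.2.10,51235,443,tcp,80,56000\n"
     "10.10.1.20,10.10.1.99,51236,80,tcp,10,800\n"),
    ("2023-10-02.csv",
     "SRC_IP,DST_IP,PROTOCOL,PACKETS,BYTES\n"
     "10.10.1.20,192.0.2.10,tcp,200,140000\n"
     "10.10.5.7,192.0.2.10,icmp,4,336\n"
     "garbage,line\n"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py TARGET_IP 'exports/*.csv'
        target, exports = sys.argv[1], load_exports(sys.argv[2])
    else:
        target, exports = "192.0.2.10", SAMPLE_EXPORTS
    talkers = aggregate(target, exports)
    print(report(target, talkers))
    keep, review = allow_list(talkers)
    print("allow-list candidates:", keep)
    print("review before allowing:", review)
```

Run it against a directory of daily exports with `python3 flows.py 192.0.2.10 'exports/*.csv'`; with no arguments it runs on the constructed sample. The `min_flows` threshold is the practitioner's knob: sources seen once in several weeks go into the review bucket rather than straight into an allow-list, so an opportunistic scanner does not earn a permit rule just by having been logged.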
@Qwireca FYI, TNSR 23.11 release will have a bunch of IPFIX bug fixes.