Pfflowd not exporting any flows
-
I am running pfSense 1.2.3-RELEASE. I installed the pfflowd package but I can not get it to export any flows. I have it configured like this:
Host: (IP address of Orion NPM + NTA server)
Port: 2055
pf rule direction restriction: any
Netflow version: 5I have Orion NTA set to receive flows from bge0 and bge1, but it never receives any netflow packets. Is there something special I have to do to make pfSense pfflowd work with Orion NTA? Whenever I go to Status -> Services section of pfSense, it has a green play icon next to pfflowd and say that it is running.
Can anyone help me with this?
-
Where is your Orion host located on your network? On the LAN side of pfSense or somewhere else? This may simply be a rules problem. Can you draw a picture of your network?
-
Orion is on the LAN side of the pfSense server. They are both on the same subnet. In the pfSense LAN firewall rules, it is a simply "allow all" or "any <-> any".
-
Which OS is installed on your Orion host (Windows, Linux, etc). At this point, I would get a network trace from the Orion host to see if you are getting any traffic from your pfSense box. On windows, install Wireshark and capture packets from your pfSense box. On Linux, get a terminal and run, "tcpdump -i <interface>".
This should show you if your Orion host can see any packets from your pfSense box.</interface>
-
Which OS is installed on your Orion host (Windows, Linux, etc). At this point, I would get a network trace from the Orion host to see if you are getting any traffic from your pfSense box. On windows, install Wireshark and capture packets from your pfSense box. On Linux, get a terminal and run, "tcpdump -i <interface>".
This should show you if your Orion host can see any packets from your pfSense box.</interface>
Well this doesn't make any sense at all. I can see Netflow v5 packets coming from my pfSense box, but it's acting like it isn't receiving anything.
-
Well this doesn't make any sense at all.
I assume you mean your results and not my reply? :)
Do you have a firewall configured on your Orion box that may be blocking the incoming data? Perhaps the Orion software needs to be configured to receive traffic explicitly from your pfSense box?
-
Well this doesn't make any sense at all.
I assume you mean your results and not my reply? :)
Do you have a firewall configured on your Orion box that may be blocking the incoming data? Perhaps the Orion software needs to be configured to receive traffic explicitly from your pfSense box?
It's a Windows Server 2003 R2 Standard Edition x32 box. There is no firewall running on it. I can see my pfSense box sending Netflow packets to it when I look in Wireshark, but Orion is acting like it isn't receiving anything from it. However, Orion is reading netflow packets from all my Cisco routers like a champ.
And yes, I was implying what I saw in Wireshark didn't make any sense to me, not your suggestion! Ops!
-
Ahh crap, I just found this on the Orion forums:
We ran into the same problem, we are getting netflow statistics from some non cisco gear on our network. In the netflow packet that gets sent out from the router to Orion it will contain a index value. This index value comes from the interface that the traffic was seen on.
For example: lets say the netflow packet looked something like this:
SrcAddr: someip
DstAddr:someip
InputInt: 5
outputint: 4
packets: 1
octests: 81
etc…On cisco devices the input int and output int are equal to the snmp interface index. I know that nprobe(a netflow colector program) will generate a pseudo random number for that input and output int. when Orion recives this it is looking for an interface index which it doesent, and cant really know about. The workaround that i have used is I create a custom interface with the index that is needed to collect the data.
Here is my list of known software that will have this issue:
nprobe
pfflowd -
wow, that sucks!
-
IDK if ur interested in using a different collector but I use Scrutinizer and it works just fine. I'm only using the free version too. It still shows me all the useful data i need to see for an unlimited number of devices.
http://www.plixer.com/products/netflow-sflow/scrutinizer-netflow-sflow.php