3. Pfflowd report Netflow info with old IP Address

Pfflowd report Netflow info with old IP Address

  • T

    Hi all,

    I configured Ntop server as a netflow collector for 40+ pfsense. Pfflowd reports netflow traffic to Ntop server via openVPN connection. Everything work quite well. However, when the openVPN connection is reset and new IP Address is assigned. Pfflowd stop send flow packages back to Ntop. I used tcpdump to debug netflow traffic and found out an interesting problem: The netflow traffic source address still uses the old IP Address of OpenVPN interface instead of the new IP Address. I have to restart Pfflowd service on the pfsense to correct this error. For more information please see the output of commands that I used to debug below. Commands are run on pfsense that Pfflowd was installed.

    #ifconfig

    tun1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500
           inet6 fe80::230:18ff:fea6:6034%tun1 prefixlen 64 scopeid 0xd
           inet 10.10.12.98 –> 10.10.12.97 netmask 0xffffffff
           Opened by PID 435

    #tcpdump -i tun1 -vv udp dst port 2055

    08:17:28.127720 IP (tos 0x0, ttl 64, id 21429, offset 0, flags [none], proto UDP (17), length 100) 10.10.12.170.5450 > 172.21.0.239.2055: UDP, length 72
    08:17:28.128061 IP (tos 0x0, ttl 64, id 18429, offset 0, flags [none], proto UDP (17), length 100) 10.10.12.170.5450 > 172.21.0.239.2055: UDP, length 72
    08:17:28.128093 IP (tos 0x0, ttl 64, id 51635, offset 0, flags [none], proto UDP (17), length 100) 10.10.12.170.5450 > 172.21.0.239.2055: UDP, length 72

    #restart Pfflowd service using pfsene web UI
    #tcpdump -i tun1 -vv udp dst port 2055
    07:47:20.518556 IP (tos 0x0, ttl 64, id 5784, offset 0, flags [none], proto UDP (17), length 148) 10.10.12.98.22828 > 172.21.0.239.2055: UDP, length 120
    07:47:21.959823 IP (tos 0x0, ttl 64, id 24050, offset 0, flags [none], proto UDP (17), length 148) 10.10.12.98.22828 > 172.21.0.239.2055: UDP, length 120
    07:47:23.717304 IP (tos 0x0, ttl 64, id 947, offset 0, flags [none], proto UDP (17), length 148) 10.10.12.98.22828 > 172.21.0.239.2055: UDP, length 120

    You can see that the new IP Address of OpenVPN interface is 10.10.12.98. But the follow traffic source address is 10.10.12.170 (I guess it is the previous IP). After restart Pfflowd  service, the source address is changed to 10.10.12.98 and evrything work well again.

    Any ideas to fix this problem?

    Thanks,
    Tuong</up,pointopoint,running,multicast>

    0
  • ?

    OpenVPN supports static IPs based on login/mac, why not use static IPs?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy