PFFLOWD Active Flow Timeout
Im setting up PRTG 8 and collecting netflow data from pfflowd.
One sensor setting in PRTG is called Active Flow Timeout ( in minutes)```
Enter a value larger than the one used on the device. Caution: Flow information might be lost if the defined value is too low.
Where do I find this setting in Pfflowd on a pfsense system or does anyone know the default setting. Anyone here using PRTG ? I would like too figure out the best way to setup sensors per IP that Ignore all traffic between the Lan and OPT1 interface as well. Currently I'm Trying ``` Interface[em0[/code] in the Exclude filter list.
Im currently using PRTG, but I could not get pfflowed to work, it does not seem to like ipv6 ;) So using softflowd
You set that active flow timeout on prtg, not on the pfsense side but on the netflow sensor settings - mine is set for 6 minutes and seems to be working ok.
Just wish they would hurry up and support IPv6, next release is suppose to have it - but can not even get on the beta or alpha list, etc.
I'm not doing any sort of excluding of any IPs, etc. so not going to be of any help there.
Pfflowd is sending data just fine for me.
The problem is that timeout. I have set some at 20 minutes and still get todo's with timeout errors / receiving data that's older ,,, bla bla.
Some Filters I have set are for a routers WAn IP that is behind a wireless client station in bridge mode. I wonder if I use the clients radio IP instead of the router IP behind it if these flo errors would stop.
well if your not using IPv6 then it prob works fine.
last one I saw was back on jul 11
Subject: Netflow data dropped (code: PE082)
The netflow sensor has received and dropped flows with a timestamp older than the timespan defined by the active flow timeout. Please ensure that the active flow timeout from the sensor setting matches the flow timeout set in the flow exporter device (code: PE083)
Please review all ToDos at http://192.168.1.4:8181/todos.htm
I removed pfflowd and setup Sofflowd Should it listen on the LAN or WAN interface?
well that would be up to you, but I would not listen on wan
here is my command from system
<shellcmd>softflowd -i re0 -v 9 -m 50000 -n 192.168.1.4:9996</shellcmd>
re0 is my local interface ;)
Set it up like you have listening on the Lan interface.```
softflowd -i em1 -v 5 -m 50000 -n 192.168.0.4:9997
This PF box has a static route back too MY lan where the collector is running. The lan has several AP's and clients. Some clients have there own routers in the house. They Have a Lan IP From PFsense on their WAN witch I'm monitoring. I have 2 that will show up as off line if they are not using the network, and 2 that even with a setting of 20 minutes will still pop up flow timeout errors. While others run fine with 6 minutes as you have set. I wonder If I should switch too Netflow V9 instead of V5? I'm Also messing with the filters in PRTG so It does not count ANY local traffic from LAN to OPT1 witch is the static route.``` IP[192.168.25.41] and not (DestinationIP[192.168.15.*] or SourceIP[192.168.15.*]
Switched too netflow V 9 and things seem to work better . Dropped flows have stopped and filters seem to work.
softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m ```Is the softflowd command I'm using. If I start it with out the maxlife @ 5 minutes and set sensors to expire at 6 minutes I get 5 or 6 a day dropped flow errors from PRTG. I'm using
IP[192.168.25.90] and Interface[bge0]
As an example of 1 netflow 9 sensor. The Interface filter Bge0 is the wan port. This seems to refrain from counting any traffic between the two lan ports. I also found that on the settings page for Channel Display it seems to work better when in the default stack channels independently setting. With it set on stack channels on top of each other the traffic count seemed to be less that 1/2 of what the wan interface was reporting for total traffic. So far I like the software from Paessler , PRTG network monitor takes the cake! Any comments welcome on how others set up PRTG.
I have run softflowd for just over 1 week with PRTG v8.
I have one huge problem. Data is not adding up. I see several gig of transfer on the wan interface in PFsense and only a few MB in PRTG totaling all the IP based flow sensors.
So I Killed Softflowd and reinstalled PFflowd. After 2 hours I can see the difference. The normal heavy users are back to 18,000 KByte per 5 minute interval instead of 2 or 3 KByte witch was what I was seeing before.
The Problem remains with PFFLOWD What is the flow timeout ?? OR where can I set this in PFFLOWD's config.
I have searched for it but cannot find it.
Setting the PRTG timeout too 30 minutes does not stop the flow errors.
Bump Anyone ??
Hmmm I have never looked that deep into what prtg flow sensor is reporting, when I get a chance will see if they match up or not. Possible your just not counting the type of traffic that is happening?
I run bandwidthd on my pfsense as well, so I got that counting each Ips bandwidth.
Maybe you could install ntop right on the pfsense box to watch for your top talkers, etc.
With the following run command:
/usr/local/sbin/pfflowd -n 172.16.42.104:9991 -S in -v 9
The active flow timeout that needs to be set in PRTG is 11 minutes.
Note, if you're utilizing VLANs and a single network interface like us then pfflowd will not correctly identify the source/destination vlan and you need to explicitly set the direction as either "in" or "out" for PRTG to not double count data.