Softflowd and PRTG monitor



  • Hi guys,

    I've been playing with netflow v9 and my cisco devices are working fine exporting data to PRTG, which is a monitoring system I use. For some reason the softflowd doesn't report properly to PRTG and the readings are erratic. I can't get bandwidth usage for example and a few other metrics. I've spoken to PRTG support and they are having the same problem on their end with pfSense.

    As I got the cisco routers working perfectly fine with PRTG I would assume the only problem in this must be pfsense/softflowd.

    Do you guys have any experience exporting netflow data to PRTG?

    Thanks!



  • choose Netflow 5 from prtg a



  • I have been using both pfSense and PRTG for a while now and I was trying back and forth with various packages but it looks like there is no "proper" sflow/netflow solution that really works for pfSense.
    All of them have their advantages and disadvantages so I stopped using it on pfSense and bought cheap ZyXEL switches that I placed between pfSense and the network and they deal pretty well with sflow (with one exception: when the switches lose power then sflow needs to be started manually on the switch).

    For pfSense the one that best worked for me (but really far from good/perfect) was the softflowd package.

    On PRTG side:
    Netflow V9 Custom

    • Put in port (I found sometimes some ports don't work, I used 9991 UDP) and IP address of the pfsense interface that will send the flow packages
    • Sampling mode off
    • Active flow timeout: 1 minute

    On the pfSense side (softflowd):

    • Choose only ONE interface (I also used multiple but I had to modify the softflow package code so it sends on a different port for each IF, I added an automatic increment of 1 for the port number for each extra interface)
    • Put in port and IP of PRTG
    • Adjust max flows and hop limit to your needs
    • Netflow version 9, tracking level full
    • For the timeout put in 59 seconds for all options

    Main limitations:

    • Sometimes the flows exceed the 59 seconds which will throw an error message on PRTG
    • It properly works only with one IF. If you have multiple internal IFs then you have to monitor the WAN IF but you lose track of the internal IP addresses since in most cases NAT will happen. Also I believe softflowd captures the traffic on the WAN if in promiscuous mode which can be a security risk if there are bugs in the softflowd.

    Hope that helps a bit…



  • Hi there,

    thanks for your time helping me with this.

    Still the live graph is not storing proper bandwidth usage.

    When I go to top connections I can see it is storing the data somehow, very weird! Check the attached screenshots






  • Since the data is showing up correctly in PRTG I would suggest it's up to Paessler to see why the live Graphs don't work properly.
    Not sure if I had the same issue when I was using softflowd. Can't remember to be honest.

    To be sure you can use the netflow/sflow tester from Paessler to see if the generated output is correct (in terms of "according to standards") and you can also capture the packets leaving pfSense using the "Diagnostics" -> "Packet capture" and analyze the results with wireshark.
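
The check described above, as an added example that is not part of the original posts and not softflowd or PRTG code: a parser that takes the UDP payload of one NetFlow v9 export datagram (for instance copied out of the Wireshark capture) and reports which templates it carries and whether each one contains the byte, packet and timestamp fields that rate graphs are computed from. Field numbers are from RFC 3954; `inspect_v9`, `build_sample` and the sample datagrams are hypothetical and constructed for illustration.

```python
import struct

# NetFlow v9 field types (RFC 3954) that byte/packet rate graphs are computed from.
RATE_FIELDS = {1: "IN_BYTES", 2: "IN_PKTS", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED"}

def inspect_v9(payload: bytes) -> dict:
    """Walk one NetFlow v9 export datagram (the UDP payload) and summarise it."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError(f"export version is {version}, not 9")
    report = {"count": count, "sequence": seq, "source_id": source_id,
              "templates": {}, "missing": {}, "data_flowsets": []}
    off = 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError(f"flowset at offset {off} has bad length {fs_len}")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break  # padding or a truncated record
                types = struct.unpack(f"!{2 * nfields}H", body[pos + 4:end])[0::2]
                report["templates"][tid] = list(types)
                report["missing"][tid] = [n for t, n in RATE_FIELDS.items() if t not in types]
                pos = end
        elif fs_id > 255:  # data flowset, decoded with the template of the same id
            report["data_flowsets"].append(fs_id)
        off += fs_len
    return report

def build_sample(field_types, template_id=1024):
    """Constructed test datagram (not softflowd output): one template, one data record."""
    tmpl = struct.pack("!HH", template_id, len(field_types))
    tmpl += b"".join(struct.pack("!HH", t, 4) for t in field_types)  # every field 4 bytes
    data = b"\x00\x00\x00\x01" * len(field_types)
    flowsets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    flowsets += struct.pack("!HH", template_id, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0) + flowsets

GOOD = inspect_v9(build_sample([8, 12, 1, 2, 22, 21]))  # addresses, bytes, packets, times
BAD = inspect_v9(build_sample([8, 12, 2, 22, 21]))      # constructed case: no IN_BYTES
```

A datagram that only lists data flowsets and no templates is normal between template refreshes; the collector cannot decode those records until it has seen the matching template.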



  • @ConfusedUser:

    Since the data is showing up correctly in PRTG I would suggest it's up to Paessler to see why the live Graphs don't work properly.
    Not sure if I had the same issue when I was using softflowd. Can't remember to be honest.

    To be sure you can use the netflow/sflow tester from Paessler to see if the generated output is correct (in terms of "according to standards") and you can also capture the packets leaving pfSense using the "Diagnostics" -> "Packet capture" and analyze the results with wireshark.

    I'll give it a shot now and see how it goes, thanks!



  • I can start a new thread if needed but I am trying to do the same thing. I would like to know how to see if netflow data is being sent. Where in pfSense could I verify this?

    Background:
    I have followed the above settings in this thread, but prtg is saying "No data since startup"

    I am running pfsense in an AWS VPC, and I am guessing the data isn't making it to prtg, so I just want to start at the source and see if I can find where it's getting stopped up.



  • @matthewmdn:

    I can start a new thread if needed but I am trying to do the same thing. I would like to know how to see if netflow data is being sent. Where in pfSense could I verify this?

    Background:
    I have followed the above settings in this thread, but prtg is saying "No data since startup"

    I am running pfsense in an AWS VPC, and I am guessing the data isn't making it to prtg, so I just want to start at the source and see if I can find where it's getting stopped up.

    I ended up giving up, I can get all my cisco routers and watchguard firewalls to work well with PRTG netflow, just pfsense doesn't.

    I contacted PRTG support but they can't help as pfsense is exporting wrong data to PRTG.

    Pretty much helpless!

