PfSense as netflow exporter only

  • Hi,
    New to pfSense - using latest stable version 2.2.5, and finding my way around. In a nutshell, what I'd like to build is a laptop that I can put on to a mirror port of our WAN interface that will send netflow data to Solarwinds NTA etc. This would only have one interface, but as it's on the mirror port it would be able to see all traffic and export details/flows through softflowd.

    I've had an initial attempt with some success however the only traffic flows that are being exported are traffic to/from the pfSense box itself and broadcast traffic. My next step will be to place a device running Wireshark on the mirror port to confirm that all traffic is being reflected to that port but I wondered if I'm going about this the wrong way as the traffic does not pass 'through' the pfSense box. Is it even possible?

    I cannot export netflow data from my WAN firewall as it is a Watchguard device that does not have that feature. I also, for now, cannot put the pfSense into the traffic path fully as it's a production network that I can't experiment on to that degree.

    If I can get this working then eventually I'd like to roll it out to our 270 sites on pfSense appliances, but I need to prove the concept to management first.

    Any suggestions would be most welcome.

    Very poor quality sketch attached…


  • What you've drawn will allow you to potentially monitor traffic to/from the WAN and if that's what you need to see it can be made to work.

    If you're trying to monitor LAN-LAN traffic, you need another mirror port on the LAN switch, which could go to another interface on your pfSense box to give internal tracking capabilities.

    Whether or not a laptop based pfSense "add-on" is the best approach vs a dedicated FreeBSD/Linux/Distro box running the flow exporter you need is probably open for debate.

    My first gut reaction to your diagram (if I understand it correctly) is "why are they using a WatchGuard firewall for anything?, Eeeeeew".

    I'd be inclined to try and replace that piece directly with a pfSense box but, hey, that's just me.
    There may be any number of business reasons I don't understand for that setup.

  • Thanks for the reply.

    Unfortunately I'm stuck with the WatchGuards, due to a decision made before I joined the organisation that means we have over a hundred of them in storage waiting to be deployed - we also have a hundred or so already out there so the strategy's not going to change any time soon! The largest WatchGuard VPN deployment in the world according to their support guys…

    Yes, I'd like to monitor WAN traffic to send to out Solarwinds NTA. I hear what you're saying about a dedicated FreeBSD/Linux/Distro box running the flow exporter but I have to confess I wouldn't have a clue where to start with that. I was introduced to pfSense by a colleague and it looked like may do just what I need for now without any in depth Linux etc knowledge and possibly in the future as a replacement (using hardware appliances) for the WatchGuards as you suggest.

    Something that could complicate it later is that the Watchguards run IPSec tunnels back to our DC so any tunnelled WAN traffic will just show up as ESP rather than meaningful IP endpoints but that can probably be addressed by moving the mirror port to the LAN interface of the WG then. Not all traffic is tunnelled though so I should still see some traffic other than ESP going via the WAN.

    Hopefully that makes sense - I'll try to do a better job on any further 'diagrams'!


  • The largest WatchGuard VPN deployment in the world according to their support guys…

    You have my deepest condolences  ;)

    What you've described is definitely doable, and worth at least a pilot to prove your abilities.

  • Your kind words are appreciated, we have even proved to them that the advertised 7000 tunnelled subnets limit is actually more like 5800…

    So... if it's doable then where do you think I'm going wrong as the pfSense is only exporting its own traffic and broadcast traffic to the netflow collector. Mirror port is definitely working properly as I wiresharked it today and can see everybody's traffic on the port.

    I haven't done much in the way of config on pfSense beyond installing and configuring softflowd and setting up the WAN interface, is there a way to dump the config so you can see what I've done?

    I have a vision of a network full of pfSense appliances and nothing bright red in sight!


  • Unfortunately, I'm definitely not the softflowd expert around here (or probably any other kind of expert either).

    With what you've described, I would expect you to set up pfSense with an Allow Any-Any rule on it's WAN interface to allow everything it sees to pass on (do you have another Virtual interface for the WAN to pass to?).

    My guess would be that you want pfSense to think that anything it sees on the mirror it's connected to is its "own" traffic.
    Perhaps more knowledgeable souls will chime in…...

  • Softflowd does not send netflow v5 or v9 that NTA will understand.
    This is because in all netflow packages, both Interface Indexes = 0 in exported flows:

    By forcing the traffic to be shown as you probably have done in NTA, you are only seeing what the NTA can decipher from SNMP data.
    Unfortunately, doing so excludes all traffic not originating from the router and multicast, as you have seen.

    NTA is extremely picky about netflow.
    The only netflow that I have been able to get working reliably with NTA on pfsense is Pfflowd.
    Unfortunately, on recent PfSense versions, this no longer works:

Log in to reply