Canot make Solarwinds Real-Time NetFlow Analyzer and pfsense netflow to work

Snailkhan

Hi,

i enabled netflow on pfsense and installed solarwinds netflow realtime analyzer to get a feel of pfsense netflow cababilites.
my configs are given in below screen shots for both pfsense and realtime netflow analyzer.

i get the error as shown in last picture.
i am selecting correct interfaces. tried on all possible interfaces ..
http://www.solarwinds.com/products/freetools/netflow-analyzer.aspx

i followed this guide
http://hubpages.com/technology/How-to-Export-Netflow-Data-from-pfSense-using-pfflowd

TedStriker

Interesting, I can't help but I am experiencing the exact same problem. Can see the pfSense device in the Solarwinds page but not showing any Flow Type.

I tried ManageEngine's NetFlow Analyzer and that worked fine but I'd like to use the Solarwinds tool as it's so lightweight.

Snailkhan

@TedStriker:

Interesting, I can't help but I am experiencing the exact same problem. Can see the pfSense device in the Solarwinds page but not showing any Flow Type.

I tried ManageEngine's NetFlow Analyzer and that worked fine but I'd like to use the Solarwinds tool as it's so lightweight.

cent persent we are in the same boat.

besides i also tried wireshark on nms machine running solarwind to see if it was seeing any  netflow packets .. and it was seeing it ..

i red below

https://thwack.solarwinds.com/thread/31006

I have a similar problem to the one shown here.  We have a network of 3750 switches that won't do NetFlow, so we set up SPAN ports and pushed the traffic to a Linux box.  The Linux box is using SoftFlowd to format the NetFlow stream and send it to my Orion NTA server.  When I run a WireShark capture, I get something similar to what you see above - the source/destination IPs and ports are coming through, but the InputInt and OutputInt and ToS show zero.

I'm definitely getting a steady stream of NetFlow data from the Linux box, but NTA doesn't appear to be accepting or processing any of it.  Has anyone else run into this situation, and can you suggest a fix?

Thanks.

and when i looked into pdu of netflow packet generated by pfsense i could see that the source/destination IPs and ports are coming through, but the InputInt and OutputInt and ToS show zero. are zero in my case as well ..

so it seems the implementation of netflow in pfsense is not compatible with solarwinds..

however pfflow as per article i quoted seems to be working ..

any idea which versino of pfsense stopped shipping with pfflow so we can test it with our solarwind in  a vm ?

doktornotor

Solarwinds? Considered using something else? I mean, the idiot who cannot understand what "needed" means, calls himself a "Solarwinds Head Geek, M.S., MCITP:EA, MCDBA, MCSA, MVP" would seem like a damn good reason to not touch their products even with a 10ft pole.

Snailkhan

anyhelp ?
i need to make it work with netflow.

TedStriker

I have also tried running softflowd on a ubuntu box with no pfsense etc and get the same result. Wiresharking does indeed show the interface numbers to be set to zero.

Apparently pfflow does it properly so I'm going to look into using that with openBSD

This is part of a packet from softflowd showing the zero interfaces

pdu 1/7
    SrcAddr: 172.31.6.120
    DstAddr: 172.18.140.43
    NextHop: 0.0.0.0
    InputInt: 0
    OutputInt: 0
    Packets: 11
    Octets: 7944
    [Duration: 29.514000000 seconds]
    SrcPort: 389
    DstPort: 55995
    Padding: 00
    TCP Flags: 0x1e
    Protocol: TCP (6)
    IP ToS: 0x00
    SrcAS: 0
    DstAS: 0
    SrcMask: 0 (prefix: 172.31.6.120/32)
    DstMask: 0 (prefix: 172.18.140.43/32)
    Padding: 0000

Snailkhan

i cannot find pfflow in packages.

TedStriker

I don't think pfflow is available on pfsense any more. I read a few days ago about a patch someone had created to fix the bug, but can't find it again!

I used Manage Engine Netflow Analyzer trial and that was ok with the softflowd output, looks like Solarwinds is just a bit fussier.

Pfflowd is available on OpenBSD so you could build a dedicated box just for that but it's a bit of a faff for what should be a simple process.

Snailkhan

hi
is it resolved in the latest incarnation of pfsense ?

jvodan

The following patch is suppose to fix the issue for softflowd
https://github.com/pwarren/softflowd/issues/3

Oh well now I need to work out how to compile for a pfsense target

Snailkhan

@jvodan:

The following patch is suppose to fix the issue for softflowd
https://github.com/pwarren/softflowd/issues/3

Oh well now I need to work out how to compile for a pfsense target

I hope someone more knowledgeable then us do it.

Snailkhan

any idea if this is resolved ?

jimp

If you have a manged switch that supports netflow, you could make the switch(es) export flows to Solarwinds instead of the firewall itself.

Snailkhan

@jimp:

If you have a manged switch that supports netflow, you could make the switch(es) export flows to Solarwinds instead of the firewall itself.

as this is a small network between few neighbours so no managed switch only 15-20 clients from one uplink .

i had earlier cisco 1841 which was working fine with this free solarwind tool for troubleshooting network performance on need basis.

any chance if it will be fixed in pfsense ?

antonylogicmonitor

I will hazard a guess:

The PFSense netflow output does not include the OUTPUT_SNMP field.

This is not a mandatory field but without it, netflow data reporting can be… less than 100% accurate.

The same is true (i.e. the same field is absent) on certain Meraki devices - see the very bottom of this page:
https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview

"SolarWinds NTA ignores NetFlow packets that do not contain either an SNMP ingress or egress interface index" - although that page says MX models do include this, plenty of other Meraki devices don't, meaning that their netflow data is discarded by SolarWinds.

I have recently checked the netflow output from a PFSense device and the OUTPUT_SNMP field was absent from that data. I suspect that this is why the OP is not seeing traffic within SolarWinds.

TedStriker

@antony@logicmonitor:

I will hazard a guess:

The PFSense netflow output does not include the OUTPUT_SNMP field.

This is not a mandatory field but without it, netflow data reporting can be… less than 100% accurate.

The same is true (i.e. the same field is absent) on certain Meraki devices - see the very bottom of this page:
https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview

"SolarWinds NTA ignores NetFlow packets that do not contain either an SNMP ingress or egress interface index" - although that page says MX models do include this, plenty of other Meraki devices don't, meaning that their netflow data is discarded by SolarWinds.

I have recently checked the netflow output from a PFSense device and the OUTPUT_SNMP field was absent from that data. I suspect that this is why the OP is not seeing traffic within SolarWinds.

Yes, that is the problem and a patch has been referenced above - not sure anyone knows how to apply the patch though!

Snailkhan

I wish it to be applied in pfsense softflowd.. Or will it just remain a wish?  :'(