netflow tools - Jul 2006 - freebsd 6.1, pflowd, and virtual IPs

Hello,

I''ve successfully deployed pflowd on my freebsd 6.1-STABLE w/PF 
router/firewall and have it feeding its netflows to my collector on 
another machine.  This router/firewall does bidirectional 1:1 NAT for a 
bunch of dedicated servers at a colo facility, so its got a bunch of 
virtual IPs assigned to its outside interface in addition to its own IP. 
  Everything is working fine between the flow generator & collector, 
except that all the traffic is being reported against the primary IP of 
the router/firewall, not the virtual IPs that the traffic were used on. 
  Anyone know of a way to make it behave the way I''d like?  I use this 
for traffic accounting purposes so it is critical that I have this level 
of detail...

Thanks,
Daniel

Emerald City / Daniel Duerr wrote:
> Hello,
> 
> I''ve successfully deployed pflowd on my freebsd 6.1-STABLE w/PF 
> router/firewall and have it feeding its netflows to my collector on 
> another machine.  This router/firewall does bidirectional 1:1 NAT for a 
> bunch of dedicated servers at a colo facility, so its got a bunch of 
> virtual IPs assigned to its outside interface in addition to its own IP. 
>   Everything is working fine between the flow generator & collector, 
> except that all the traffic is being reported against the primary IP of 
> the router/firewall, not the virtual IPs that the traffic were used on. 
>   Anyone know of a way to make it behave the way I''d like?  I use
this
> for traffic accounting purposes so it is critical that I have this level 
> of detail...
pfflowd should report whatever is recorded in the pfsync records. Does
a manual tcpdump of the pfsync interface show the correct addresses?

-d

Hi,

For some reason I keep getting core dumps when I try to "tcpdump -pni 
pfsync0" on my firewall.  pfsync_enable="YES" is configured in my
/etc/rc.conf file and pfflowd is definitely producing output to my 
netflow collector, its just for the single IP of the firewall itself.  I 
ran a "pfctl -ss" to view the state table and I see a lot of lines
like
this:

self tcp 192.168.1.140:443 <- x.x.x.40:443 <- y.y.y.y:50970 
TIME_WAIT:TIME_WAIT

Where the address on the left is the private IP of one of my web 
servers, x.x.x.40 is the public IP of that server (a virtual IP on the 
firewall), and y.y.y.y is the public IP of the remote connection.  This 
particular example is pretty common for me -- a state tracking for a 
remote user who connected to my web server via https.

My not being able to tcpdump the pfsync0 interface definitely concerns 
me, and may be part of a problem?  Regardless, it appears my system is 
tracking some states to the virtual IPs.

Hope this helps.  Appreciate your advice, Damien.

Cheers,
Daniel

Damien Miller wrote:
> Emerald City / Daniel Duerr wrote:
>> Hello,
>>
>> I''ve successfully deployed pflowd on my freebsd 6.1-STABLE
w/PF
>> router/firewall and have it feeding its netflows to my collector on 
>> another machine.  This router/firewall does bidirectional 1:1 NAT for a
>> bunch of dedicated servers at a colo facility, so its got a bunch of 
>> virtual IPs assigned to its outside interface in addition to its own
IP.
>>   Everything is working fine between the flow generator &
collector,
>> except that all the traffic is being reported against the primary IP of
>> the router/firewall, not the virtual IPs that the traffic were used on.
>>   Anyone know of a way to make it behave the way I''d like?  I
use this
>> for traffic accounting purposes so it is critical that I have this
level
>> of detail...
> 
> pfflowd should report whatever is recorded in the pfsync records. Does
> a manual tcpdump of the pfsync interface show the correct addresses?
> 
> -d
> 
> 
-- 
Daniel Duerr | President | Emerald City Entertainment Group, LLC
dd at emeraldcityeg.com | +1 (831) 621-1767 | www.emeraldcityeg.com