Emerald City / Daniel Duerr
2006-Jul-06 16:52 UTC
[netflow-tools] freebsd 6.1, pflowd, and virtual IPs
Hello,

I've successfully deployed pflowd on my freebsd 6.1-STABLE w/PF router/firewall and have it feeding its netflows to my collector on another machine. This router/firewall does bidirectional 1:1 NAT for a bunch of dedicated servers at a colo facility, so it's got a bunch of virtual IPs assigned to its outside interface in addition to its own IP.

Everything is working fine between the flow generator & collector, except that all the traffic is being reported against the primary IP of the router/firewall, not the virtual IPs that the traffic was used on. Anyone know of a way to make it behave the way I'd like? I use this for traffic accounting purposes so it is critical that I have this level of detail...

Thanks,
Daniel
Damien Miller
Emerald City / Daniel Duerr wrote:
> Hello,
>
> I've successfully deployed pflowd on my freebsd 6.1-STABLE w/PF
> router/firewall and have it feeding its netflows to my collector on
> another machine. This router/firewall does bidirectional 1:1 NAT for a
> bunch of dedicated servers at a colo facility, so it's got a bunch of
> virtual IPs assigned to its outside interface in addition to its own IP.
> Everything is working fine between the flow generator & collector,
> except that all the traffic is being reported against the primary IP of
> the router/firewall, not the virtual IPs that the traffic was used on.
> Anyone know of a way to make it behave the way I'd like? I use this
> for traffic accounting purposes so it is critical that I have this level
> of detail...

pfflowd should report whatever is recorded in the pfsync records. Does a manual tcpdump of the pfsync interface show the correct addresses?

-d
Emerald City / Daniel Duerr
2006-Jul-09 18:08 UTC
[netflow-tools] freebsd 6.1, pflowd, and virtual IPs
Hi,

For some reason I keep getting core dumps when I try to "tcpdump -pni pfsync0" on my firewall. pfsync_enable="YES" is configured in my /etc/rc.conf file and pfflowd is definitely producing output to my netflow collector, it's just for the single IP of the firewall itself.

I ran a "pfctl -ss" to view the state table and I see a lot of lines like this:

self tcp 192.168.1.140:443 <- x.x.x.40:443 <- y.y.y.y:50970 TIME_WAIT:TIME_WAIT

Where the address on the left is the private IP of one of my web servers, x.x.x.40 is the public IP of that server (a virtual IP on the firewall), and y.y.y.y is the public IP of the remote connection. This particular example is pretty common for me -- a state tracking for a remote user who connected to my web server via https.

My not being able to tcpdump the pfsync0 interface definitely concerns me, and may be part of a problem? Regardless, it appears my system is tracking some states to the virtual IPs. Hope this helps. Appreciate your advice, Damien.

Cheers,
Daniel

Damien Miller wrote:
> Emerald City / Daniel Duerr wrote:
>> Hello,
>>
>> I've successfully deployed pflowd on my freebsd 6.1-STABLE w/PF
>> router/firewall and have it feeding its netflows to my collector on
>> another machine. This router/firewall does bidirectional 1:1 NAT for a
>> bunch of dedicated servers at a colo facility, so it's got a bunch of
>> virtual IPs assigned to its outside interface in addition to its own IP.
>> Everything is working fine between the flow generator & collector,
>> except that all the traffic is being reported against the primary IP of
>> the router/firewall, not the virtual IPs that the traffic was used on.
>> Anyone know of a way to make it behave the way I'd like? I use this
>> for traffic accounting purposes so it is critical that I have this level
>> of detail...
>
> pfflowd should report whatever is recorded in the pfsync records. Does
> a manual tcpdump of the pfsync interface show the correct addresses?
>
> -d
>

--
Daniel Duerr | President | Emerald City Entertainment Group, LLC
dd at emeraldcityeg.com | +1 (831) 621-1767 | www.emeraldcityeg.com
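The state-table line Daniel pasted shows the three endpoints a 1:1 NAT state carries (internal address, virtual IP on the firewall, remote host), which is exactly the per-virtual-IP detail the accounting needs, and Damien's point is that pfflowd can only report what the state records contain. Below is an added example, not code from this thread or from pfflowd, that parses lines in that `pfctl -ss` layout and tallies states by the address seen on the outside interface, so the state table can be compared against the per-IP totals the collector shows. The field order `lan <- gwy <- ext` is assumed from the post, and the sample lines are constructed, with RFC 5737 documentation addresses standing in for x.x.x.40 and y.y.y.y.

```python
from collections import Counter

# Constructed sample in the "pfctl -ss" layout shown in the post (not real data).
# A 1:1 NAT state carries three endpoints (lan <- gwy <- ext); a state that
# terminates on the firewall's own address carries only two. Public addresses
# are RFC 5737 documentation ranges; the first line is a non-state banner.
SAMPLE_STATES = """\
No ALTQ support in kernel
self tcp 192.168.1.140:443 <- 203.0.113.40:443 <- 198.51.100.7:50970       TIME_WAIT:TIME_WAIT
self tcp 192.168.1.141:22 <- 203.0.113.41:22 <- 198.51.100.9:41022       ESTABLISHED:ESTABLISHED
self tcp 203.0.113.1:22 <- 198.51.100.9:41023       ESTABLISHED:ESTABLISHED
self udp 192.168.1.140:53 -> 203.0.113.40:53 -> 198.51.100.53:53       MULTIPLE:SINGLE
"""

ARROWS = ("->", "<-")


def split_endpoint(endpoint):
    """'203.0.113.40:443' -> ('203.0.113.40', 443). IPv4 only, as in the post."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, int(port)


def parse_state_line(line):
    """Parse one state line; return None for anything that is not a state record.
    'gwy' is the translated (virtual) address on the firewall, or None without NAT."""
    fields = line.split()
    if len(fields) < 6:
        return None
    iface, proto, body, state = fields[0], fields[1], fields[2:-1], fields[-1]
    arrows = [t for t in body if t in ARROWS]
    hosts = [t for t in body if t not in ARROWS]
    # Accept "host ARROW host" or "host ARROW host ARROW host" with one arrow kind.
    if len(hosts) not in (2, 3) or len(arrows) != len(hosts) - 1 or len(set(arrows)) != 1:
        return None
    if any(":" not in h or not h.rsplit(":", 1)[1].isdigit() for h in hosts):
        return None
    return {
        "iface": iface, "proto": proto,
        "dir": "in" if arrows[0] == "<-" else "out",
        "lan": hosts[0], "gwy": hosts[1] if len(hosts) == 3 else None,
        "ext": hosts[-1], "state": state,
    }


def states_per_public_address(text):
    """Tally states by the outside-interface address: the NAT (virtual) address
    when the state was translated, otherwise the firewall's own address."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_state_line(line)
        if rec is None:
            continue
        public_end = rec["gwy"] if rec["gwy"] is not None else rec["lan"]
        counts[split_endpoint(public_end)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr, n in sorted(states_per_public_address(SAMPLE_STATES).items()):
        print(f"{addr:<16} {n} state(s)")
```

If the tally here shows states on the virtual IPs while the collector attributes everything to the firewall's primary address, the loss is between the state table and the exported flows rather than in PF's state tracking.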