
Adding NetFlow Support to a Network with an EdgeRouter PoE

Mar 1, 2016 11:00:00 AM / by Josep Sanjuas

Any router vendor worth its salt supports NetFlow (or IPFIX, or sFlow, or compatible protocols). However, in practice, sometimes NetFlow is simply not available. In our experience, this happens for two main reasons: 

  1. A consumer-grade router is installed in a small office or remote location.
  2. A suitable router that does implement NetFlow is available, but it is externally managed, and the service provider won’t enable it, because it’s out of the scope of their contract.

Either way, whether because of a technical limitation or otherwise, how does one go about gaining network visibility in such a scenario? In this post, we propose a simple, inexpensive solution to add NetFlow to an existing network and send this NetFlow to Talaia's collector.

As explained, the goal is to cheaply add NetFlow to an existing network. As hard requirements, the solution must be affordable, stable enough for production use, and technically simple, so that it can be deployed without requiring personnel with extensive IT expertise.

As a side requirement, so that the solution also fits scenarios like #2, where a service provider won't help you by tuning the main exit router, we are looking for a solution that does not require reconfiguring the existing networking equipment (nor the internal hosts).

In this post, we address these goals for the SOHO (small office / home office) environment with an EdgeRouter PoE. This is a small device you can find quite cheaply online that can be configured as a transparent pass-through that nevertheless extracts and reports NetFlow to a collector. Let’s see how!

 

Overview

The solution we are going for involves setting up an EdgeRouter PoE in bridged mode, physically installed so that all the traffic that the LAN exchanges with the Internet goes through it. The following diagram graphically displays the setup we are aiming for:

[Diagram: edge router PoE]

Note how the pre-existing router must be connected to eth1, while eth2 connects to the LAN (most likely, to a switch). Additionally, in order to configure the router easily, let’s connect a computer to eth0 with address 192.168.1.2 and netmask 255.255.255.0.

The following network diagram zooms in on the EdgeRouter:

[Diagram: edge router]

In a nutshell, this is what we are going to do. We will connect to the administrative interface of the EdgeRouter PoE. We will then configure eth1 and eth2 in bridged mode. To do so, we will create a bridge interface br0 that includes interfaces eth1 and eth2. This will allow all IP addresses on either side of the EdgeRouter to talk to each other; that is, the EdgeRouter will be effectively transparent to all computers in the network.

Finally, we will give br0 an IP address so the router can communicate with other computers, and enable NetFlow reporting on the br0 interface. This setup will get the EdgeRouter to calculate the NetFlow for all the traffic that goes through the bridged interface and send it to an external collector (in this case, Network Polygraph).

Commands

First, let’s ssh into the router from the computer connected to eth0 (as explained, it must have an IP address in the range 192.168.1.0/24, e.g., 192.168.1.2) and enter configuration mode:


$ ssh ubnt@192.168.1.1
(snip)
ubnt@192.168.1.1's password: (the default password is ubnt)
Welcome to EdgeOS
Last login: (snip)
ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# 

(Note that, if the LAN addressing collides with the default configuration for eth0, which is 192.168.1.1/24, it’s best to change it and start over by ssh’ing to the new address. For example, run set interfaces ethernet eth0 address 172.16.1.1/24, then commit. Finally, change your computer’s IP address to 172.16.1.2 and ssh in with ssh ubnt@172.16.1.1.)

Let's now configure the ports. We'll let interfaces eth2 through eth4 switch traffic through interface switch0. (Strictly speaking, we would only need to configure eth2—check the last paragraph of this post to see why we're configuring the other interfaces as well.) Then, let's bridge interfaces switch0 and eth1, so that hosts on either side of the PoE can freely exchange traffic:


set interfaces bridge br0
set interfaces switch switch0 
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0

At this point, the EdgeRouter PoE is configured in transparent mode, so all computers in the network should be able to communicate normally with the pre-existing router (and reach the Internet). If you wish to test that out, run the commit command and verify that LAN hosts can still reach the Internet.

Let's now get the router itself to communicate with the LAN and the outside world. This is important, because the exported NetFlow has to reach your NetFlow collector (in this case, Talaia is perfect for the job – ask us for the IP address and port to export NetFlow to).


# if we can get an address via DHCP:
set interfaces bridge br0 address dhcp

# otherwise (modify as necessary):
set interfaces bridge br0 address 192.168.254.253/24
set system gateway-address 192.168.254.1

At this point, the PoE should be able to talk to the Internet (hit Control+C to stop):


ubnt@ubnt# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=52 time=19.7 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=52 time=14.1 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=52 time=13.9 ms
^C
ubnt@ubnt#

If everything worked, it is now a perfect time to start your free trial of Talaia. You will receive an IP address (A.B.C.D) and port (WXYZ) that you will use to export the NetFlow. This is how to do it:


# collect flows on the bridge interface, as described in the overview:
set system flow-accounting interface br0

# export them to the collector:
set system flow-accounting netflow server A.B.C.D port WXYZ
set system flow-accounting version 5
set system flow-accounting timeout expiry-interval 60
set system flow-accounting timeout flow-generic 60
set system flow-accounting timeout icmp 60
set system flow-accounting timeout max-active-life 60
set system flow-accounting timeout tcp-fin 10
set system flow-accounting timeout tcp-generic 60
set system flow-accounting timeout tcp-rst 10
set system flow-accounting timeout udp 60

The configuration is now ready. Let’s apply and save the changes for the next reboot:


commit
save
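
Once the commit is in, the collector starts receiving NetFlow v5 datagrams from the address you gave br0 (with an expiry-interval of 60, the first records show up within about a minute). The following decoder is an added example, not code from the original post or from Talaia: it shows what those datagrams contain and lets you check, independently of any collector, that flows are actually arriving. The sample datagram is constructed inline with the build_v5 helper, so the self-check runs offline; the listen function is the same decoder bound to a UDP port, and it accepts datagrams only from the exporter's address, since v5 is plain unauthenticated UDP and anyone who can reach the port could otherwise inject fake flow records into your accounting.

```python
"""Decode NetFlow v5 datagrams of the kind EdgeOS flow-accounting exports.

Added example, not part of the original post. The sample datagram below is
constructed here; a real exporter fills in uptime, AS numbers, masks, etc.
"""
import socket
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HEADER_FMT = "!HHIIIIBBH"                # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # the 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # v5 exporters never pack more records per datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int      # for ICMP, v5 exporters put type*256+code here
    proto: str
    packets: int
    octets: int
    tcp_flags: int  # OR of the TCP flags seen over the flow's life


def parse_v5(datagram: bytes) -> tuple[dict, list[Flow]]:
    """Return (header fields, flow records); raise ValueError on malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"record count {count} does not match {len(datagram)} bytes")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits carry the interval
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport,
                          PROTO_NAMES.get(proto, str(proto)), pkts, octets, flags))
    return header, flows


def build_v5(flows: list[Flow], seq: int = 0, uptime_ms: int = 1000, unix_secs: int = 1456826400) -> bytes:
    """Construct a v5 datagram; used only to fabricate sample input for the self-check."""
    proto_nums = {name: num for num, name in PROTO_NAMES.items()}
    out = struct.pack(HEADER_FMT, 5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    for f in flows:
        out += struct.pack(RECORD_FMT, IPv4Address(f.src).packed, IPv4Address(f.dst).packed,
                           b"\0\0\0\0", 0, 0, f.packets, f.octets, uptime_ms - 500, uptime_ms,
                           f.sport, f.dport, 0, f.tcp_flags, proto_nums[f.proto], 0, 0, 0, 24, 24, 0)
    return out


def bytes_per_source(flows: list[Flow]) -> list[tuple[str, int]]:
    """Octets per source address, largest first: the 'who is using the uplink' view."""
    totals: dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def listen(port: int, exporter_ip: str, handler=print) -> None:
    """Decode live exports on UDP 'port', dropping datagrams not sent by the exporter."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            if peer != exporter_ip:
                handler(f"dropped datagram from unexpected exporter {peer}")
                continue
            try:
                header, flows = parse_v5(data)
            except ValueError as exc:
                handler(f"{peer}: ignored datagram ({exc})")
                continue
            handler(f"{peer}: seq={header['flow_sequence']} records={len(flows)}")
            for f in flows:
                handler(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} {f.packets} pkts {f.octets} B")


# Constructed sample: three flows a SOHO LAN behind br0 might produce (addresses are made up).
SAMPLE_FLOWS = [
    Flow("192.168.254.10", "93.184.216.34", 51234, 443, "tcp", 120, 98000, 0x1B),
    Flow("192.168.254.11", "8.8.8.8", 53412, 53, "udp", 2, 180, 0),
    Flow("192.168.254.10", "8.8.8.8", 0, 0x0800, "icmp", 3, 252, 0),  # echo request: type 8, code 0
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    hdr, decoded = parse_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for flow in decoded:
        print(flow)
    print(bytes_per_source(decoded))
    # To watch real exports: listen(2055, "192.168.254.253")  (port/address as configured above)
```

Running the file decodes the constructed datagram and prints the per-source byte totals; to watch the EdgeRouter's real exports, call listen with the port you configured as WXYZ and the address you gave br0. Note that a datagram whose length does not match its record count is rejected outright rather than partially decoded; silently accepting truncated or oversized exports is how collectors end up with garbage in their top-talker lists.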

Done. As a bonus, you can connect other switches or end hosts to interfaces eth3 and eth4 – since they are bridged through br0, the traffic they send to the Internet will also get reported. What you won't get is the internal traffic exchanged across eth2, eth3 and eth4 (which is not necessarily a bad thing – most often you are only interested in monitoring the Internet uplink).

Happy network monitoring!

Written by Josep Sanjuas