Any router vendor worth its salt supports NetFlow (or IPFIX, or sFlow, or compatible protocols). However, in practice, sometimes NetFlow is simply not available. In our experience, this happens for two main reasons:
- A consumer-grade router is installed in a small office or remote location.
- A suitable router that does implement NetFlow is available, but it is externally managed, and the service provider won’t enable it, because it’s out of the scope of their contract.
Either way, whether the limitation is technical or contractual, how does one go about gaining network visibility in such a scenario? In this post, we propose a simple, inexpensive solution to add NetFlow to an existing network and send this NetFlow to Talaia's collector.
As explained, the goal is to cheaply add NetFlow to an existing network. As strong requirements, the solution must be affordable, production-grade stable, and technically simple so it can be deployed without requiring personnel with extensive expertise in IT.
As a side requirement, in order to cover scenarios like the second one above, where a service provider won't help you by tuning the main exit router, we are looking for a solution that does not require reconfiguration of the existing networking equipment (nor of the internal hosts).
In this post, we address these goals for the SOHO (small office / home office) environment with an EdgeRouter PoE. This is a small device you can find quite cheaply online that can be configured as a transparent pass-through that nevertheless extracts and reports NetFlow to a collector. Let’s see how!
The solution we are going for involves setting up an EdgeRouter PoE in bridged mode, physically installed so that all the traffic that the LAN exchanges with the Internet goes through it. The following diagram graphically displays the setup we are aiming for:
Note how the pre-existing router must be connected to eth1, while eth2 connects to the LAN (most likely, to a switch). Additionally, in order to configure the router easily, let's connect a computer to eth0 with address 192.168.1.2 and netmask 255.255.255.0.
The following network diagram zooms in on the EdgeRouter:
In a nutshell, this is what we are going to do. We will connect to the administrative interface of the EdgeRouter PoE. We will then configure eth1 and eth2 in bridged mode. To do so, we will create a bridge interface br0 including interfaces eth1 and eth2. This will allow all IP addresses on either side of the EdgeRouter to talk to each other; that is, the EdgeRouter will be effectively transparent to all computers in the network. Finally, we will give br0 an IP address so the router can communicate with other computers, and enable NetFlow reporting on the br0 interface. This setup will get the EdgeRouter to compute NetFlow for all the traffic that goes through the bridged interface and send it to an external collector (in this case, Network Polygraph).
First, let's ssh into the router from the computer connected to eth0 (as explained, it must have an IP address in the 192.168.1.0/24 range, such as 192.168.1.2) and enter configuration mode:

```
$ ssh ubnt@192.168.1.1
(snip)
ubnt@192.168.1.1's password: (the default password is ubnt)
Welcome to EdgeOS
Last login: (snip)
ubnt@ubnt:~$ configure
ubnt@ubnt#
```
(Note that, if the LAN addressing collides with the default configuration for eth0, which is 192.168.1.1/24, it's best to change it and start over by ssh'ing to the new address. For example, run set interfaces ethernet eth0 address 172.16.1.1/24, then commit. Finally, change your computer's IP address to 172.16.1.2 and ssh in with ssh ubnt@172.16.1.1.)
Let's now configure the ports. We'll let interfaces eth2, eth3 and eth4 switch traffic through interface switch0. (Strictly speaking, we would only need to configure eth2; check the last paragraph of this post to see why we're configuring the other interfaces as well.) Then, let's bridge interfaces switch0 and eth1, so that hosts on either side of the PoE can freely exchange traffic:

```
set interfaces bridge br0
set interfaces switch switch0
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
```
At this point, the EdgeRouter PoE is configured in transparent mode, so all computers in the network should be able to communicate normally with the pre-existing router (and reach the Internet). If you wish to test that out, run commit and check.
Let's now get the EdgeRouter itself to communicate with the LAN and the outside world. This is important, because the NetFlow must be able to reach your NetFlow collector (in this case, Talaia is perfect for the job; ask us for the IP address and port to export NetFlow to). Pick one of the two options below:

```
# if we can get an address via DHCP:
set interfaces bridge br0 address dhcp
# otherwise (modify as necessary):
set interfaces bridge br0 address 192.168.254.253/24
set system gateway-address 192.168.254.1
```
At this point, the PoE should be able to talk to the Internet (hit Control+C to stop):

```
ubnt@ubnt# ping 18.104.22.168
PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data.
64 bytes from 188.8.131.52: icmp_req=1 ttl=52 time=19.7 ms
64 bytes from 184.108.40.206: icmp_req=2 ttl=52 time=14.1 ms
64 bytes from 220.127.116.11: icmp_req=3 ttl=52 time=13.9 ms
^C
ubnt@ubnt#
```
If everything worked, it is now a perfect time to start your free trial of Talaia. You will receive an IP address (A.B.C.D) and port (WXYZ) that you shall use to export the NetFlow. The first line below enables flow accounting on br0 (without it, nothing is exported); the rest point the export at the collector, select NetFlow version 5 and set the flow timeouts:

```
set system flow-accounting interface br0
set system flow-accounting netflow server A.B.C.D port WXYZ
set system flow-accounting netflow version 5
set system flow-accounting netflow timeout expiry-interval 60
set system flow-accounting netflow timeout flow-generic 60
set system flow-accounting netflow timeout icmp 60
set system flow-accounting netflow timeout max-active-life 60
set system flow-accounting netflow timeout tcp-fin 10
set system flow-accounting netflow timeout tcp-generic 60
set system flow-accounting netflow timeout tcp-rst 10
set system flow-accounting netflow timeout udp 60
```
The configuration is now ready. Let's apply it with commit, and persist it across reboots with save.
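Before trusting the export, it helps to confirm that the EdgeRouter is really emitting NetFlow v5 by temporarily pointing the server address at a laptop on the LAN and decoding the datagrams there. The decoder below is an added example, not code from the original post, Talaia or EdgeOS; it assumes the laptop listens on UDP port 2055 (use whatever port you configured) and validates the version and record count of each datagram before reading its contents.

```python
# NetFlow v5 decoder to confirm the EdgeRouter export. Added example; not from the post or EdgeOS.
import socket
import struct
from ipaddress import ip_address
# v5 header (24 bytes) and flow record (48 bytes), both big-endian.
HEADER_FMT = "!HHIIIIBBH"  # version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, sampling = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sequence": seq, "sampling": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        r = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": str(ip_address(r[0])), "dst": str(ip_address(r[1])),
                      "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return header, flows

def build_v5(flows, seq=0):
    """Pack (src, dst, sport, dport, proto, tcp_flags, packets, bytes) tuples into a v5 datagram."""
    hdr = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(struct.pack(RECORD_FMT, ip_address(s).packed, ip_address(d).packed, b"\0" * 4,
                                0, 0, pk, by, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, fl, pk, by in flows)
    return hdr + body

# Constructed sample (not real captured data): one HTTPS flow from a LAN host to an outside server.
SAMPLE = build_v5([("192.168.254.10", "203.0.113.5", 51234, 443, 6, 0x1B, 12, 3400)], seq=1)

def listen(port=2055):
    """Bind the collector port and decode datagrams as they arrive (Ctrl+C to stop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(65535)
        header, flows = parse_v5(data)
        print(f"{peer[0]}: seq={header['sequence']} count={header['count']}", *flows, sep="\n  ")
if __name__ == "__main__":
    listen()
```

A growing sequence number and flows whose source addresses are LAN hosts confirm that br0 is being accounted; once you see that, switch the server address back to the one Talaia gave you.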
Done. As a bonus, you can connect other switches or end hosts to interfaces eth3 and eth4: since they are bridged through br0, the traffic they send to the Internet will also get reported. What you won't get is the internal traffic exchanged across eth2, eth3 and eth4, which switch0 forwards without it ever reaching br0 (not necessarily a bad thing; most often you are only interested in monitoring the Internet uplink).
Happy network monitoring!