I enabled flow-accounting with enable-egress. I have a remote collector from Kentik. There are no egress flows. Only ingress. Is there something else I need to enable?
flow-accounting {
enable-egress
interface eth0
interface eth1
interface eth1.2
netflow {
engine-id 100
server 10.0.3.3 {
port 9995
}
version 10
}
syslog-facility all
}
Just for comparison, I have a ovs switch that sends ipfix to the same collector, and does indeed show ingress and egress.
Thanks.
Does host 10.0.3.3 not receive this traffic?
10.0.3.3 does receive the flows. It’s just every single one says ingress. No matter if I’m uploading or downloading data. Maybe that’s how router interfaces are supposed to work? I setup netflow on the OVS switch that the router is connected through, and it does show ingress/egress traffic.
If this is VyOS 1.4, could you check counters in the output of sudo nft list chain inet mangle FORWARD?
vyos@vyos:~$ sudo nft list chain inet mangle FORWARD
table inet mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
oifname "eth1.2" counter packets 3209 bytes 1973536 log group 2 snaplen 128 queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"
oifname "eth1" counter packets 4829 bytes 1497712 log group 2 snaplen 128 queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"
oifname "eth0" counter packets 8368 bytes 1153494 log group 2 snaplen 128 queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"
}
}
Thanks!
Now I got what you mean.
Both ingress and egress flows from the interfaces are exported. However, flows sensor cannot determine traffic direction and it marks all the flows as ingress.
If you do need to have a direction (RFC 5102: Information Model for IP Flow Information Export) filled out, please create a feature request on the https://phabricator.vyos.net/. This is possible but requires some internal work to be done.
Ok, so they are not marked it sounds like. Thank you for the info. Glad to know it wasn’t something wrong on my end.