Netflow and traffic counting for hosts behind the NAT


A short story.
I have the following prerequisites:

  • VyOS 1.1.8 with netflow v5 enabled on the two p2p external ifaces connected to two ISPs, and one dmz iface connected to our public network - 92.255.xx.0/24
  • VyOS also has two interfaces connected to our internal networks with private addresses
  • VM with the Fastnetmon Advanced trial license.

Netflow is configured and running OK, and on the Fastnetmon VM we can see:

  • all inbound traffic coming from the Internet on any public address from the network 92.255.xx.0/24 - traffic arrives on the host with the public IP or on the host published through the NAT
  • when I generate some outbound traffic from the host with the public address 92.255.xx.yy, I can see this traffic too
  • when I generate outbound traffic from a host in our private network, and this traffic goes NATed through the external iface on the router, I cannot see this outbound traffic in Fastnetmon.

I followed this topic and configured internal interface bond0.31 on the VyOS as suggested:

set system flow-accounting interface bond0.31
sudo iptables -t filter -I VYATTA_POST_FW_IN_HOOK 1 -o bond0.31 -j ULOG --ulog-nlgroup 2 --ulog-cprange 64 --ulog-qthreshold 10
sudo iptables -t filter -I VYATTA_POST_FW_FWD_HOOK 1 -o bond0.31 -j ULOG --ulog-nlgroup 2 --ulog-cprange 64 --ulog-qthreshold 10
sudo iptables -t filter -I VYATTA_POST_FW_OUT_HOOK 1 -o bond0.31 -j ULOG --ulog-nlgroup 2 --ulog-cprange 64 --ulog-qthreshold 10

But I still cannot see traffic going from internal hosts outside - I can see it counted only as “other traffic”, but that is not a solution.

It would be nice if you could advise on resolving this situation.

First of all, VyOS 1.1.8 is EOL.

Netflow only sees ingress traffic on each interface you add in your config.
Also, netflow sees packets before NAT. If you want to change that, look in nano /opt/vyatta/sbin/ and change this line
my $table_chain_entry = "late";

Note that the ability to change this was added sometime between 1.1.x and VyOS 1.2.x. Edits in these files are not persistent over VyOS upgrades.

Thanks a lot, I will try to change this script and let you know about results.

I know that 1.1.8 is EOL, but this is a production system and upgrading it requires long and thorough testing, while the netflow functionality is needed right now, as usual :slight_smile: