ng_netflow and tun interfaces, collecting on the same host

Tillman Hodgson tillman at seekingfire.com
Tue Jan 18 09:30:33 PST 2005


Howdy folks,

I have a small pile of OpenVPN tunnels terminating on a "tunnel router"
(FreeBSD -current on sparc64 with 5 hme ethernet interfaces). Tunnels
carry general IP and OSPF traffic. They may carry IPv6 in the future,
though that's not a necessity. The number of tunnels will grow over time
and will likely start to include ipsec as well as the existing openvpn.

I'd like to perform netflow monitoring and collection on the box for the
individual tunnels. Unfortunately, I'm not only new to netflow in
general, all I know about netgraph I learned from
http://www.daemonnews.org/200003/netgraph.html (a fairly old article,
too) :-)

Taking a look at (and borrowing freely from)
http://taosecurity.blogspot.com/2004/01/freebsd-kernel-module-for-generating.html,
I see that I can do something like this (using tun0 as an example):


kldload ng_ether
kldload ng_tee
kldload ng_netflow
ngctl -f - << EOF
mkpeer tun0: tee lower right
connect tun0: tun0:lower upper left
mkpeer tun0:lower netflow right2left iface0
name tun0:lower.right2left netflow
msg netflow: setifindex { iface=0 index=1 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:4800
EOF


I'm not sure if ng_ether covers tun interfaces or if it only covers the
underlying ethernet interface.

I'm also not sure that sending the netflow data to loopback is the most
efficient way to get at it with the collector -- on a Cisco router,
sending netflow data to a separate host makes sense, but it doesn't in
my case. Is there a better way to do this?

I'm also not sure what the best method is to collect data for multiple
tun interfaces. I'm thinking of replicating the above netgraph config,
but forwarding to different ports and running multiple collectors.

Are there any good resources out there that someone could point me at?
Alternatively, does anyone have some time to walk me through it off-list
and I'll post a summary to the list afterwards (as well as write an
article on it for http://www.seekingfire.com/documents/, since I'm
planning on doing that anyway once I get this running nicely).

Thanks,

-T


-- 
"To enjoy the flavor of life, take big bites. Moderation is for monks."
    -- Robert Heinlein

