ng_netflow on PF + CARP firewall question

shinny knight sh1nny_kn1ght at
Thu Dec 6 10:08:02 PST 2007

Hello all,
  I'm trying to use the ng_netflow module along with a PF+CARP implementation on FreeBSD 6.2.
  I understand from different posts that the ng_netflow module performs quite well and does not add much CPU load, since packets are processed in the kernel.
  However, the ng_netflow documentation is very confusing for beginners and I'm having a hard time figuring it out.
  Like I mentioned before, I have a PF+CARP implementation along with the /usr/ports/net/ifstated port. This part is tested and is working fine. (If anybody wants advice here feel free to ask :) )
  I'm wondering if it's a good idea to add ng_netflow on top of it, or whether I should use an additional system with a TAP interface and just mirror incoming/outgoing traffic from the switch.
  This is what I want to try for ng_netflow:
  cat /boot/loader.conf
  cat /etc/rc.conf |grep ng
  cat /usr/local/etc/rc.d/ng_netflow
  #!/bin/sh
  #
  # PROVIDE: ng_netflow
  # REQUIRE: NETWORKING
  # KEYWORD: shutdown

  . /etc/rc.subr

  name="ng_netflow"
  rcvar=`set_rcvar`
  start_cmd="${name}_start"
  stop_cmd="${name}_stop"

  ng_netflow_start()
  {
      echo "Starting ${name}."
      # For each interface: splice an ng_tee node between the ng_ether node's
      # lower and upper hooks, copy both directions into an ng_netflow node
      # (left2right = outbound copies, right2left = inbound copies) and export
      # over an ng_ksocket UDP socket. The collector address after "inet/" is
      # not preserved in the archived post.
      /usr/sbin/ngctl -f- <<-SEQ
          mkpeer bge2: tee lower right
          connect bge2: bge2:lower upper left
          name bge2:lower bge2_tee
          mkpeer bge2_tee: netflow left2right iface0
          name bge2:lower.left2right netflow
          connect bge2_tee: netflow: right2left iface1
          msg netflow: setifindex { iface=0 index=2 }
          msg netflow: setifindex { iface=1 index=1 }
          mkpeer netflow: ksocket export inet/dgram/udp
          msg netflow:export connect inet/
          mkpeer bge1: tee lower right
          connect bge1: bge1:lower upper left
          name bge1:lower bge1_tee
          mkpeer bge1_tee: netflow left2right iface2
          name bge1:lower.left2right netflow0
          msg netflow0: setifindex { iface=2 index=4 }
          connect bge1_tee: netflow0: right2left iface3
          msg netflow0: setifindex { iface=3 index=3 }
          mkpeer netflow0: ksocket export inet/dgram/udp
          msg netflow0:export connect inet/
  SEQ
  }

  ng_netflow_stop()
  {
      echo "Stopping ${name}."
      # Shut down both netflow nodes (their export ksocket goes with them) and
      # both tee nodes; ng_tee splices its left and right hooks back together
      # on shutdown, so the ether nodes' lower/upper path is restored and the
      # start sequence can be run again without "already connected" errors.
      /usr/sbin/ngctl -f- <<-SEQ
          shutdown netflow:
          shutdown netflow0:
          shutdown bge2_tee:
          shutdown bge1_tee:
  SEQ
  }

  load_rc_config $name
  : ${ng_netflow_enable="NO"}
  run_rc_command "$1"
  As can be seen from the above script, I'm planning on sending packets to localhost port 8818 first.
  Is the above configuration correct?
  Will it affect the PF+CARP implementation in any way, given that I'm not using CARP interfaces with ng_netflow but physical ones like bge1 and bge2? (I want to mention here that I'm not planning on using ng_netflow on the pfsync interface)
  Should I stick with solutions from ports like softflowd & similar?
  What would the difference in CPU/memory requirements be for 100Mbps of traffic between ng_netflow and softflowd?
  Thanks in advance for any help.
  Senior Network/Security Administrator
  Catalin Miclaus
  Starcomms Ltd.
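A generalised form of the wiring in the post above, added here as an example and not part of the poster's script: a POSIX sh function that emits the ngctl command sequence for any one interface (tee spliced between the ng_ether lower/upper hooks, both directions copied into a fresh ng_netflow node, export via ng_ksocket), and a second function that emits the matching teardown. The same pattern then covers bge1, bge2 or any further interface without hand-copying, and the stop side shuts down the tee as well as the netflow node. The export target `inet/127.0.0.1:8818` in the usage comment is an assumption taken from the text of the post, since the address itself is cut off in the archived script; the ifIndex values are the ones the post uses.

```shell
#!/bin/sh
# Emit the netgraph commands that splice an ng_tee node between an ng_ether
# node's lower/upper hooks and copy both directions into a new ng_netflow
# node that exports through ng_ksocket. Arguments:
#   $1 interface (e.g. bge2)        $2 netflow node name (e.g. netflow)
#   $3 ifIndex for the outbound copy (upper->lower, tee hook left2right)
#   $4 ifIndex for the inbound copy  (lower->upper, tee hook right2left)
#   $5 export target in ng_ksocket form, e.g. inet/127.0.0.1:8818 (assumed)
ng_netflow_wire() {
    iface=$1; nf=$2; out_idx=$3; in_idx=$4; target=$5
    cat <<EOF
mkpeer ${iface}: tee lower right
connect ${iface}: ${iface}:lower upper left
name ${iface}:lower ${iface}_tee
mkpeer ${iface}_tee: netflow left2right iface0
name ${iface}_tee:left2right ${nf}
connect ${iface}_tee: ${nf}: right2left iface1
msg ${nf}: setifindex { iface=0 index=${out_idx} }
msg ${nf}: setifindex { iface=1 index=${in_idx} }
mkpeer ${nf}: ksocket export inet/dgram/udp
msg ${nf}:export connect ${target}
EOF
}

# Emit the teardown for one interface: the netflow node (its export socket
# goes with it) and the tee, which re-splices left and right on shutdown so
# the interface's normal lower/upper path is restored.
ng_netflow_unwire() {
    iface=$1; nf=$2
    printf 'shutdown %s:\nshutdown %s_tee:\n' "$nf" "$iface"
}

# Number of ngctl commands emitted for one interface (sanity check).
ng_netflow_wire_lines() {
    ng_netflow_wire "$@" | wc -l | tr -d ' '
}

# Feed a generated sequence to ngctl; only meaningful on the firewall itself.
ng_netflow_apply() {
    /usr/sbin/ngctl -f-
}

# Usage on the host, for the two interfaces in the post (ifIndex values from
# the post; collector address assumed):
#   ng_netflow_wire bge2 netflow  2 1 inet/127.0.0.1:8818 | ng_netflow_apply
#   ng_netflow_wire bge1 netflow0 4 3 inet/127.0.0.1:8818 | ng_netflow_apply
# and to undo both:
#   { ng_netflow_unwire bge2 netflow; ng_netflow_unwire bge1 netflow0; } | ng_netflow_apply
```

Because the functions only print the command sequence, the output can be reviewed with `ngctl list` and `ngctl show <node>:` afterwards to confirm that each interface ended up with exactly one tee and one netflow node before enabling the rc.d script.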

