NetFlow. No longer showing NAT'd destination address - Something chnaged

RouterOS General
1

Hello!
I have been using the NetFlow exporter for a while now. Since setup, my NetFlow collector has always shown the traffic in both directions, and it has always shown the NAT’d IP of the endpoints, now it only is exporting the IP flows as traffic to my WAN interface. I know that is confusing so let me explain.
My WAN interface has IP 73.1.1.2 for example, and I am downloading a 100MB file from a server with IP 50.50.50.50 from my computer which is being NAT’d by the Mikrotik with an IP address 10.10.10.10

The NetFlow results used to export the flow as 100MB from 50.50.50.50 > 10.10.10.10
Instead now it shows the flow as 100MB from 50.50.50.50 > 73.1.1.2
While this still shows what traffic is entering my network and how much, it no longer provides me what client device specifically requested it. What configuration change would have caused this? I uses be be on 6.something (less than 6.30), and now I am on 6.30.2

Thanks!

2

I found that it is a bug in 6.29 and up it seems? I downgraded back to 6.21 and all is resolved. Hope they resolve the issues with the next release. I tested on 6.3.2 and the issue persisted.

3

Same issue. It started with 6.29. In change log of 6.30.2 they have posted fix in traffic flow, but it still does not work.

4

this should fix that:

What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness
5

if you want, full reporting use the v9 template. It has separate fields to see what traffic is what. Unfortunately, there was an overwhelming amount of requests to revert it back. Since V9 allows flexibility required it was left there.

6

Janis, that’s what I wrote you on Sept, 14th: v5 should stay old way (because changing it breaks everything making v5 useless), v9 - receive additional NAT info :slight_smile:

so, seems like 6.33 has ideal combination for NetFlow, thanks :slight_smile:

7

Could you tell me please where to find out NetFlow version 9 template description for ROS 6.33 ?

I want to set up netflow collector but don’t know template format.

Is it cisco NEL or NSEL or something else ?

8

Template format? What do you mean? NetFlow packets contain information about the format of actual NetFlow data :slight_smile:

9

Netfow 9 supports templates for data fows. There is some well know template formats supported by other vendors. For example there is Cisco NEL (NAT event logging).

What is the Mikrotik Netfow v9 template format? If it’s vendor specific better to update documentaton here: http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

People should update their netflow collectors which is working with well known predifine templates.

10
  1. you cannot change template format in RouterOS (for example, you cannot remove unnecessary fields)
  2. template format is sent in NetFlow packets every v9-template-refresh packets or every v9-template-timeout seconds, so netflow collector knows exact format even if it didn’t know it ever before :slight_smile: you don’t need any ‘predefined’ templates
11

@Chupaka: netflow template sent periodically by CCR have nothing in common with NAT event logging. We need to log NEL/NSEL to store exact conntrack creation and deletion events.

12

RouterOS NetFlow sends flows, not events :slight_smile:

13

Also have this issue!

6.44.6, Traffic Flow Version: 9

How to fix it?

14

Just check all fields in the packet, not only basic ones.

15

what are you speaking about?

16

http://forum.mikrotik.com/t/nat-logging-with-netflow9/94190/2
postNAT* fields

17

where to set these fields?

18

Set?.. You don’t set it, they simply exist in NetFlow v9 packets and you just need to read them.

For IPFIX, you may select them to be included in the data:

Screen Shot 2020-01-28 at 13.04.26.png

19

all of these items are already selected by default

20

They are about IPFIX, not NetFlow v9. NetFlow v9 contains all those fields, you cannot change it.