750G: Netflow setup between Cisco Router and Main switch

Hi

I have been asked to set up Netflow monitoring on our company network. I have a working Netflow collector set up. Currently our company ADSL internet gateway is a Cisco Router managed by our ISP under an SLA agreement. So I don’t have direct access to the Cisco Router, but I can ask for changes to be made to the router. Ideally I would like to keep the Cisco Router as is and limit disruption to our staff as much as possible.

Our RB750G was set up by a previous admin to be our ADSL router before the Cisco Router was set up.

I would like to know what would be the best and/or easiest way to insert the 750G between the Cisco Router and our main switch and capture Netflow traffic.

I have looked around and have not been able to find a guide or tutorial on how to do this.

Long term it would also be nice to be able to set up firewall rules or even shaping, but these are not a priority at the moment and I can live without them, as I can request these functions be set up on the Cisco.

The only thing I can’t ask to be setup on the Cisco is Netflow.

I have done some reading and I don’t know how to go about this. The Cisco router is currently run as a NAT, and I don’t know how things like bridges and static routes work, but I think that is what I am after.

Is it even possible to run 2 NATs directly after each other?

The only thing I currently know about the 750G setup is that I was told that one or two of the ports were converted into network interfaces and given IP addresses.

I have winbox.exe working and can access the RouterOS.

My network routing experience and knowledge is very limited, but I have set up a FreeBSD mail server and an Arch Linux desktop, so I am not a complete IT newbie; I just need some help getting started.

Can somebody please help me or point me in the right direction?

I have put together a very basic network diagram using Network Notepad to help illustrate what we have and what I am hoping to achieve.

Please note this is my first time using Network Notepad.

We have a very simple setup and the diagrams were really just a learning exercise for me, I don’t know how much value they bring to this discussion.
[attached network diagrams: basic-network-diagram.png, basic-network-diagram.02.png]

Unfortunately that’s going to require changes to the network - but with changes possible on the Cisco other than NetFlow configuration it should only require changes on that router.

Start by resetting the RB750G. You can either log into it and run “/system reset-configuration”, or look up NetInstall on the wiki and use it to install the latest version of RouterOS on your router, making sure you don’t have “keep configuration” checked. That will give us an easy baseline to help you out from - god knows how the router is currently configured.

Traffic flow is described in the manual: http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow. The following part is important:

Notes

By looking at packet flow diagram you can see that traffic flow is at the end of input, forward and output chain stack. It means that traffic flow will count only traffic that reaches one of those chains.

That means that the RB750G will have to work as a layer 3 hop. Not sure how much you know about networks, but that means that it will have to act as a router, and not as a switch. Because you cannot have the same IP network on multiple interfaces and route between them (barring ugly hacks you shouldn’t resort to), in order to have the network on the right of your RB in your diagram stay the same, you have to change the network on the left of it. You should talk to your ISP about having the LAN/inside interface of the Cisco router changed to a /30 with private IP addressing of your or their choice. Something like 10.255.255.252/30, maybe. I’ll assume that for the rest of the post. Their router would be 10.255.255.253/30, and your RB750G would be 10.255.255.254/30 on ether1. You would assign the IP address that is currently on the LAN interface of the Cisco to the ether2 interface on the RB750G. On the RB750G you insert a default route through the Cisco router, and on the Cisco router you ask the ISP to insert a route to the LAN network via 10.255.255.254 so it can reach the clients behind the RB750G. There is no need to NAT on the RB750G - just ask the ISP to keep the current NAT configuration, but to add 10.255.255.252/30 to the list of NAT’d networks. Then turn on traffic flow on the RB750G.

Here are the commands, assuming a default configuration to start from. I’m also assuming your current LAN network is 192.168.1.0/24 - on a sidenote, IP address and interface configuration should be part of network diagrams. While knowing the physical layout is helpful, knowing the logical network configuration is just as valuable.
You would want to apply the below via MAC winbox - just plug your computer with Winbox on it into a router port and click the ‘…’ button next to the address field, wait for the router to show up and click on the MAC address. Then connect with the username ‘admin’ and a blank password.

# first clear up any remnants of the default configuration on an RB750G
/ip address remove [/ip address find]
/ip route remove [/ip route find]
/ip dhcp-client remove [/ip dhcp-client find]
/ip firewall nat remove [/ip firewall nat find]
/ip firewall filter remove [/ip firewall filter find]

# add IP address facing Cisco router to ether1 (the /30 transit network)
# add LAN IP address to ether2 (the address the Cisco's LAN interface used to have)
/ip address
add address=10.255.255.254/30 interface=ether1
add address=192.168.1.1/24 interface=ether2

# add a default route through the Cisco router
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.255.253

# set up traffic flow to the collector at 192.168.1.100 on port 2055
# (the property is "interfaces", plural; "all" gathers flows on every interface)
/ip traffic-flow
set enabled=yes interfaces=all
/ip traffic-flow target
add address=192.168.1.100:2055 version=9

You didn’t post whether the Cisco router is a DHCP server - if it is, that can of course be a service offered on the RB750G as well, but it will require some additional configuration.

Hope that helps.
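As an added example (not code from the thread, fewi or MikroTik), here is a minimal NetFlow v9 decoder in Python: the kind of thing the collector at 192.168.1.100:2055 does with what the RB750G's /ip traffic-flow exports. v9 is template based, so a collector has to cache templates per exporter and can only decode data FlowSets whose template it has already seen; the decoder below handles that and rejects malformed FlowSet lengths rather than reading past the buffer. The export packet it parses is constructed inline; the hosts 192.168.1.25 and 203.0.113.10 and the byte/packet counters are made up for the illustration.

```python
"""Minimal NetFlow v9 decoder: templates + data records, as received on UDP/2055 (added example)."""
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field types (RFC 3954, section 8) used in this example
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

TemplateKey = Tuple[int, int]      # (source_id, template_id): templates are per exporter
Template = List[Tuple[int, int]]   # [(field_type, field_length), ...]


def _decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12) and len(raw) == 4:      # IPv4 addresses
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")           # counters, ports, protocol


def decode_netflow_v9(packet: bytes, templates: Dict[TemplateKey, Template]) -> List[dict]:
    """Parse one export packet; `templates` is the cache shared across packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")   # guards against truncated or crafted input
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                    # template FlowSet, may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("template record overruns FlowSet")
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                                # data FlowSet, id == template id
            tmpl = templates.get((source_id, fs_id))
            if tmpl is not None:                          # otherwise drop it, as a real collector does
                rec_len, pos = sum(length for _, length in tmpl), 0
                while pos + rec_len <= len(body):         # trailing bytes shorter than a record are padding
                    rec = {"source_id": source_id, "template_id": fs_id, "export_time": secs}
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return records


def bytes_by_host(records: List[dict]) -> Dict[str, int]:
    """Sum in_bytes per source address: the first question most NetFlow users ask."""
    totals: Dict[str, int] = {}
    for rec in records:
        totals[rec["src_addr"]] = totals.get(rec["src_addr"], 0) + rec["in_bytes"]
    return totals


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed export packet: template 256 plus two flow records (addresses/counters invented)."""
    template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(struct.pack("!HH", t, l) for t, l in template)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    flows = [("192.168.1.25", "203.0.113.10", 51234, 443, 6, 10, 1500),   # LAN host -> outside, 1500 bytes
             ("203.0.113.10", "192.168.1.25", 443, 51234, 6, 12, 18200)]  # the reply direction
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, pk, by)
                    for s, d, sp, dp, pr, pk, by in flows)
    pad = (-len(data)) % 4                                # FlowSets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 120000, 1700000000, 1, 0)   # version 9, 3 records, source_id 0
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    cache: Dict[TemplateKey, Template] = {}
    for rec in decode_netflow_v9(build_sample_packet(), cache):
        print(rec)
    print(bytes_by_host(decode_netflow_v9(build_sample_packet(), cache)))
```

To turn this into a live collector, bind a UDP socket to port 2055, call decode_netflow_v9 on each datagram with one shared cache keyed by (source_id, template_id), and expect the first data FlowSets after an exporter restart to be dropped until its template refresh arrives.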

Thank you so much fewi. That was a brilliant reply and I actually understood what you said.
DHCP is currently being handled by the Win2003 server so that is not going to be a problem.

I am going to give it a try next time the office does not have anything critical happening, hopefully this afternoon.

FYI:

  • Network = 192.168.0.0/24
  • Cisco internal (GW) = 192.168.0.253
  • Win2003 = 192.168.0.1
  • DHCP = 192.168.0.10-100

There is one thing I forgot to mention but if I understand the routing correctly should not be a problem.
We replicate a MSSQL db from a server on the net to our local office running on the Win2003 box.
I got the ISP to forward the replication ports and port 80 from outside to the Win2003 server, and I believe they added rules to the Cisco’s firewall to allow the traffic through. This is all currently working.
I don’t think this is going to be a problem; can you see any problems with this?

Lastly does this kind of setup have a name, when I learn new things I like to learn the correct terminology as well.
If I had to guess this is just normal routing between two networks using static routes. :)

Thanks again.

Yes, that’s static routing. Yes, the port forwarding will still work - the Cisco router will still destination NAT that traffic to the same IP address, only after the change it won’t send the traffic directly to the DB server, but will rather look up a route to it, find that it needs to go via the RB750G, and send traffic to it. The RB750G then sends the packet to the database server.
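To make the forwarding path described above concrete, here is an added Python model of the two static routing tables (not part of the thread, and not how either router is configured internally). It uses the addresses from this thread (192.168.0.0/24 LAN, 192.168.0.1 DB server, 192.168.0.253 on the RB750G's ether2, the 10.255.255.252/30 transit) and assumes a public side in the 203.0.113.0/24 documentation range, which is invented. It shows the two things a newcomer to static routing needs to see: longest-prefix match choosing the LAN route over the default, and DNAT happening before the route lookup, which is why the existing port forward keeps working after the RB750G is inserted.

```python
"""Simulated forwarding for the thread's static-routing design (added example, constructed addresses)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Route = Tuple[Net, Optional[Addr]]   # (prefix, next hop); next hop None = directly connected

# Addresses from the thread; the public side (203.0.113.0/24) is a constructed placeholder.
LAN, TRANSIT = Net("192.168.0.0/24"), Net("10.255.255.252/30")
CISCO_INSIDE, RB_ETHER1, RB_ETHER2 = Addr("10.255.255.253"), Addr("10.255.255.254"), Addr("192.168.0.253")
DB_SERVER, CISCO_PUBLIC, ISP_GW = Addr("192.168.0.1"), Addr("203.0.113.10"), Addr("203.0.113.1")

ROUTERS: Dict[str, List[Route]] = {
    # the ISP adds the static route for the LAN via the RB750G's transit address
    "cisco":  [(Net("0.0.0.0/0"), ISP_GW), (TRANSIT, None), (LAN, RB_ETHER1)],
    # the RB750G has the LAN connected and a default route to the Cisco
    "rb750g": [(Net("0.0.0.0/0"), CISCO_INSIDE), (TRANSIT, None), (LAN, None)],
}
# which device owns which interface address, so a next hop resolves to a router
OWNER = {CISCO_INSIDE: "cisco", RB_ETHER1: "rb750g", RB_ETHER2: "rb750g"}
# the existing port forward on the Cisco: (public address, port) -> inside target
DNAT = {(CISCO_PUBLIC, 80): (DB_SERVER, 80)}


def lookup(table: List[Route], dst: Addr) -> Route:
    """Longest-prefix match: the default route only wins when nothing more specific fits."""
    matches = [r for r in table if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def no_overlap(*nets: Net) -> bool:
    """Routed interfaces must carry distinct networks; this is why the Cisco side becomes a /30."""
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def trace(start: str, dst: Addr, dport: int) -> List[str]:
    """Hop list for a packet entering at router `start`. DNAT runs before the route lookup."""
    hops, router = [], start
    while True:
        if router == "cisco" and (dst, dport) in DNAT:
            dst, dport = DNAT[(dst, dport)]
            hops.append(f"cisco dnat -> {dst}:{dport}")
        prefix, nh = lookup(ROUTERS[router], dst)
        if nh is None:                        # directly connected: deliver locally
            hops.append(f"{router} delivers to {dst} ({prefix})")
            return hops
        hops.append(f"{router} -> {nh}")
        if nh not in OWNER:                   # next hop is outside our network (the ISP)
            hops.append(f"exits via {nh}")
            return hops
        router = OWNER[nh]


if __name__ == "__main__":
    print("addressing valid:", no_overlap(LAN, TRANSIT))
    print("inbound port 80:", trace("cisco", CISCO_PUBLIC, 80))
    print("outbound https:", trace("rb750g", Addr("203.0.113.50"), 443))
```

Because the RB750G does no NAT of its own, the same flow shows up unchanged at the collector in both directions, which is what makes the per-host byte counts from traffic-flow meaningful.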