Netflow from SSTP connections

Dear colleagues,

we use CHR ROSv6 as an SSTP concentrator and, for security purposes, need to gather netflow information from SSTP connections.
The current way to configure interfaces under “/ip traffic-flow” is either ‘all’ (and, thus, the netflow collector will receive a lot of unnecessary information like encrypted SSTP traffic) or an exact list (and, thus, we need to specify hundreds of interfaces and update the list upon changes).

The ways to solve the problem are:

  1. specify exceptions like “/ip traffic-flow set interfaces=all,!ether1” which seems to be unsupported;
  2. specify per-interface / per-profile export (e.g. /ppp profile x set flow-export=yes) which seems to be unsupported too;
  3. use kind of bridge, which will be used by SSTP server to “bind to” and which can be specified as a traffic-flow’s interface.

So, the question is whether (3) can be implemented for the SSTP server, or whether any other ways to precisely export flows are available?

Thank you.

It would be nice if Netflow supported an “interface list” as a parameter instead of only predefined lists like “all”, “local” etc.
You can then make the SSTP interfaces member of that list.

Hi,

Yes, it would be nice, but this is a long story. It’s interesting whether there are any ways to get the solution using existing ROS capabilities?

Thank you.

Well, I am using Netflow and I use a single interface to watch all the traffic on the other side of the router.
I send the data to a custom netflow receiver that discards everything that is not so interesting before logging the remainder to a file.
(I used Perl module Net::Flow to write it)
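The collector-side filtering the last post describes, as an added example in Python rather than Perl (not the poster's code): it decodes NetFlow v5 datagrams such as those exported by “/ip traffic-flow” with interfaces=all and keeps only records whose input or output ifIndex belongs to the SSTP tunnel interfaces, so the encrypted carrier traffic seen on the WAN interface is discarded before logging. The ifIndex values, addresses and the sample datagram are constructed for the example.

```python
"""Filter NetFlow v5 records at the collector, keeping only flows that
touch a chosen set of interfaces (e.g. the SSTP tunnel interfaces)."""
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 record

def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow dicts."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def keep_tunnel_flows(flows, tunnel_ifindexes):
    """Keep only flows that entered or left via a tunnel interface; the
    encrypted SSTP carrier flows on the WAN interface are dropped."""
    return [f for f in flows
            if f["in_if"] in tunnel_ifindexes or f["out_if"] in tunnel_ifindexes]

def build_sample() -> bytes:
    """Constructed datagram: one encrypted SSTP carrier flow (TCP/443) arriving
    on the WAN interface (ifIndex 1, assumed) and one decrypted client flow
    entering via tunnel ifIndex 12 (assumed)."""
    hdr = HDR.pack(5, 2, 1000, 1700000000, 0, 1, 0, 0, 0)
    carrier = REC.pack(IPv4Address("198.51.100.7").packed,
                       IPv4Address("203.0.113.1").packed, b"\0\0\0\0",
                       1, 0, 40, 52000, 10, 900, 51234, 443,
                       0, 0x18, 6, 0, 0, 0, 24, 32, 0)
    inner = REC.pack(IPv4Address("10.9.0.5").packed,
                     IPv4Address("192.0.2.80").packed, b"\0\0\0\0",
                     12, 1, 30, 4000, 20, 800, 40000, 80,
                     0, 0x18, 6, 0, 0, 0, 32, 24, 0)
    return hdr + carrier + inner

if __name__ == "__main__":
    for flow in keep_tunnel_flows(parse_v5(build_sample()), {12}):
        print(flow)
```

In a real receiver the datagram comes from a UDP socket bound to the port configured as the traffic-flow target, and the tunnel ifIndex set is refreshed from the router as SSTP interfaces come and go.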