NetFlow Shows NATed IPs Instead of End Hosts on Download Traffic

saba53 · October 17, 2025, 11:32am

Hello,

I’ve installed ManageEngine NetFlow Analyzer and connected it to my MikroTik router (v7.19.3). There’s a Users VLAN interface configured on the router that I want to monitor.

On the NetFlow system, I can clearly see upload traffic, including the source IP addresses of the end hosts. However, in the download section, I only see NATed IP addresses, which prevents me from identifying the actual end hosts.

If you have any ideas or suggestions on how to fix this issue, I’d really appreciate your help.

Thanks!

eltikpad · October 17, 2025, 3:05pm

Im not familiar with ManageEngine, but do a lot of Netflow work.

You should be seeing translation in the flows that are being Nat-ed. Do you know what version of Netflow youre using? Netflow v5 does not report translation, only Netflow v9 or IPfix. It could also be something in ManageEngine not reporting this. Check your documentation.

pe1chl · October 18, 2025, 8:59am

True. I am running Netflow IPFIX and each item has both the original and NAT address (and MAC as well), when selected in the configuration.

saba53 · October 21, 2025, 6:22am

Thanks for your response!

I will share Mikrotik config with you.

pe1chl · October 21, 2025, 8:02am

Ok so set Version to IPFIX and it will work.

eltikpad · October 21, 2025, 2:02pm

Netflow v9 also has that info by default, so if these screen prints impliy they’re currently running v9 the data should be ok.

saba53 · October 21, 2025, 2:52pm

Router software version could be a problem?

saba53 · October 21, 2025, 2:52pm

I did it but same results

pe1chl · October 21, 2025, 3:04pm

Ok you could run wireshark on the receiving system to confirm that the data is really sent and that the issue is in ManageEngine rather than in the router.

eltikpad · October 21, 2025, 3:21pm

Capturing some packets wouldn’t hurt. You’ll have to find a template packet to know what fields are being sent.

Also, most (every) flow monitoring system has some kind of confirmation that needs to be set describing your local IP network spaces (that would be nat-ed) as opposed to external publicly routable address spaces. I would try checking any confuration that you’ve set.

Even though the data fields are labeled “nat” I’ve see them not reported if the address spaces are not defined correctly.

pe1chl · October 21, 2025, 4:52pm

Wireshark will show the packets including labels once the template packet has been seen during a capture. You can set the template refresh interval in the target configuration. It is set to 20 above (the default) so the template will be sent every 20 packets.

saba53 · October 27, 2025, 6:32am

Thanks for your help.
Wireshark shows internal IP addresses.
I opened ticket to netflow system support for their help.

saba53 · November 6, 2025, 1:57pm

Hello everyone,

I need some recommendations. As you can see in the download traffic, I can view my internal IP addresses (Post-NAT Destination Address). However, ManageEngine NetFlow Analyzer does not display these internal IP addresses in reports; it only shows the destination address, which is my public IP.

Can you recommend a NetFlow analyzer that can show Post-NAT Destination IPv4 addresses in its reports?

Thanks in advance!