start to use traffic flow.
while set up it in local test router and collect data in same network – all ok, ntop can see stats.
but when i start traffic-flow on production router, – can’t catch data, because it’s collected by my test router unexpectedly!

Config:

uplinks==production_gw–LAN…test-router(with NAT)–my_PC(with ntop)

production_gw – PC x86 with ROS v6.17
test router – RB6700.. with ROS v6.17

on production_gw target is test-router ip (with any port, does not matter, is it 2055 of 22055)

so I expect to redirect Traffic-flow packets via test-router by dst-nat to my_PC, but suprised: traffic goes to input chain immediately after prerouting.

Is it expected behavior?

some data:
on production_gw:

aug/05/2014 07:55:02 by RouterOS 6.17

/ip traffic-flow
set cache-entries=16k enabled=yes interfaces=…
/ip traffic-flow target
add address=192.168.1.25:2055 version=9on test-router:
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established in-interface=WAN1
add chain=input connection-state=related in-interface=WAN1
add chain=input dst-port=2055 in-interface=WAN1 protocol=udp src-address=
192.168.1.50
add action=drop chain=input in-interface=WAN1/ip firewall nat
add action=dst-nat chain=dstnat dst-port=14127 in-interface=WAN1 protocol=tcp
to-addresses=192.168.95.101
add action=dst-nat chain=dstnat dst-port=14127 in-interface=WAN1 protocol=udp
to-addresses=192.168.95.101
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat dst-address=192.168.1.25 dst-port=2055
in-interface=WAN1 protocol=udp src-address=192.168.1.50 to-addresses=
192.168.95.104stats from NAT section – no packets counted by last rule - for 2055 port with traffic-flow
[taras@tq] /ip firewall nat> print stats
Flags: X - disabled, I - invalid, D - dynamic

CHAIN ACTION BYTES PACKETS

0 dstnat dst-nat 161 236 3 065
1 dstnat dst-nat 626 173 5 965
2 srcnat masquerade 5 382 711 54 560
3 srcnat masquerade 0 0
4 dstnat dst-nat 0 0in mangle section i create passthrough rules to find out, where packets go.
[taras@tq] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic

here was currently disabled rules

14 chain=prerouting action=passthrough protocol=udp dst-port=2055
15 chain=prerouting action=passthrough protocol=udp dst-port=14127
16 chain=input action=passthrough protocol=udp dst-port=2055
17 chain=input action=passthrough protocol=udp dst-port=14127
18 chain=forward action=passthrough protocol=udp dst-port=2055
19 chain=forward action=passthrough protocol=udp dst-port=14127
20 chain=postrouting action=passthrough protocol=udp dst-port=2055
21 chain=postrouting action=passthrough protocol=udp dst-port=14127
22 chain=output action=passthrough protocol=udp dst-port=2055
23 chain=output action=passthrough protocol=udp dst-port=14127and what a finally see by stats here:[taras@tq] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic

CHAIN ACTION BYTES PACKETS

here was currently disabled rules

14 prerouting passthrough 25 018 584 17 621
15 prerouting passthrough 12 405 537 116 518
16 input passthrough 25 018 584 17 621
17 input passthrough 0 0
18 forward passthrough 0 0
19 forward passthrough 12 405 537 116 518
20 postrouting passthrough 4 194 824 3 041
21 postrouting passthrough 12 405 537 116 518
22 output passthrough 4 194 824 3 041
23 output passthrough 0 0stats shows, that some random traffic via udp:14127 (actually p2p) goes via 15_prerouting-19_forward-21_postrouting chains
but incoming traffic for port 2055 in any case (without regarding to dst-port number, looks like it detected by content) goes to input chain and sinked somewhere in router, and from 22-output chain
here output stats shows only packets, generated by test-router’s traffic-flow.
At last try i actually suppose, that test-router will collect incoming data from outside and send them along with it’s own to my final collector, but no luck.

P.S. here at forum i’ve find a few themes with such problems described:
http://forum.mikrotik.com/t/traffic-flow-and-bridge/68376/1 flow and bridge
http://forum.mikrotik.com/t/missing-traffic-flow-data-from-ccr1036/73660/1 traffic flow data from CCR1036
but both of them describe the problem from other points of view.

try to create NAT rule for some other port, and after that change dst-port on production_gw (although I don’t understand why you need NAT if you can change Target freely)

the problem can be with connection tracking: if TrafficFlow packets go to the router, ConnTrack entry is already created. if you add NAT rule at that moment, it won’t catch any packets because it catches only new connection, and current NetFlow ‘connection’ is not new. just my thoughts

my production router works masquarading clients, of cause, so my test router use similar config – my testbed PC’s placed behind test router’s NAT. for now i just experimenting with catching netflow traffic with different SW, but on PC, that is behind my tester router, not in clients’s segment, so in production config target is my test router, and test router should be traverse this traffic to my real target, and it’s a described problem.

I surprised not by that fact, that something with my src-nat rules goes wrong, but with that fact, that netflow traffic in any way goes to Input chain, without regarding to my NAT rules. this i’ve showed by mangle stats.

so, i’ll restart router and somehow change ports…

yep, simple restart of test router should do the trick

Thank you!
Actually, yes, connections matters.
Moreover, i do not expect such behavior, when stats on dst-nat rule show only one packet per connection, not the total packets being natted.

Thank you once again! now it’s working!