Hello, at some version about 6.48 i saw a new directive nat-events in /ip traffic-flow ipfix
I turn it on but nothing happens, even at version 6.49.2
I expected to receive field type 230 (NAT event) in IPFIX packets.
my question: what does the directive nat-events do
Yes it sends NAT events. It is a separate template with ID 260.
Unfortunately there is a bug: when this nat-events=yes setting is not done, the events are still sent but the template is not.
When you enable nat-events=yes, both the template and events are sent.
Thank you very much.
Yes, I see a data for template id 260, but no template for this template id is received.
Please, tell me where I wrong
/ip traffic-flow export
feb/07/2022 16:19:45 by RouterOS 6.49.2
software id = VLYL-F3UI
model = 951G-2HnD
serial number = 4F430404082F
/ip traffic-flow
set active-flow-timeout=1m enabled=yes interfaces=br_aster
/ip traffic-flow ipfix
set dst-address-mask=no dst-mac-address=no first-forwarded=no gateway=no icmp-code=no icmp-type=no igmp-type=no
in-interface=no ip-header-length=no ip-total-length=no ipv6-flow-label=no is-multicast=no last-forwarded=no
nat-events=yes out-interface=no src-address-mask=no src-mac-address=no sys-init-time=no tcp-ack-num=no
tcp-flags=no tcp-seq-num=no tcp-window-size=no tos=no ttl=no udp-length=no
/ip traffic-flow target
add dst-address=10.60.248.34 port=2020 v9-template-timeout=20s version=ipfix
For me, once I enable nat-events=yes it sends the template.
please, tell me, what ROS version you are using
Same, 6.49.2
thank you.
pe1chl, please give me you configuration.
I dont know, why I doesn’t see templates for ID 260.
I use this:
/ip traffic-flow
set active-flow-timeout=3m cache-entries=512k enabled=yes \
inactive-flow-timeout=5m interfaces=....
/ip traffic-flow ipfix
set dst-address-mask=no first-forwarded=no gateway=no igmp-type=no \
in-interface=no ip-header-length=no ipv6-flow-label=no is-multicast=no \
last-forwarded=no out-interface=no src-address-mask=no sys-init-time=no \
tcp-ack-num=no tcp-flags=no tcp-seq-num=no tcp-window-size=no ttl=no \
udp-length=no
/ip traffic-flow target
add dst-address=.... port=4739 version=ipfix
With this config, it sends ID 260 messages but it never sends the template description.
When I add nat-events=yes it sends the description and continues to send the events.
IMHO it is wrong, I do not need or want the nat events so it should not send them when
I have not enabled them.
thank you.
I understood you.
but I have a problem that I can’t see the template. even nat-events=yes
downloaded NetFlow Analyzer and the software told me:
Error in processing flows for device with ip 10.1.1.39 as template information is not received from the device.
and the error hangs in active.
now I have two netflow collectors, who doesn’t see template for ID 260
what settings do you have
v9-template-refresh
v9-template-timeout
in /ip traffic-flow target ?
The above are all my settings.
thank you. you have default values.
That is right. The low active-flow-timeout value is because the counters in the traffic-flow are only 32 bits (even when the fields are 64 bits, only 32 are used) so I wanted to limit the number of wrap-arounds that occur. Hopefully at some time MikroTik will fix that bug and the active-flow-timeout can be set much higher.
Otherwise I just have made a selection of the columns relevant to me and have not changed anything else.
When the nat-events capability was added in 6.49 I started to notice ID 260 events without a template, and I reported that. Then I noticed the new checkmark, set it, and the template appeared.
MikroTik noted it as a bug.
Mikrotik support answered me about the absence of template:
It’s a bug and it will be fixed in the upcoming RouterOS releases.
What’s new in 7.2 (2022-Mar-31 12:11):
…
*) traffic-flow - do not handle NAT events when “nat-events” is disabled;
…