robyhr
just joined
Topic Author
Posts: 19
Joined: Fri May 25, 2007 8:03 pm
Location: Croatia

Traffic Flow changes in 6.29

Sat Jul 25, 2015 1:57 pm

Hello all,

I have a problem with TrafficFlow changes that got implemented in 6.29 (I think).

I have the following network scheme:

Image

I have 2 NATs happening: One masquerades network 10.0.0.0/8 as 192.168.0.2 (on Mikrotik router), and another masquerades network 192.168.0.0/24 to Internet (on ISP router).

Mikrotik has active Traffic Flow on the interface to ISP router and sends flow packets to ManageEngine that collects them.

What I observed after the version upgrade from 6.20 to 6.30.2 (at the same time I also replaced the RB2011 with a CCR, but I doubt that could cause the change) is that upload traffic shows the info I want (source is "10.x.x.x" and destination is "public IP"), but download traffic shows source "public IP" and destination "192.168.0.2" (I used to see 10.x.x.x here instead).

So I now lost the ability to see who from my LAN is downloading, I only see that download destination is Mikrotik that does the NAT.

Is there a way to make Traffic Flow work as it used to work before?

I feel this line from 6.29 changelog is the source of my problem:
*) trafflow: add natted addrs/ports to ipv4 flow info;

Thank you and best regards, Robert
 
robyhr
just joined
Topic Author
Posts: 19
Joined: Fri May 25, 2007 8:03 pm
Location: Croatia

Re: Traffic Flow changes in 6.29

Mon Jul 27, 2015 9:00 am

Bump
 
somewhat
just joined
Posts: 1
Joined: Fri Jul 31, 2015 4:27 am

Re: Traffic Flow changes in 6.29

Fri Jul 31, 2015 4:34 am

Glad I found this, I'm experiencing the same thing with NetFlow and have been spending time trying to figure out what I changed, eventually tied it back to the moment I upgraded from 6.23 to 6.30.2 and suspected the same thing after reviewing the release notes.

Hopefully it is possible to restore the previous behaviour?
 
robyhr
just joined
Topic Author
Posts: 19
Joined: Fri May 25, 2007 8:03 pm
Location: Croatia

Re: Traffic Flow changes in 6.29

Fri Jul 31, 2015 8:54 am

I was analyzing the info that comes from Mikrotik to the Netflow server with Wireshark, and as far as I can tell, NATed addresses come from Mikrotik, so it's not a setting on the Netflow server that is causing this, it's Mikrotik's different behaviour.

Maybe if there would be an option in Netflow settings to make it behave like it did prior to 6.29 please?
 
Chupaka
Forum Guru
Posts: 8397
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Traffic Flow changes in 6.29

Wed Oct 28, 2015 12:21 am

What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
flameproof
Frequent Visitor
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: Traffic Flow changes in 6.29

Thu Nov 12, 2015 4:41 pm

I have just upgraded to 6.33 but still seeing this issue. In my case, I have the WAN interface on 10.20.0.12, and LAN clients on 10.30.0.0/24 with a gateway IP of 10.30.0.1. A client 10.30.0.250 downloads a file from a remote server, and I see these aggregates in my log, when monitoring the WAN interface (using nfacctd):

SRC_IP,DST_IP,PROTOCOL,PACKETS,BYTES
136.243.x.x,10.20.0.12,tcp,3997,5956225
10.20.0.12,136.x.x.157,tcp,2018,105507

If I monitor the LAN interface, the logs show:

SRC_IP,DST_IP,PROTOCOL,PACKETS,BYTES
10.30.0.1,10.30.0.250,tcp,3997,5956225
10.30.0.250,10.30.0.1,tcp,3981,207521

The "without NAT awareness" doesn't seem to work. Can anyone let me know how to enable monitoring like this (simulating what I'd like to see, as the O.P.):

SRC_IP,DST_IP,PROTOCOL,PACKETS,BYTES
136.243.x.x,10.30.0.250,tcp,3997,5956225
10.30.0.250,136.243.x.x,tcp,3981,207521

FYI I've tested with Netflow v1, v5 and v9...
 
Chupaka
Forum Guru
Posts: 8397
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Traffic Flow changes in 6.29

Thu Nov 12, 2015 5:42 pm

hm-m-m... NFv5 works fine for me (we're using 'interfaces=all'), and in v6.33 topic someone said that the problem is now fixed
 
flameproof
Frequent Visitor
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: Traffic Flow changes in 6.29

Fri Nov 13, 2015 11:12 am

OK two thoughts then - one, I'll reboot the router between changes, read in another thread that config changes won't apply to flows still active. I also tested with interfaces 'all'.

Second one, I'm running this on a router running a hotspot service - will masquerading options affect how flows are captured & sent to the targets?

If you can provide an example config that you're running I'd really appreciate it!
 
Chupaka
Forum Guru
Forum Guru
Posts: 8397
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Traffic Flow changes in 6.29

Fri Nov 13, 2015 11:26 am

> Second one, I'm running this on a router running a hotspot service - will masquerading options affect how flows are captured & sent to the targets?

Ahhh, I saw "something unusual" in your data, but haven't read thoroughly. Sure, you see two different flows: from the client to hotspot proxy and from proxy to the server. Just disable 'transparent proxy' option in Hotspot profile — and clients will go to Internet directly
 
flameproof
Frequent Visitor
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: Traffic Flow changes in 6.29

Fri Nov 13, 2015 3:09 pm

> Ahhh, I saw "something unusual" in your data, but haven't read thoroughly. Sure, you see two different flows: from the client to hotspot proxy and from proxy to the server. Just disable 'transparent proxy' option in Hotspot profile — and clients will go to Internet directly

OK - I'll give a bit more background on the setup. I have clients connecting to the router running the hotspot service, but they get an amount of data to be used against the walled garden 'allowed' sites. So, the IP 136.243.x.x is of a host that's allowed through on the whitelist on Walled Garden. Clients are not fully online yet, they have not logged in against the hotspot and thus are only allowed access to the whitelisted sites. If they do login, they start paying for data, which at this point is accounted by RADIUS.

What I want to do with traffic flow is to account for this 'free' data, and signal the server on 136.243.x.x that it should stop supplying data to the particular client once they go past their quota.

On the default User Profile I have transparent proxy turned off. I believe this applies once the user has logged in, correct?

Any other ideas that would achieve what I need will be appreciated :-)
 
flameproof
Frequent Visitor
Posts: 80
Joined: Tue Sep 01, 2015 3:17 pm

Re: Traffic Flow changes in 6.29

Sat Nov 14, 2015 2:27 pm

So I've found a bit more about the flows sent by Mikrotik. In v1 and v5, there is no NAT information, and no matter what masquerade or proxy settings I use, I always get either the public IP, or the private IP, but not the endpoints. It may have to do with having the hotspot service running, when I have time I'll test on a bog-standard router config and see what happens.

In the meantime, using v9 and dissecting with Wireshark, I see this:
Flow 2
    [Duration: 6.060000000 seconds (switched)]
    Packets: 3997
    Octets: 5956225
    InputInt: 0
    OutputInt: 2
    SrcAddr: 10.30.0.1
    DstAddr: 10.30.0.249
    Protocol: TCP (6)
    IP ToS: 0x00
    SrcPort: 64874 (64874)
    DstPort: 50366 (50366)
    NextHop: 10.30.0.249
    DstMask: 0
    SrcMask: 0
    TCP Flags: 0x12
    Destination Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Post Source Mac Address: Routerbo_66:56:53 (d4:ca:6d:66:56:53)
    Post NAT Source IPv4 Address: 136.243.x.x
    Post NAT Destination IPv4 Address: 10.30.0.249
    Post NAPT Source Transport Port: 80
    Post NAPT Destination Transport Port: 50366
Thus, using the markers post_nat_src_host and post_nat_dst_host in the nfacctd config gets the destination and source IPs fine, which is what I wanted.
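
An added example, not part of the thread and not MikroTik's or pmacct's code: a minimal NetFlow v9 decoder that exposes the post-NAT address fields (types 225 and 226) shown in the Wireshark dissection above, plus per-client byte accounting that takes the LAN client from whichever of the pre- or post-NAT fields holds it. The sample packet, the 203.0.113.10 server address (standing in for the redacted one) and the function names are constructed for illustration.

```python
import ipaddress, struct
# NetFlow v9 field types; 225/226 carry the post-NAT IPv4 addresses.
FIELDS = {1: "bytes", 2: "pkts", 8: "src", 12: "dst", 225: "post_nat_src", 226: "post_nat_dst"}

def parse_v9(pkt):
    """Decode the data records of one NetFlow v9 export packet into dicts."""
    if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20            # flowsets follow the 20-byte header
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body, p = pkt[off + 4:off + fs_len], 0
        while fs_id == 0 and p + 4 <= len(body):    # template flowset
            tid, n = struct.unpack_from("!HH", body, p)
            if n == 0 or p + 4 + 4 * n > len(body):
                break                               # padding or truncated template
            templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(n)]
            p += 4 + 4 * n
        tmpl = templates.get(fs_id, []) if fs_id > 255 else []
        size = sum(flen for _, flen in tmpl)
        while size and p + size <= len(body):       # data flowset with a known template
            rec = {}
            for ftype, flen in tmpl:
                raw, p = body[p:p + flen], p + flen
                if ftype in (8, 12, 225, 226):
                    rec[FIELDS[ftype]] = ipaddress.IPv4Address(raw)
                elif ftype in FIELDS:
                    rec[FIELDS[ftype]] = int.from_bytes(raw, "big")
            records.append(rec)
        off += fs_len
    return records

def client_bytes(records, lan, router_ips):
    """Sum bytes per LAN client, taking the client from pre- or post-NAT fields."""
    totals = {}
    for r in records:
        for direction, keys in (("up", ("src", "post_nat_src")), ("down", ("dst", "post_nat_dst"))):
            hits = [r[k] for k in keys if k in r and r[k] in lan and r[k] not in router_ips]
            if hits:
                totals.setdefault(str(hits[0]), {"up": 0, "down": 0})[direction] += r.get("bytes", 0)
    return totals

# Constructed sample: template 256 (src, dst, bytes, pkts, post-NAT src/dst) and two records.
SAMPLE = bytes.fromhex(
    "00090003000000000000000000000001" "00000000"
    "00000020" "01000006" "00080004000c00040001000400020004" "00e1000400e20004"
    "01000034" "0a1e00010a1e00f9005ae28100000f9dcb00710a0a1e00f9"
    "0a1e00f9cb00710a00032aa100000f8d0a14000ccb00710a")
```

Calling `client_bytes(parse_v9(SAMPLE), ipaddress.ip_network("10.30.0.0/24"), {ipaddress.IPv4Address("10.30.0.1")})` attributes both the download and the upload record to 10.30.0.249, even though the download record's plain source address is the router itself.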
