Community discussions

MikroTik App
 
mdpeterman
just joined
Topic Author
Posts: 7
Joined: Sat Nov 17, 2012 7:53 pm

NetFlow. No longer showing NAT'd destination address - Something chnaged

Sun Aug 02, 2015 2:11 am

Hello!
I have been using the NetFlow exporter for a while now. Since setup, my NetFlow collector has always shown the traffic in both directions, and it has always shown the NAT'd IP of the endpoints, now it only is exporting the IP flows as traffic to my WAN interface. I know that is confusing so let me explain.
My WAN interface has IP 73.1.1.2 for example, and I am downloading a 100MB file from a server with IP 50.50.50.50 from my computer which is being NAT'd by the Mikrotik with an IP address 10.10.10.10

The NetFlow results used to export the flow as 100MB from 50.50.50.50 > 10.10.10.10
Instead now it shows the flow as 100MB from 50.50.50.50 > 73.1.1.2
While this still shows what traffic is entering my network and how much, it no longer provides me what client device specifically requested it. What configuration change would have caused this? I uses be be on 6.something (less than 6.30), and now I am on 6.30.2

Thanks!
 
mdpeterman
just joined
Topic Author
Posts: 7
Joined: Sat Nov 17, 2012 7:53 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Wed Aug 05, 2015 6:58 am

I found that it is a bug in 6.29 and up it seems? I downgraded back to 6.21 and all is resolved. Hope they resolve the issues with the next release. I tested on 6.3.2 and the issue persisted.
 
sil200
just joined
Posts: 2
Joined: Sat Jun 13, 2015 1:11 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Thu Aug 06, 2015 7:46 am

Same issue. It started with 6.29. In change log of 6.30.2 they have posted fix in traffic flow, but it still does not work.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Wed Oct 28, 2015 12:20 am

this should fix that:
What's new in 6.33rc33 (2015-Oct-26 11:50):
*) trafflow - report flow addresses in v1 and v5 without NAT awerness
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Fri Oct 30, 2015 3:16 pm

if you want, full reporting use the v9 template. It has separate fields to see what traffic is what. Unfortunately, there was an overwhelming amount of requests to revert it back. Since V9 allows flexibility required it was left there.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Fri Oct 30, 2015 3:29 pm

Janis, that's what I wrote you on Sept, 14th: v5 should stay old way (because changing it breaks everything making v5 useless), v9 - receive additional NAT info :)

so, seems like 6.33 has ideal combination for NetFlow, thanks :)
 
Begetan
Frequent Visitor
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Fri Nov 27, 2015 12:46 am

Could you tell me please where to find out NetFlow version 9 template description for ROS 6.33 ?

I want to set up netflow collector but don't know template format.

Is it cisco NEL or NSEL or something else ?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Fri Nov 27, 2015 2:22 am

Template format? What do you mean? NetFlow packets contain information about the format of actual NetFlow data :)
 
Begetan
Frequent Visitor
Frequent Visitor
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Sat Nov 28, 2015 3:24 pm

Netfow 9 supports templates for data fows. There is some well know template formats supported by other vendors. For example there is Cisco NEL (NAT event logging).

What is the Mikrotik Netfow v9 template format? If it's vendor specific better to update documentaton here: http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

People should update their netflow collectors which is working with well known predifine templates.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Nov 30, 2015 2:35 pm

1) you cannot change template format in RouterOS (for example, you cannot remove unnecessary fields)
2) template format is sent in NetFlow packets every v9-template-refresh packets or every v9-template-timeout seconds, so netflow collector knows exact format even if it didn't know it ever before :) you don't need any 'predefined' templates
 
chilek
just joined
Posts: 2
Joined: Thu Nov 30, 2017 6:43 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Thu Nov 30, 2017 6:45 pm

@Chupaka: netflow template sent periodically by CCR have nothing in common with NAT event logging. We need to log NEL/NSEL to store exact conntrack creation and deletion events.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Fri Dec 01, 2017 9:42 am

RouterOS NetFlow sends flows, not events :)
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Jan 27, 2020 1:54 pm

Also have this issue!

6.44.6, Traffic Flow Version: 9

How to fix it?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Jan 27, 2020 6:53 pm

Just check all fields in the packet, not only basic ones.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Jan 27, 2020 7:11 pm

what are you speaking about?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Jan 27, 2020 10:09 pm

 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Jan 27, 2020 10:40 pm

where to set these fields?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 12:02 pm

Set?.. You don't set it, they simply exist in NetFlow v9 packets and you just need to read them.

For IPFIX, you may select them to be included in the data:

Screen Shot 2020-01-28 at 13.04.26.png
You do not have the required permissions to view the files attached to this post.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 12:11 pm

all of these items are already selected by default
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 3:56 pm

They are about IPFIX, not NetFlow v9. NetFlow v9 contains all those fields, you cannot change it.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 4:13 pm

and what should I do?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 5:33 pm

Just use that data where you need it.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 5:37 pm

maybe you do not understand my message?

I also have this issue
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 5:40 pm

What issue? If you look at not-NAT'ed addresses and see not-NAT'ed addresses instead of NAT'ed addresses - it's how it should be. You need to look at NAT'ed addresses to see NAT'ed addresses. Both are available in NetFlow v9 data.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Jan 28, 2020 5:53 pm

I have same issue as described in mdpeterman first post.
NetFlow Analyzer -> Inventory -> Devices-> SomeRouter -> InternalInterface -> Destination (OUT)
shows me external public IP instead of internal private ip-addresses
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Wed Jan 29, 2020 3:35 pm

I think you should ask Netflow Analyzer if they support necessary fields, like https://www.plixer.com/blog/cisco-asr-n ... tflow-nat/ does.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Aug 03, 2020 12:00 pm

Chupaka
I think you should ask Netflow Analyzer if they support necessary fields
I asked Mikrotik support. First they blamed the analyzing software, but then they admitted:
we currently don't have NAT events available in current stable/long-term releases. We are working to implement the support for them in upcoming testing versions.
Best regards,
Guntis G.


facepalm.jpg
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Aug 03, 2020 4:26 pm

But NAT events is completely different thing. NAT information is available in NetFlow v9 data fields for a long time already.
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Aug 03, 2020 5:35 pm

I dont known why Mikrotik support talk about "NAT events".

Answer from ManageEngine Netflow Analyzer developers:

Hi ,

Mikrotik device do not send NAT information in the netflow packets. If the device can send NAT information over the flows, we will be able to show you the details.

How happy are you with our service?


Thanks and Regards,

Lenin
DID: +1 408 916 9595
[Knowledge Base | Tech Videos | Free Training]
[Network and Server Performance Management | Application Performance Management | Firewall Policy and Log Management | Network Traffic Analysis | Network Configuration Management]

TOLL FREE NUMBERS:
US : +1 888 720 9500 | Intl : +1 925 924 9500
US Intl : +1 800 443 6694 (alternative number)
Australia : +1 800 631 268 | UK : 0800 028 6590
SELECT IVR OPTION: 3 AND 6
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Aug 03, 2020 5:51 pm

You may simply sniff your Traffic Flow packets and check with WireShark if there are postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort and postNAPTDestinationTransportPort fields.
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Aug 03, 2020 6:17 pm

You may simply sniff your Traffic Flow packets and check with WireShark if there are postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort and postNAPTDestinationTransportPort fields.
I've done this recently and can confirm v9 DOES have these field populated.
Captured on a RB3011 running 4.46.6

Now IPFIX *HAS* bugs, I've opened a ticket but euh ... no real resolution. There is a serious issue with the time-references in these packets.
There appears to be a bug in how the timestamps are crafted in those IPFIX packets: field types 21 (flowEndSysUpTime) and 22 (flowStartSysUpTime), that is start and end times relative to the SysUpTime of the device, except IPFIX - that is a difference with NetFlow v9 - has no provision to send SysUpTime as part of its header. So Absolute times should be used instead in IPFIX.

When capturing IPFIX I see things like

SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TIMESTAMP_START,TIMESTAMP_END,PACKETS,BYTES
172.29.42.250,176.9.168.180,38310,232,tcp,2020-06-19 12:12:58.000000,1970-01-01 01:00:00.000000,3,208
176.9.168.180,91.171.127.161,232,38310,tcp,2020-06-19 12:12:58.000000,1970-01-01 01:00:00.000000,2,208
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Mar 09, 2021 12:00 pm

Chupaka
You may simply sniff your Traffic Flow packets and check with WireShark if there are postNATSourceIPv4Address, postNATDestinationIPv4Address, postNAPTSourceTransportPort and postNAPTDestinationTransportPort fields.

These fields are present, but issue is also present even with latest version NetFlow Analyzer 12.5.357.
Issue appeared after updating ROS version a few years ago.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Mar 09, 2021 1:53 pm

These fields are present, but issue is also present even with latest version NetFlow Analyzer 12.5.357.
You mean, this issue?
Mikrotik device do not send NAT information in the netflow packets
So, MikroTik device sends those fields, but it doesn't send them? Schrodinger Router?
 
mikruser
Long time Member
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Tue Mar 09, 2021 2:09 pm

I absolutely do not care if there are any fields there or not.
I say that after a certain version of the ROS there was a issue.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Mon Mar 15, 2021 7:14 pm

"An issue" for you is a fix for someone else who didn't want to see semi-NAT'ed flows (with DST-NAT applied and SRC-NAT not applied), for example :)
 
haver
just joined
Posts: 21
Joined: Fri Oct 05, 2012 4:02 pm

Re: NetFlow. No longer showing NAT'd destination address - Something chnaged

Thu Sep 09, 2021 9:53 pm

I have some problems with netflow v9 and ipfix. My ROS version is 6.48.4
For law regulations we send netflow statistics for NAT translations check. I recieved request to fix incorrect address in NAT address field. I have source internal address there with port 0 instead of external NAT address. I installed nfdump and checked it mysel. Here is the example of incorrect data. Maybe anybody had the same problem? Thank's in any advise!
Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
10.123.4.32:32878 -> 142.250.74.110:80 10.123.4.32:0 -> 142.250.74.110:80 52 0
10.123.4.25:45028 -> 35.224.115.53:443 10.123.4.25:0 -> 35.224.115.53:443 120 0
10.123.4.32:32878 -> 142.250.74.110:80 10.123.4.32:0 -> 142.250.74.110:80 52 0
10.123.4.32:32878 -> 142.250.74.110:80 10.123.4.32:0 -> 142.250.74.110:80 52 0
10.123.4.25:52824 -> 35.192.123.31:443 10.123.4.25:0 -> 35.192.123.31:443 120 0
10.123.4.25:35622 -> 35.193.228.251:443 10.123.4.25:0 -> 35.193.228.251:443 120 0

Who is online

Users browsing this forum: Ahrefs [Bot], apitsos, Bing [Bot], eworm, GoogleOther [Bot], moorezilla, orionren, raiod and 93 guests