Hello, we are currently testing pfSense 2.0.3 (i386) and I have the following problems with the flow export (i386, because Chris said at the Amsterdam pfSense training course that it is still preferable to use i386 if you do not need more then the 4Gig of ram, because it's better tested, etc.):
Short lived flows show up in our Monitoring system perfectly. Long running flows do not show up with pfflowd exporter until they are finished. Softflowd handles the long flows (IMO) correctly, every X (5?) minutes it sends a flow report. Let me explain with the following example: We use nfsen as the netflow data viewer and it displays the data in 5 minute intervals. We want to use nfsen alerts for excessive traffic, possible congestion problems, etc. Now I downloaded a 4GIG Debiann Install DVD Iso. While the download is in effect: * pfflowd does not show the current traffic. * With softflowd I see the bandwidth used (10.4Mb/s in this case) correctly. After the download I see this bandwidth summary (for the last 5 minute timeslot): * pfflowd: 225.3 Mb/s * softflowd: 10.5 Mb/s It seems that softflowd does send netflow data every 5 minutes and therefore the monitoring system is able to display the (5 minute interval) usage of traffic just fine and we can set alarms to be triggered. pfflowd seems to just send the flow data after the flow is finished, leaving us with our heads scratching while the download is in progress and then giving us a ridicilous summary in the timeslot directly after the download is finished. I would just use softflowd and get on with it, but one of our requirements is that we monitor our VPN connections (Hardware VPN's, configured like WAN interfaces). pfflowd shows just fine the SNMP Interface indices for every Interface (we have 5 LAN's (WLAN, LAN, 2 fiber connections to other office buildings) 5 WAN's (redundancy, etc.) and 3 VPN's). So with pfflowd we can monitor input and output interfaces, but we will have a hardtime checking long running flows in realtime. Softflowd handles the realtime just fine, but I loose the ability to check where the traffic went, as everything appears to be from the same interface. I tried configuring pfflowd with version 9 instead of version 5, but I get corrupted netflow data packages. Some packages have traffic in the Terrabit/s regions, IP's are sometimes mangled. I am not sure if this is a bug in regard to pfflowd and using i386 as the platform, it seems as there are some 32bit / 64bit confusion, but I could not verify this bit. Can anybody help me on how to get the system setup so pfflowd exports in 5 minute intervals correctly for those long lived flows, or is there a bug somewhere? Thank you, best regards Ray --
_______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
