Today I will show you how to configure NetFlow export on PfSense, one of the more popular open source firewalls.

PfSense is a great firewall that includes a long list of related features, as well as a package system that allows for further expandability. One of the many packages available is pfflowd, which converts OpenBSD PF status messages into Cisco NetFlow datagrams. This lets you export flow data to an external collector, which gives you historical reporting of your network activity. Installing this package is very easy and takes very little time. Here are three steps to get you going:

  • Simply navigate to System > Packages > Available Packages.
  • Click on the plus box to the right of pfflowd to begin the installation.

  • You can find its configuration at the following location: Services > pfflowd. In this menu, set the host IP and change the NetFlow Version to 5. NetFlow is then exported to your flow collector.

Do you know what, where and who has been hogging the bandwidth on your network? If not, what is stopping you? Even open source software supports NetFlow, so there’s no excuse to ignore its full potential. Call us today if you need help configuring your PfSense NetFlow export!

Jamie Lee

Jamie Lee is Regional Manager for the West Coast at Plixer. He works with prospects to solve the unique needs of their network and goes onsite to visit existing customers and assist with training. He enjoys developing new partnerships and building long-lasting relationships with his clients. Jamie loves the outdoors, and his favorite hobbies include fishing, hiking, and football.

4 comments on “PfSense NetFlow Export”

  1. Great post! I’ve set this up and am getting good results, but curious why I’m frequently getting “Conversations Exported Infrequently” warnings from this flow. The embedded help page for this topic shows suggestions for adjusting Cisco ip flow-cache timeouts. Any suggestions to tweak the settings for pfflowd or within Scrut itself? I prefer to not have any warnings on my status page…. green is good!
    Thanks
    -S

    1. I’m guessing that PfSense does not have a metering process for long-lived flows (conversations occurring over 60 seconds).

      Jimmy, can you confirm this or post instructions on how to meter long-lived flows from PfSense?

  2. Hello-

    I’m trying this out but am having trouble with the “Source Hostname/IP” field. It’s blank in your screenshot above. When I try that and hit Save I get “You must specify a valid ip address in the ‘Host’ field”. I’ve tried putting one of the firewall’s IP addresses or its hostname in there but I still get the same error. Any ideas here would be appreciated. I can’t find much on it.

  3. Stephan: Unfortunately this tool has a hard coded flow timeout setting. I am looking into editing the source, and alternate probe options such as Vermont or nProbe; I will update this blog when something better is found.

    Jeff: If you leave that value blank, it should default to whatever interface is facing the collector’s address. If this is not working for you, enter the address of the interface that will be able to communicate with the collector. For troubleshooting you can use Wireshark to confirm if flows are making it to the server.
