patrickLR

MikroTik RouterBoard, Bridged Ports, Netflow (traffic-flow)

I'm looking at putting a RB450G in place as a sort of 'tap' on a network (between the router and the switch).  My hope is to have the RB act as a silent bridge (possibly bonding two NICs for in traffic and 2 for out traffic) while pushing netflow-v5 to a machine (running silk tools).

I currently have the device running with a bridge covering 4 of the nics.  Placing it between the router and the switch works, all hosts continue to have network access (so the bridge seems to work).  I have also implemented traffic-flow and have enabled it across all interfaces.

My questions:
- Traffic flow does not seem to be reporting all flows, any thoughts on this?
- When looking (in winbox) at the bridge interface, how come the statistics (packets in / out, etc.) do not reflect the combination (summation) of all the ports included in the bridge?
JDLoaner

Is some of the traffic staying on the LAN and not going out the router?
patrickLR

ASKER

All traffic is working fine, that is to say hosts have no idea the MikroTik is in place. I'm just trying to understand the traffic-flow output a bit better, as I don't believe it to be reflective of all traffic going through the bridge I have set up.

Just re-read your question, yes, some traffic is probably not going through the routerboard, but that would be minimal (not many hosts internally), most would be going outside.  Are there any structural / logistical / implementation reasons why setting up traffic-flow on the RB would not lead to seeing all traffic going through it?
Well in all honesty any type of SPAN/Bridge port is not going to see "everything". If you want a better guarantee a hardware tap would be more suitable, however, expensive.
Can you maybe explain a bit about why it wouldn't see everything?  Also, if I were to reconfigure the RB to act as an actual router instead of a 'transparent bridge', I would assume I would actually see all traffic that would pass through the routerboard.
I also noticed you said something about two NICs in and two out, that to me seems like you might be missing some traffic right there. If you want better insight into your router's traffic flow, ONLY span and view the port the router is connected to.
Ignore that part of my post, down the road I would look at maybe bonding two ports together just for throughput reasons.

At the moment I have a bridge set up on the RB that includes all ports (although only two are actually connected, eth1 for external / router, eth2 for internal / our switch).  Traffic-flow is enabled and monitoring those two ports.  Can you see any reason this would not see all traffic passing through the bridge?

ASKER CERTIFIED SOLUTION
meverest

This solution is only available to members.
Will this hamper traffic at all?  I assume by enabling the firewall the default setting is 'no rules'?

Thanks,
-P
>> will this hamper traffic at all?  

Not likely - there may be some impact on performance, but if your CPU is not pegged already, then you probably won't notice any difference.

>> I assume by enabling the firewall the default setting is 'no rules'?

Correct assumption ;-)

Cheers!
Thanks, I've turned on ip firewall. Although I can't find any good docs to explain how this relates to traffic-flow reporting, I do seem to be getting some better information now.  I've given you credit for the answer.

I do have a couple follow up questions, feel free to answer:
- Should I give ip addresses to the interfaces on the RB themselves?  (I have, just wondering what difference it makes)
- Do you know of any better sources of information about routerboards and different config examples of them besides their wiki?

Thanks,
-P
G'day,

>> - Should I give ip addresses to the interfaces on the RB themselves?  (I have, just wondering what difference it makes)

I can't think of any benefit you will get from that - if you aren't routing through the system, then there's no real need for addresses bound to the interfaces at all!

>> - Do you know of any better sources of information about routerboards and different config examples of them besides their wiki?

Apart from the mikrotik wiki and the mikrotik forums, there is not a great deal of info.  There are some places that have a little bit of interesting detail (e.g. http://shop.duxtel.com.au/articles.php?tPath=5) but the official sites are still the best resource available.

Cheers!
Thanks, I'll probably leave one port out of the bridge with a dhcp server on it (convenience) so I can manage the thing without needing to hook into the serial port, unless you have better suggestions.

Thanks for the link, I'll keep reading the wiki and forums, cheers.

-P
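The inline-bridge-plus-traffic-flow arrangement this thread settles on (bridge, IP firewall switched on for bridged traffic, NetFlow v5 export, one management port kept out of the bridge), written out as an added RouterOS v6 configuration example that is not from the original posts or MikroTik's own docs. Interface assignments, the collector address 192.0.2.10:2055 and the 10.255.255.0/29 management subnet are assumptions constructed for the example.

```routeros
# Added example, not from the thread. Assumptions: ether1 faces the router,
# ether2 faces the switch, ether5 is the out-of-bridge management port,
# the SiLK collector listens on 192.0.2.10:2055 (RFC 5737 doc address).

# 1. Transparent bridge over the two inline ports. protocol-mode=none keeps
#    the box from emitting STP BPDUs, so the hosts see no change in path.
/interface bridge add name=bridge1 protocol-mode=none
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2

# 2. Weak setting (the state the thread starts from): with the IP firewall
#    not applied to the bridge, frames are switched below the IP stack and
#    traffic-flow, which accounts at the IP layer, misses most of them.
# /interface bridge settings set use-ip-firewall=no

# 3. Corrected setting: push bridged IP packets through the IP firewall so
#    traffic-flow can account them. With no filter rules present nothing is
#    blocked, which matches the "no rules by default" point in the thread.
/interface bridge settings set use-ip-firewall=yes

# 4. NetFlow v5 export for the two tapped ports only.
/ip traffic-flow set enabled=yes interfaces=ether1,ether2
/ip traffic-flow target add dst-address=192.0.2.10 port=2055 version=5

# 5. Management port outside the bridge: an address plus a tiny DHCP pool,
#    so the device is reachable without the serial console. No addresses are
#    bound to the bridged ports themselves; the tap stays silent on the wire.
/ip address add address=10.255.255.1/29 interface=ether5
/ip pool add name=mgmt-pool ranges=10.255.255.2-10.255.255.6
/ip dhcp-server network add address=10.255.255.0/29 gateway=10.255.255.1
/ip dhcp-server add name=mgmt interface=ether5 address-pool=mgmt-pool disabled=no

# 6. Check that flows for hosts behind the switch are now being accounted.
/ip traffic-flow print
```

The target syntax above is the RouterOS v6 form; older releases took a combined address:port argument, so check the target parameters on the running version before copying it.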
>> I'll probably leave one port out of the bridge with a dhcp server on it (convenience) so I can manage the thing without needing to hook into the serial port

winbox can connect to a device by MAC address only - no need for an IP address there either!

Cheers.
That I did not know, thank you!

(I'm generally finding this device to be quite good, but the lack of 'not beginner, not expert' documentation a bit difficult.  All the wiki stuff tends to be overly simplistic or lacks explanation for the more complicated stuff)

Again, thanks,
-P
Hi,

Yes - if you are not already relatively highly experienced, many of those advanced functions seem little more than 'black magic'.

There is a book though: http://shop.duxtel.com.au/product_info.php?products_id=87

available from various sellers.

Cheers!
Hi, opening up this thread again. I've had great success with placing the RB between a network's router and switch for getting traffic flow data, now I'm trying to place it off of a spanning port (monitor port) instead of inline, anyone have any suggestions / thoughts on how well this works?  Do I need to change anything on the RB itself?

-P