Known bugs
We’re aware that Netflow v9 is completely broken in RouterOS v7.12 and we’re not aware of a fix for it. If you’re affected by this issue, please report it to support@mikrotik.com
Introduction
We have a video that covers every step of the configuration using WinBox.
After making all the changes shown in the video, you must change the src address for the Netflow target to the router's IP to avoid issues with Netflow delivery to the Linux machine. If you keep it as 0.0.0.0, Linux will discard such traffic.
On the FastNetMon Advanced side you need to change average_calculation_time:
sudo fcli set main average_calculation_time 60
sudo fcli commit
If you prefer to use the command line, you can continue with the instructions below.
As a first step, open the Netflow configuration:
/ip traffic-flow
Then enable Netflow for all ports with suitable timeouts:
set enabled=yes
set interfaces=all
set cache-entries=128k
set active-flow-timeout=00:00:30
set inactive-flow-timeout=00:00:30
The 128k value works for almost all carrier-grade devices. If it does not work for you, try 64k, 32k or 16k.
Switch to the Netflow target configuration:
/ip traffic-flow target
Specify FastNetMon here, replacing 192.168.88.13 with the address of the machine where FastNetMon is installed. You will also need to replace 10.0.0.1 with the IP of your router.
add dst-address=192.168.88.13 src-address=10.0.0.1 port=2055 version=9 v9-template-refresh=1000 v9-template-timeout=15
- v9-template-timeout configures the delay in seconds between repeated submissions of Netflow templates to the collector.
- v9-template-refresh configures the number of Netflow data packets after which Mikrotik sends the Netflow template to the collector again.
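The template settings above matter because a Netflow v9 collector cannot decode data FlowSets until it has received the matching template. The following added example (not FastNetMon or Mikrotik code) parses Netflow v9 datagrams following RFC 3954 and reports, per source IP, whether a template has arrived yet; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct
import sys

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def classify_v9(packet):
    """Count template (ID 0), options-template (ID 1) and data (ID >= 256) FlowSets."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("datagram shorter than the 20-byte NetFlow v9 header")
    version = V9_HEADER.unpack_from(packet)[0]
    if version != 9:
        raise ValueError("not NetFlow v9, version field is %d" % version)
    counts = {"template": 0, "options_template": 0, "data": 0}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("FlowSet length %d does not fit the datagram" % length)
        if flowset_id == 0:
            counts["template"] += 1
        elif flowset_id == 1:
            counts["options_template"] += 1
        elif flowset_id >= 256:
            counts["data"] += 1
        offset += length
    return counts

def sample_packet(with_template):
    """Constructed datagram: optional template 256 (two IPv4 address fields) plus one data FlowSet."""
    template = struct.pack("!8H", 0, 16, 256, 2, 8, 4, 12, 4) if with_template else b""
    data = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 5]), bytes([192, 168, 88, 20]))
    header = V9_HEADER.pack(9, 2 if with_template else 1, 1000, 1700000000, 1, 0)
    return header + template + data

if __name__ == "__main__":
    # The UDP port must be free: stop FastNetMon first or pass another port as the argument.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2055
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    seen_template = set()
    while True:
        payload, (src_ip, _) = sock.recvfrom(65535)
        try:
            counts = classify_v9(payload)
        except ValueError as err:
            print(src_ip, "skipped:", err)
            continue
        if counts["template"]:
            seen_template.add(src_ip)
        state = "decodable" if src_ip in seen_template else "waiting for template"
        print(src_ip, counts, state)
```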
Sampling enabled Netflow and IPFIX
Flow tracking is very expensive in terms of CPU resources, and you can reduce CPU usage on the router during DDoS attacks by enabling flow sampling.
FastNetMon supports sampling for RouterOS 6 and 7.
To enable sampling on Mikrotik, apply the following command:
/ip/traffic-flow/set packet-sampling=yes sampling-interval=1 sampling-space=1000
After that you need to enable the following flag on the FastNetMon side:
sudo fcli set main netflow_v9_read_sampling_rate_in_data_section true
sudo fcli commit
To address a bug in the RouterOS 6 sampling implementation, you will need to enable logic that ignores sampling rate announcements from the router, as they’re encoded incorrectly:
sudo fcli set main netflow_ignore_sampling_rate_from_device enable
sudo fcli commit
After that you have to specify the sampling rate manually:
sudo fcli set main netflow_sampling_ratio 1000
sudo fcli set main netflow_custom_sampling_ratio_enable enable
sudo fcli commit
If you configured everything correctly but all counters on FastNetMon are zero, check that the source IP for Netflow / IPFIX on the Mikrotik side is not set to 0.0.0.0 but to the correct IP address. Linux discards traffic coming from 0.0.0.0 because it is not a legitimate IP address. Such packets are called martian packets.
If you experience any issues, we recommend upgrading to the latest stable version of RouterOS, as it may address previously known issues.