FastNetMon Advanced Mikrotik configuration

In the video below, we cover every step of configuration using WinBox.

After making all the changes shown in the video, change the src address of the NetFlow target to the router's IP to avoid issues with NetFlow delivery to the Linux machine. If you keep it as 0.0.0.0, Linux will discard such traffic.

On the FastNetMon Advanced side, you need to change average_calculation_time:

sudo fcli set main average_calculation_time 60
sudo fcli commit

If you prefer the command line, use the instructions below.

As the first step, please open the NetFlow configuration:

/ip traffic-flow

Then enable NetFlow for all ports with reasonable timeouts:

set enabled=yes
set interfaces=all
set cache-entries=128k
set active-flow-timeout=00:00:30
set inactive-flow-timeout=00:00:30

The 128k value works for almost all carrier-grade devices. If you encounter issues, try 64k, 32k, or 16k instead.

Switch to the NetFlow target configuration:

/ip traffic-flow target

Specify FastNetMon here, replacing 192.168.88.13 with the address of the machine where FastNetMon is installed. You will also need to replace 10.0.0.1 with the IP of your router.

add dst-address=192.168.88.13 src-address=10.0.0.1 port=2055 version=9 v9-template-refresh=1000 v9-template-timeout=15
  • v9-template-timeout configures the delay in seconds between repeat submissions of NetFlow templates to the collector.
  • v9-template-refresh configures the number of NetFlow data packets after which the Mikrotik will send the NetFlow template to the collector again.
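
A NetFlow v9 collector can decode a data flowset only after it has received the matching template, which is why the two template settings above matter after a collector restart. The following added example (not FastNetMon's own code) walks constructed v9 datagrams in arrival order and counts data flowsets that arrive before their template; the function names and sample packets are assumptions made for illustration.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, uptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset_id, length (including this 4-byte header)

def inspect_v9(packet, templates):
    """Walk one NetFlow v9 datagram; `templates` (template_id -> record length)
    is updated in place. Returns (ids_learned, records_decodable, flowsets_orphaned)."""
    if len(packet) < HEADER.size or HEADER.unpack_from(packet)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    learned, decodable, orphaned = [], 0, 0
    offset = HEADER.size
    while offset + FLOWSET.size <= len(packet):
        fs_id, fs_len = FLOWSET.unpack_from(packet, offset)
        if fs_len < FLOWSET.size or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + FLOWSET.size:offset + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break  # trailing padding or truncated record
                fields = struct.unpack_from("!%dH" % (2 * nfields), body, pos + 4)
                templates[tid] = sum(fields[1::2])  # every second value is a field length
                learned.append(tid)
                pos = end
        elif fs_id >= 256:  # data flowset: its id names the template it needs
            rec_len = templates.get(fs_id)
            if rec_len:
                decodable += len(body) // rec_len
            else:
                orphaned += 1  # cannot be decoded until the template is sent again
        offset += fs_len
    return learned, decodable, orphaned

def replay(packets):
    """Feed datagrams in arrival order to a collector with an empty template cache."""
    templates = {}
    return [inspect_v9(p, templates) for p in packets]

# Constructed sample: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1), IN_PKTS(2)
def _packet(count, fs_id, body):
    return HEADER.pack(9, count, 0, 0, 0, 0) + FLOWSET.pack(fs_id, 4 + len(body)) + body

TEMPLATE_PKT = _packet(1, 0, struct.pack("!HH8H", 256, 4, 8, 4, 12, 4, 1, 4, 2, 4))
RECORD = bytes([198, 51, 100, 7, 192, 168, 88, 13]) + struct.pack("!II", 1500, 1)
DATA_PKT = _packet(2, 256, RECORD * 2)
```

Calling replay([DATA_PKT, TEMPLATE_PKT, DATA_PKT]) shows the first data flowset as orphaned and the same flowset as two decodable records once the template has arrived.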

Sampling-enabled NetFlow and IPFIX

Flow tracking is very expensive in terms of CPU resources, and you can reduce CPU usage on the router during DDoS attacks by enabling flow sampling.

FastNetMon supports sampling for RouterOS 6 and 7.

To enable sampling on Mikrotik, apply the following command:

/ip/traffic-flow/set packet-sampling=yes sampling-interval=1 sampling-space=1000

After that, enable the following flag on the FastNetMon side:

sudo fcli set main netflow_v9_read_sampling_rate_in_data_section true
sudo fcli commit

To work around a bug in the RouterOS 6 sampling implementation, you will need to enable logic that ignores sampling rate announcements from the router, as they are encoded incorrectly:

sudo fcli set main netflow_ignore_sampling_rate_from_device enable
sudo fcli commit

After that, specify the sampling rate manually:

sudo fcli set main netflow_sampling_ratio 1000
sudo fcli set main netflow_custom_sampling_ratio_enable enable
sudo fcli commit

If you configured everything correctly but all counters on FastNetMon are zero, check that the source IP for NetFlow/IPFIX on the Mikrotik side is not set to 0.0.0.0 but to the correct IP address. Linux discards traffic coming from 0.0.0.0 because it is not a legitimate IP address. Such packets are called martians.

If you experience any issues, we recommend upgrading to the latest stable version of RouterOS, as it may address previously known issues.