Setting up Netflow on UniFi Security Gateway

In my last post, I showed how to use the config.gateway.json file to set up a conditional forwarder on a UniFi Security Gateway. Since the UniFi Security Gateway runs the EdgeOS firmware underneath, you can set just about anything on the security gateway that you would be able to configure on an EdgeRouter.

This time around, I found myself looking to set up NetFlow monitoring. If you're not familiar, NetFlow is used to monitor network traffic so you can recognize sources of congestion, traffic irregularities, and other useful information about what is crossing the network. It can be a little difficult to set up a NetFlow monitoring system yourself, but there are many tools that can ingest NetFlow data.

I won't go over again how to find the config.gateway.json file for your gateway or what it is. If you want that, you can read my last post. For the NetFlow collection server, I'm running nfdump on a Raspberry Pi. When you install nfdump, it automatically sets up a NetFlow collector on port 2055. So here is what I can add to the config.gateway.json file to enable collection:

"system": {
    "flow-accounting": {
        "ingress-capture": "post-dnat",
        "interface": "eth0",
        "netflow": {
            "version": "9",
            "server": {
                "192.168.1.2": {
                    "port": "2055"
                }
            }
        }
    }
}

In the JSON above, my NetFlow collector is running on 192.168.1.2, and eth0 is the LAN 1 port on a USG Pro 3. After adding that to the JSON file, force your gateway to reprovision so the new configuration is applied.
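As an added example (not code from the original post), here is a small Python helper that builds the fragment above and deep-merges it into an existing config.gateway.json rather than replacing the whole "system" key, so settings already under "system" (the host-name entry below is a constructed sample) survive the edit:

```python
import copy
import ipaddress
import json

# Constructed sample of an existing config.gateway.json that already carries a
# "system" section; host-name is a standard EdgeOS key, the value is made up.
EXISTING_CONFIG = {"system": {"host-name": "usg"}}


def flow_accounting_fragment(interface, collector_ip, port=2055, version=9,
                             ingress_capture="post-dnat"):
    """Build the system/flow-accounting overlay from the post, validating inputs.
    Values are emitted as strings, matching how the post's JSON is written."""
    addr = ipaddress.ip_address(collector_ip)  # raises ValueError on garbage
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "system": {
            "flow-accounting": {
                "ingress-capture": ingress_capture,
                "interface": interface,
                "netflow": {
                    "version": str(version),
                    "server": {str(addr): {"port": str(port)}},
                },
            }
        }
    }


def deep_merge(base, overlay):
    """Return a copy of base with overlay merged in; nested dicts are merged
    key by key instead of replaced, so sibling settings are kept."""
    merged = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        elif key in merged and isinstance(merged[key], dict) != isinstance(value, dict):
            raise TypeError(f"conflicting types for key {key!r}")
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def render(config):
    """Serialise with stable key order so the file diffs cleanly between edits."""
    return json.dumps(config, indent=4, sort_keys=True)


if __name__ == "__main__":
    fragment = flow_accounting_fragment("eth0", "192.168.1.2")
    print(render(deep_merge(EXISTING_CONFIG, fragment)))
```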

Bonus tip

UniFi Security Gateways run on Debian, so there are some pretty powerful tools built into the OS of the appliance. If you SSH into the gateway, you can check whether NetFlow data is being sent by running the following command:

sudo tcpdump -i any -n port 2055

After a moment, you should see tcpdump print the packets being sent to port 2055 on any of the gateway's interfaces. tcpdump is extremely powerful if you want to look at the raw network data flowing across the gateway.