Setting up a GRE Tunnel to send Netflow to a remote machine

This document explains how to set up a point-to-point GRE tunnel that routes Netflow packets to a remote Trisul server.

The gateway machine is at one end of the tunnel and the Trisul server is at the other end. All your routers can send Netflow to the gateway machine on port 2055 or 5111. The packets are then sent to the Trisul server through the tunnel.

Substitute the following settings in this guide to suit your environment:

  1. Trisul Probe real IP :
  2. Gateway Node real IP : (both should be able to ping each other)
  3. Port used : UDP 5111
  4. GRE tunnel for the point to point tunnel : (not visible outside)

Ensure kernel module ip_gre is loaded

On the machine, ensure the ip_gre kernel module is loaded. If you are using an LXC or Docker container, ensure the kernel on the host has the module loaded.

modprobe ip_gre

Loading this kernel module creates a device called gre0.

Setup GRE on the gateway node

On the gateway machine with IP

Stop firewalld or ufw

ufw disable
systemctl stop firewalld 

The tunnel address

ip tunnel add gre1 mode gre remote local ttl 255
ip link set gre1 up
ip addr add dev gre1

The interface gre1 should now be up and ready:

# ip route
dev gre1 proto kernel scope link src
dev docker0 proto kernel scope link src linkdown
dev enp2s0 proto kernel scope link src

Use IPTables to DNAT to the remote GRE

On the gateway node.

iptables -t nat -A PREROUTING -p udp --dport 5111 -j DNAT --to-destination
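
The gateway-side steps above collected into one dry-run script, as an added example that is not part of the original guide. The variable names and the placeholder addresses are assumptions, and the script swaps the guide's firewall shutdown for two narrow allow rules plus IP forwarding, assuming a host managed with plain iptables.

```shell
#!/bin/sh
# Added example: gateway-side steps of this guide as a dry-run plan.
# All addresses below are constructed placeholders; substitute your own.
GATEWAY_REAL="${GATEWAY_REAL:-192.0.2.10}"   # gateway node real IP
PROBE_REAL="${PROBE_REAL:-198.51.100.20}"    # Trisul probe real IP
GW_TUN="${GW_TUN:-10.255.0.1/30}"            # gateway end of the tunnel
PROBE_TUN="${PROBE_TUN:-10.255.0.2}"         # probe end of the tunnel
PORT="${PORT:-5111}"                         # Netflow UDP port from the guide

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the gateway commands in order; nothing is executed here.
gateway_plan() {
    for addr in "$GATEWAY_REAL" "$PROBE_REAL" "${GW_TUN%/*}" "$PROBE_TUN"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    # Assumption of this example, not from the guide: ip_forward and the two
    # -I allow rules (protocol 47 is GRE). The other lines mirror the guide.
    cat <<EOF
modprobe ip_gre
ip tunnel add gre1 mode gre remote $PROBE_REAL local $GATEWAY_REAL ttl 255
ip link set gre1 up
ip addr add $GW_TUN dev gre1
sysctl -w net.ipv4.ip_forward=1
iptables -I INPUT -p 47 -s $PROBE_REAL -j ACCEPT
iptables -I FORWARD -o gre1 -p udp -d $PROBE_TUN --dport $PORT -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport $PORT -j DNAT --to-destination $PROBE_TUN:$PORT
EOF
}

# Dry run by default; APPLY=1 (as root) runs the same plan, stopping on error.
if [ "${APPLY:-0}" = 1 ]; then
    plan=$(gateway_plan) && printf '%s\n' "$plan" | sh -e
else
    gateway_plan
fi
```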

Create other side of tunnel on Trisul probe node

On the Trisul probe machine with real IP

ip tunnel add gre1 mode gre remote  local  ttl 255
ip link set gre1 up
ip addr add  dev gre1

Now both sides should be able to PING the other on the and addresses.

Run Trisul on gre1 in LIBPCAP mode

The Trisul Probe node will now receive all the router Netflow on the new gre1 interface.

  1. Login as admin
  2. Add the gre1 capture adapter
  3. Change the mode to libpcap - this is required to capture from the gre1 interface


