Setting up a GRE Tunnel to send Netflow to remote machine

This document explains how to set up a point-to-point GRE tunnel that routes Netflow packets to a remote Trisul.

The gateway machine is at one end of the tunnel and the Trisul server is at the other end. All your routers can send Netflow to the gateway machine on port 2055 or 5111. The packets are then sent to the Trisul server through the tunnel.

Setup GRE on the gateway node

On the gateway machine with IP 192.168.2.81

Stop firewalld or ufw

  # Ubuntu
  ufw disable
  # RHEL
  systemctl stop firewalld

The tunnel address on the gateway is 10.200.200.201

  ip tunnel add gre1 mode gre remote 192.168.2.99 local 192.168.2.81 ttl 255
  ip link set gre1 up
  ip addr add 10.200.200.201/30 dev gre1

Now the interface gre1 should be up and ready.

  ip route

  10.200.200.200/30 dev gre1 proto kernel scope link src 10.10.10.99
  172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
  192.168.2.0/24 dev enp2s0 proto kernel scope link src 192.168.2.99

Use IPTables to DNAT to the remote GRE

On the gateway node.

  iptables -t nat -A PREROUTING -p udp --dport 5111 -j DNAT --to-destination 10.200.200.202:5111
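
A way to check the gateway configuration after the steps above, as an added example that is not part of the original page. The function names tunnel_matches and dnat_present are hypothetical, and the sample captures are constructed in the format printed by "ip tunnel show" and "iptables -t nat -S PREROUTING". The last check shows that the single DNAT rule above covers port 5111 only, so Netflow sent to port 2055 is not forwarded into the tunnel.

```sh
#!/bin/sh
# Added example: gateway-side checks for the GRE + DNAT setup on this page.
# Each function reads command output on stdin (live output or a saved capture).

# tunnel_matches LOCAL REMOTE   < output of `ip tunnel show`
tunnel_matches() {
    awk -v l="$1" -v r="$2" '
        $1 == "gre1:" && $2 == "gre/ip" {
            for (i = 3; i < NF; i++) {
                if ($i == "local")  gl = $(i + 1)
                if ($i == "remote") gr = $(i + 1)
            }
            if (gl == l && gr == r) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# dnat_present PORT DEST   < output of `iptables -t nat -S PREROUTING`
dnat_present() {
    awk -v port="$1" -v dest="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            udp = 0; p = ""; j = ""; d = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "udp") udp = 1
                if ($i == "--dport")          p = $(i + 1)
                if ($i == "-j")               j = $(i + 1)
                if ($i == "--to-destination") d = $(i + 1)
            }
            if (udp && p == port && j == "DNAT" && d == dest) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample captures (not taken from a real host).
SAMPLE_TUNNEL='gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 192.168.2.99 local 192.168.2.81 ttl 255'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 5111 -j DNAT --to-destination 10.200.200.202:5111'

# Live use on the gateway (as root):
#   ip tunnel show | tunnel_matches 192.168.2.81 192.168.2.99
#   iptables -t nat -S PREROUTING | dnat_present 5111 10.200.200.202:5111
printf '%s\n' "$SAMPLE_TUNNEL" | tunnel_matches 192.168.2.81 192.168.2.99 && echo "tunnel endpoints OK"
printf '%s\n' "$SAMPLE_NAT" | dnat_present 5111 10.200.200.202:5111 && echo "DNAT rule for 5111 OK"
printf '%s\n' "$SAMPLE_NAT" | dnat_present 2055 10.200.200.202:2055 || echo "no DNAT rule for 2055"
```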

Create other side of tunnel on Trisul probe node

On the Trisul probe machine with real IP 192.168.2.99

  ip tunnel add gre1 mode gre remote 192.168.2.81  local 192.168.2.99  ttl 255
  ip link set gre1 up
  ip addr add  10.200.200.202/30  dev gre1

Now each side should be able to ping the other on the 10.200.200.201 and 10.200.200.202 addresses.

Run Trisul on gre1 in LIBPCAP mode

Now the Trisul Probe node will get all the router netflows on the new gre1 interface.

  1. Login as admin
  2. Add the gre1 capture adapter
  3. Change the mode to libpcap - this is required to capture from the gre1 interface

Credits

hardware/gretunnel.1546841302.txt.gz · Last modified: 2019/01/07 11:38 by veera