Setting Up NetFlow Export
Configure MikroTik, Cisco, Juniper and softflowd exports so ISPBills can analyse NetFlow traffic reliably.
Configure routers, switches and Linux collectors to export NetFlow records into ISPBills so traffic data appears in the monitoring dashboard.
Complete this guide after the NetFlow add-on is enabled for your organisation. The overview explains what the module analyses.
Prerequisites
Before configuring exporters, confirm these requirements.
| Requirement | Details |
|---|---|
| NetFlow add-on | Enabled for your active ISPBills subscription or trial |
| Network reachability | Routers can reach the ISPBills collector IP over the management or routing path |
| UDP port | Firewall rules allow exporter-to-collector UDP traffic on the configured port |
| Time sync | Routers and the ISPBills server use NTP so flow timestamps align |
Find the Collector Address and Port
In ISPBills, open Settings → NetFlow or Monitoring → NetFlow and copy the collector IP address and UDP port shown in the collector panel.
| Field | What to copy |
|---|---|
| Collector address | The ISPBills server IP or hostname reachable by routers |
| UDP port | The listener port assigned to your account |
| Flow version | Prefer NetFlow v9 or IPFIX where supported |
If routers sit behind NAT, export flows to an address that remains stable from the router side. Avoid dynamic public IPs for collector targets.
MikroTik RouterOS NetFlow v9
Use RouterOS /ip traffic-flow and /ip traffic-flow target to export NetFlow v9 records. Replace the collector address and port with values from ISPBills.
/ip traffic-flow set enabled=yes interfaces=all cache-entries=64k active-flow-timeout=30m inactive-flow-timeout=15s
/ip traffic-flow target add dst-address=203.0.113.10 port=2055 version=9
To export only specific interfaces, replace interfaces=all with a comma-separated list.
/ip traffic-flow set enabled=yes interfaces=ether1,pppoe-out1
/ip traffic-flow target print
RouterOS usually starts exporting within a minute. Check Monitoring → NetFlow → Sources to confirm the MikroTik device appears.
Cisco IOS NetFlow Export
Classic Cisco IOS uses ip flow-export and interface-level ip flow commands.
configure terminal
ip flow-export destination 203.0.113.10 2055
ip flow-export version 9
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
interface GigabitEthernet0/0
ip flow ingress
ip flow egress
exit
interface GigabitEthernet0/1
ip flow ingress
ip flow egress
end
write memory
For older devices that only support NetFlow v5, change the version line.
ip flow-export version 5
Juniper Overview
Juniper platforms normally use sampling and a flow-server target. Exact syntax varies between Junos releases and line cards, but the pattern is consistent.
set forwarding-options sampling input rate 1000
set forwarding-options sampling family inet output flow-server 203.0.113.10 port 2055
set forwarding-options sampling family inet output flow-server 203.0.113.10 version9 template template-v9
set interfaces ge-0/0/0 unit 0 family inet sampling input
commit
| Juniper item | Guidance |
|---|---|
| Sampling rate | Start with 1:1000 on busy edges, then adjust after checking accuracy |
| Flow format | Use version 9 or IPFIX if available |
| Interface scope | Enable sampling only on transit or customer-facing interfaces you need to analyse |
Linux / softflowd
Use softflowd when a Linux bridge, mirror port, tap or non-managed segment must export flows to ISPBills.
sudo apt update
sudo apt install softflowd
sudo softflowd -i eth1 -n 203.0.113.10:2055 -v 9 -t maxlife=60
For a persistent systemd-based setup, place equivalent options in your distribution's softflowd defaults file and restart the service.
sudo systemctl enable softflowd
sudo systemctl restart softflowd
sudo systemctl status softflowd
Only run software flow exporters on interfaces where packet capture is authorised. Mirrored traffic may include customer metadata.
Sampling Rate Guidance
Sampling reduces router CPU and export volume on large networks. Use unsampled NetFlow for small networks or troubleshooting, and sampled NetFlow for busy aggregation or core links.
| Network size | Suggested ratio | Notes |
|---|---|---|
| Small access network | 1:1 | Best detail when router resources are comfortable |
| Mid-tier up to 2,000 customers | 1:100 to 1:500 | Good balance for aggregation routers |
| Large-tier 2,001+ customers | 1:500 to 1:2000 | Use on high-throughput core or peering links |
| DDoS or incident review | Temporarily lower ratio | Increase detail only while investigating |
Verify Flows in ISPBills
After applying exporter configuration, open Monitoring → NetFlow and check the Sources or Live Flows panel.
| Check | Expected behaviour |
|---|---|
| Source visible | Router IP appears with a recent last-seen timestamp |
| Live flows | New records arrive within 1-2 minutes |
| Interface names | Appear when exporter templates include interface indexes or names |
| Traffic graphs | Update after enough samples are received |
Firewall and NAT Considerations
Allow outbound UDP from each exporter to the ISPBills collector and inbound UDP on the collector port. If NAT is used, document the translated source IP so operators recognise the source in ISPBills.
If flows do not appear, compare the router export destination with the collector address, then test UDP reachability from the router path before changing ISPBills settings.