![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
After years of running UTMs, I have been running an ERL for quite some time now. I bought it years ago, ran it for a while, went back to the UTM, then finally permanently back to the ERL a couple years ago. It's great, I feel I've built a good ACL-based firewall on it, and after getting it set up it's been very hands-off. No more chasing log files for blocked traffic, very few overall headaches.
BUT...
I miss the traffic accounting and reports that the UTMs provide (and one other feature--the email relay in Sophos so my network could email me stuff without recompiling Sendmail). They are very detailed and helpful in identifying any issues with rogue devices, etc... and just my own curiosity. So I'm looking to get that back and of course the first step is SNMP/log server, but as I understand it that isn't necessarily going to give a complete picture so running it with netflow is the next step. Now I feel like I'm going down a rabbit hole, and netflow can have performance impacts on this router. Is this the best way to go, or is it going to be easier to go with a router distribution that already has all this stuff built in (and not using all the Snort stuff)? I still think I need to setup a syslog server to keep tabs on some things on my network, so setting up ntop or whatever may not be a big step further. Are there similar appliance-like devices that have this accounting that I should consider? I think the Mikrotik hex S has The Dude now built in or something--another learning curve--or maybe there's a basic Fortigate or something I'd also consider.
I'm still learning about netflow, so it's just a monolith at the moment. This stuff is interesting and fun, but it's not my day job so it has little economic incentive to learn.
I have tons of hardware laying around (way too much) that I can play with just about anything I think.
BUT...
I miss the traffic accounting and reports that the UTMs provide (and one other feature--the email relay in Sophos so my network could email me stuff without recompiling Sendmail). They are very detailed and helpful in identifying any issues with rogue devices, etc... and just my own curiosity. So I'm looking to get that back and of course the first step is SNMP/log server, but as I understand it that isn't necessarily going to give a complete picture so running it with netflow is the next step. Now I feel like I'm going down a rabbit hole, and netflow can have performance impacts on this router. Is this the best way to go, or is it going to be easier to go with a router distribution that already has all this stuff built in (and not using all the Snort stuff)? I still think I need to setup a syslog server to keep tabs on some things on my network, so setting up ntop or whatever may not be a big step further. Are there similar appliance-like devices that have this accounting that I should consider? I think the Mikrotik hex S has The Dude now built in or something--another learning curve--or maybe there's a basic Fortigate or something I'd also consider.
I'm still learning about netflow, so it's just a monolith at the moment. This stuff is interesting and fun, but it's not my day job so it has little economic incentive to learn.
I have tons of hardware laying around (way too much) that I can play with just about anything I think.