Run ntopng on 2100 or port mirror to an RPi?
-
I'd like to know if it's a bad idea to run ntopng on the 2100, or if it is up to the task of running ntopng for weeks/months (and I just need to install it manually instead).
I installed ntopng on my 2100 (running 23.05.1) & it is definitely not stable - can't seem to remain running for even a day. I only have 4 pkgs installed (avahi, aws-wizard, ip-sec-profile-wizard, and ntopng).
I have an old RPi 3B I could set up if the 2100 can't manage it but would prefer to avoid this effort if it's not needed. (One would think for $350 that the 2100 could handle it.)
I would really appreciate your thoughts on this. (Motivation: I am barely running over my 1.2TB limit on xfinity & I am trying to figure out why. I've had to bump up to the unlimited plan for +$30/mo in the meantime. Only 3 ppl in the house.)
-
@pazmanian not familiar with it and I don’t have a reason why it can’t run, but it does have heavy writes and needs an SSD/max version. See
https://www.netgate.com/supported-pfsense-plus-packages
-
@pazmanian ntopng isn't really the tool to help you out with this, IMO.
- Depending on the amount of flows going through your router, that could be very taxing on an ARM chip. Wouldn't even try ntop on anything that doesn't at least have an Intel - base model is SG-4100.
- What I've been doing, and it's been pretty successful, is using Squid. I set up a transparent proxy with SSL intercept. You are not actually installing certs on your devices but you are just transparently intercepting traffic destined for port 80 and 443. I then install LightSquid for reporting. After a few minutes, you start seeing sites visited by clients and how much data was exchanged. You get reporting back on what "big" files were downloaded. I want to be clear, because you are not breaking into the SSL packet you have no idea if what's being downloaded is a .mp4 or .iso or whatever, but you do know the site that was visited and by whom, which should be good enough, especially if your network has a lot of IoT devices.
Is it the prettiest reporting? Nope. Does it meet your requirement? Absolutely.
Here is a screenshot of what one of my home devices is doing. My daughter's iPad. She loves Roblox.
edit - I'm not opposed to ntopng but the community edition on pfSense is quite useless. It doesn't track historical flows and by whom, so you have no idea who is taking up the most bandwidth and which application. It's good for real-time activity but most people want to track things over time.
edit 2 - another screenshot. As you can see over the last 4 days thus far, Squid has tracked 94GB of data. This is most likely the type of information you want to see and start digging into.
-
Let me give a real world example of what just happened in my household a few minutes ago and maybe you can take it and run with it on your network.
Our youngest child likes to watch a program called "Happy Kids" on the smart TV in his room. The wife dislikes this program. I'm a dad, I'm impartial, but hey, the boss comes to me and says to block it.
How do I block an application on the TV? What should I look for? happykids.com? The first thing I knew was that my child watches this a lot, so it should show up in the LightSquid report as a high talker - lots of data exchanged. I go to the reporting and I see a site that sits at number 1 for most bytes.
I researched the domain and I noticed that llnwi.net is a CDN. Using some logic, this is most likely how the site is pulling data.
I go into SquidGuard where in my Target ACL tab I add the domain llnwi.net.
I then go into my Group ACL where I have my kids' WLAN VLAN set up and added that domain. I want to specifically only block it for my Kids VLAN.
I apply the ACL, save settings, and now it's blocked. The app still launches but nothing can be played. This is something you can do on your own if you find something eating up your bandwidth at your house. NTOPNG could not at all help you with this unless it was a real-time flow. I tracked down this domain over the course of several days using the reporting, so I was reasonably certain I could block this and end it and make the wife happy. She is the boss after all.
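The per-client, per-site byte accounting that the LightSquid reports in the two posts above provide can be reproduced directly from Squid's native-format access.log, which is also the quickest way to confirm that a suspected CDN domain really is the top talker before adding it to a SquidGuard ACL. The following is an added example, not code from the thread or from the Squid, LightSquid or SquidGuard projects; the log lines, client addresses and host names are constructed for illustration, and the parent-domain grouping is a deliberately naive last-two-labels simplification rather than proper public-suffix handling.

```python
"""Summarise a Squid native-format access.log by client and destination site.

Added example (not code from the thread or from Squid/LightSquid).
The sample log lines, client addresses and host names are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log columns (space separated):
# timestamp elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    312 192.168.20.15 TCP_TUNNEL/200 52428800 CONNECT video.cdn-example.net:443 - HIER_DIRECT/203.0.113.7 -
1700000001.220    118 192.168.20.15 TCP_MISS/200 4096 GET http://www.example-kids.com/app/manifest.json - HIER_DIRECT/203.0.113.8 application/json
1700000002.330    905 192.168.10.42 TCP_TUNNEL/200 10485760 CONNECT update.example.org:443 - HIER_DIRECT/198.51.100.3 -
1700000003.440    200 192.168.20.15 TCP_TUNNEL/200 31457280 CONNECT edge02.video.cdn-example.net:443 - HIER_DIRECT/203.0.113.9 -
1700000004.550     45 192.168.10.42 TCP_DENIED/403 3000 CONNECT ads.example.net:443 - HIER_NONE/- text/html
this line is garbage and should be skipped
"""


def site_of(method, url):
    """Return the destination host for one log entry.

    CONNECT entries (HTTPS tunnels) carry 'host:port'; plain HTTP entries carry
    a full URL. For HTTPS only the host is visible, which is exactly the
    limitation described in the thread: you learn the site, not the content.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else url


def parent_domain(host):
    """Collapse a host to its last two labels (edge02.video.cdn-example.net -> cdn-example.net).

    Simplification: correct grouping needs the public suffix list; this is
    enough to fold a CDN's edge hostnames into one line of the report.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_access_log(text):
    """Yield (client, site, bytes) for each well-formed entry; skip lines that do not parse."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, code_status, size, method, url = fields[2], fields[3], fields[4], fields[5], fields[6]
        if not size.isdigit() or "/" not in code_status:
            continue  # not a Squid native-format entry
        yield client, site_of(method, url), int(size)


def summarise(text, group_parent=True):
    """Return (bytes_per_client, bytes_per_site, bytes_per_client_site) as plain dicts."""
    per_client = defaultdict(int)
    per_site = defaultdict(int)
    per_client_site = defaultdict(int)
    for client, site, size in parse_access_log(text):
        key = parent_domain(site) if group_parent else site
        per_client[client] += size
        per_site[key] += size
        per_client_site[(client, key)] += size
    return dict(per_client), dict(per_site), dict(per_client_site)


def top_talkers(counter, n=5):
    """Largest n entries of a byte counter, highest first."""
    return sorted(counter.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    clients, sites, pairs = summarise(SAMPLE_LOG)
    print("Bytes per client:")
    for client, size in top_talkers(clients):
        print(f"  {client:<16} {size / 1e6:8.1f} MB")
    print("Bytes per site (grouped by parent domain):")
    for site, size in top_talkers(sites):
        print(f"  {site:<24} {size / 1e6:8.1f} MB")
    print("Top client/site pairs:")
    for (client, site), size in top_talkers(pairs):
        print(f"  {client:<16} {site:<24} {size / 1e6:8.1f} MB")
```

Run it against a real log with `summarise(open("/var/squid/logs/access.log").read())` (path assumed; adjust to wherever the pfSense Squid package writes its log) and the client/site pairs table answers the question the thread is actually asking: which device is pulling the bytes and from which site. Note that Squid counts the bytes it sent to the client, so denied requests still contribute the size of the error page, and that the grouping in `parent_domain` will lump unrelated hosts together under shared suffixes such as co.uk.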
-
@pazmanian I have NTopNG package running on my SG-2100 MAX for a couple of weeks now without issues.
In earlier versions stability has been quite an issue, but it seems stable now on 23.05.1. I have Fiber, and while I can do about 550Mbit up/down on my SG-2100, that figure drops with NTopNG to about 450Mbit.
But I have to agree with @michmoor - the Community edition is borderline useless unless we are talking real-time monitoring. The entire alerting, grouping, DPI and history part of the product is useless because of the MASSIVE feature limitation of the community edition.
-
To explain better, the max/SSD is important so it doesn’t kill an eMMC prematurely.
-
@keyser said in Run ntopng on 2100 or port mirror to an RPi?:
SG-2100 MAX
keyser, Thanks. Did you pay the EU400 for the pro version of NTOPNG? That's far too much for my needs.
-
@SteveITS - Thanks - I now see the value of the MAX for logs... a 256GB M.2 was dirt cheap, so I ordered one of those.
-
@michmoor - Definitely looks worth exploring - much appreciated!
-
@pazmanian said in Run ntopng on 2100 or port mirror to an RPi?:
@keyser said in Run ntopng on 2100 or port mirror to an RPi?:
SG-2100 MAX
keyser, Thanks. Did you pay the EU400 for the pro version of NTOPNG? That's far too much for my needs.
No - I’m running community edition. I don’t even think you can actually license the NTOPNG in the pfsense package
-
@keyser you can’t. I did open a feature request in redmine to allow the option to put in a professional key.