Netgate Discussion Forum

    Captive Portal - ntopng

    5 Posts 3 Posters 714 Views
    • W
      WD_Doug
      last edited by

      I am a newbie to pfSense, however I have been able to successfully get v2.4.4 set up and running on my test LAN, along with the Captive Portal forcing test users to authenticate by accepting the end user acceptance policy and authenticating via a user account. It's in a local department testing stage only currently. I would like to be able to see, either by real-time info or by running a report, where a particular MAC has been.

      For example, on occasion the department gets a copyright violation letter from the ISP in the mail; it normally only identifies something such as a MAC address / website / game or movie that was downloaded / etc. that has caused this copyright violation. Currently on this dirty network we have no way to track a particular MAC, where it's been and/or what sites it's been visiting. Welcome, pfSense firewall.

      With pfSense I am able to set it on the LAN side and monitor the MACs, as I will be implementing a MAC registration process with the IT department so that I can do some MAC filtering.

      Sorry this is so long, however is "ntopng" the utility that I am looking for that will accomplish this for me? I want to be able to run a report, or look in the log, to see where a user has been, what they have been doing and what websites any particular MAC has been visiting.

      Thanks for your expert advice and recommendations in advance!

      Doug

      F 1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by kiokoman

        I don't know about ntopng, but you can also install squid + lightsquid, which can tell you what someone inside your LAN is visiting. It makes a log of all web sites, and there is a realtime view also. Maybe a combination of both can help you. It's not useful if people inside your LAN are using torrent or some p2p; in that case you should block the port or use pfblockerng-devel.
        Also, snort/suricata have rules that block p2p.
        That would prevent p2p, or at least make it painful to use.
        Prevention is better than cure.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        W 1 Reply Last reply Reply Quote 1
        • F
          free4 Rebel Alliance @WD_Doug
          last edited by free4

          well
          let's debunk some conspiracy theories first

          @WD_Doug said in Captive Portal - ntopng:

          the department gets a copyright violation letter from the ISP in the mail; it normally only identifies something such as a MAC address

          no.
          because of the very nature of how IP networks work, the ISP can't know the MAC addresses of any end user device.

          the only MAC address that your ISP might see would be the one of the WAN network card on your pfsense.

          because your pfSense is also likely doing NAT between LAN and WAN, your ISP also can't know which internal IP addresses requested the file on your network. from the ISP's point of view, only one IP address is connected to its network: the one attached to your WAN network card.

          @WD_Doug said in Captive Portal - ntopng:

          For example, on occasion the department gets a copyright violation letter from the ISP in the mail

          this is unlikely to happen, because ISPs tend to focus the pressure on content providers (e.g., websites hosting bad content) and not content consumers. DMCA takedowns apply to dealers / broadcasters, not to end users

          the only case where you may receive that kind of letter is torrenting. if one of your users is sending a copyrighted file through torrents, you may get a letter as your IP was used for broadcasting

          Law enforcement/ISPs usually check torrent uploads by monitoring torrent trackers, looking for seeders in the country's IP range. that's at least how it is done in France (HADOPI) and in a few North European countries

          Sorry this is so long, however is "ntopng" the utility that I am looking for that will accomplish this for me? I want to be able to run a report, or look in the log, to see where a user has been, what they have been doing and what websites any particular MAC has been visiting.

          I think what you are really looking for is dashboards/reporting on DNS logs + DHCP logs

          pfSense may record DNS queries and DHCP requests made by your users. you may send these logs to an external analytics server (such as splunk or graylog), so that you could perform monitoring/dashboards on your users' traffic

          W 1 Reply Last reply Reply Quote 0
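An added example (not part of any post in this thread) of the DNS + DHCP log correlation suggested above: it attributes each DNS query to the MAC address that held the client IP at that moment. The log lines are constructed samples in the style of ISC dhcpd `DHCPACK` entries and Unbound query logging; the ISO timestamps and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread): ISC dhcpd DHCPACK entries and
# Unbound query-log entries, with ISO timestamps assumed from the log server.
DHCP_LOG = """\
2019-06-01T08:00:05 dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:00:00:01 (laptop-a) via em1
2019-06-01T12:30:00 dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:00:00:02 (tablet-b) via em1
2019-06-01T08:01:00 dhcpd: DHCPACK on 192.168.1.51 to aa:bb:cc:00:00:03 (phone-c) via em1
"""
DNS_LOG = """\
2019-06-01T07:59:00 unbound: [4242:0] info: 192.168.1.50 early.example. A IN
2019-06-01T09:15:10 unbound: [4242:0] info: 192.168.1.50 tracker.example. A IN
2019-06-01T09:16:00 unbound: [4242:0] info: 192.168.1.51 news.example. AAAA IN
2019-06-01T13:00:00 unbound: [4242:0] info: 192.168.1.50 video.example. A IN
"""
DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")
DNS_RE = re.compile(r"^(\S+) unbound: \[\d+:\d+\] info: (\S+) (\S+?)\.? (\S+) IN$")

def parse_leases(text):
    """Return {ip: [(time, mac), ...]} sorted by time."""
    leases = defaultdict(list)
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases[m[2]].append((datetime.fromisoformat(m[1]), m[3]))
    for acks in leases.values():
        acks.sort()
    return leases

def mac_at(leases, ip, when):
    """MAC most recently ACKed for ip at or before `when`, else None."""
    holder = None
    for ts, mac in leases.get(ip, []):
        if ts <= when:
            holder = mac
    return holder

def queries_by_mac(dhcp_text, dns_text):
    """Attribute each DNS query to the MAC holding the client IP at that time."""
    leases, report = parse_leases(dhcp_text), defaultdict(list)
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            mac = mac_at(leases, m[2], datetime.fromisoformat(m[1])) or "unknown"
            report[mac].append((m[1], m[3], m[4]))
    return dict(report)
```

Lease expiry and releases are not modelled, so an address that went unused between two leases is still attributed to its last holder. DNS names also say nothing about BitTorrent peer connections, which are made to IP addresses directly.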
          • W
            WD_Doug @free4
            last edited by

            @free4
            Thanks for the clarification of the MAC / IP that is being seen by the ISP. Correct, they would only be able to see to the embarkation point of where their network ends, and that would be the MAC / IP of the provided cable modem router from Mediacom. I should have been more clear. ☺

            Likely the case, torrenting. We have received 5 letters this year so far. In going back and re-reading one of them, it does reference that "someone has posted, transmitted, or shared with others certain copyrighted material without the permission of the owner." One referenced a game "King of Thrones", another referenced some kid movie Aladdin, another referenced Mary Poppins Returns. Most appear to be movies, so as you stated they are either sharing them via a torrent program or downloading them via a torrent program.

            Thanks again for the feedback I appreciate it.

            1 Reply Last reply Reply Quote 0
            • W
              WD_Doug @kiokoman
              last edited by

              @kiokoman - Thanks for the feedback. I haven't thought about squid. I will have to look into it and research it a little. Then I can have a look at installing it to see some of its configuration & settings.

              Thanks again......

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.