Captive Portal - ntopng



  • I am a newbie to pFsense, however have been able to successfully get v2.4.4 setup, running on my test LAN, and also the Captive Portal forcing test users to authenticate by accept the end user acceptance policy and authenticating via a user account. It's in a local department testing stage only currently. I would like to be able to see either by real time info, or by running a report of where a particular MAC has been.

    For example, on occasion the department gets a copy right violation letter from the ISP in the mail, it normally only identifies a something such as a MAC address / website / game or movie that was downloaded / etc that has caused this copy right violation. Currently on this dirty network we have no way to track a particular MAC, where its been and or what sites its been visiting. Welcome pFsense firewall.

    With pFsense I am able to set it on the LAN side, monitor the MAC's as I will be implementing a MAC registration process with the IT department so that I can do some MAC filtering.

    Sorry this is so long, however is "ntopng" the utility that I am looking for that will accomplish this for me? I want to be able to run a report, or look in the log, to see where a user has been, what they have been doing and what websites any particular MAC has been visiting.

    Thanks for your expert advice and recommendations in advance!

    Doug


  • LAYER 8

    i don't know about ntopng but you can also install squid + lightsquid that can tell you what someone inside your lan is visiting, it make a log of all web sites, there is realtime also. maybe a combination of both can help you. it's not useful if people inside your lan is using torrent or some p2p, in that case you should block the port or use pfblockerng-devel
    also snort/suricata have rules that block p2p
    that would prevent or make p2p painful to use at least
    prevention is better than cure.


  • Rebel Alliance

    well
    let's debunk some conspiracy theories first

    @WD_Doug said in Captive Portal - ntopng:

    the department gets a copy right violation letter from the ISP in the mail, it normally only identifies a something such as a MAC address

    no.
    because if the very nature of how IP network works, ISP can't know the MAC addresses of any end user device.

    the only MAC address that your ISP might see would be the one of the WAN network card on your pfsense.

    because your pfSense is also likely having NAT between LAN and WAN, your ISP also can't know what IP internal addresses requested the file on your network. from the ISP point of view, only one IP address is connected to his network : the one attached to your WAN network card.

    @WD_Doug said in Captive Portal - ntopng:

    For example, on occasion the department gets a copy right violation letter from the ISP in the mail

    this is unlikely to happen, because ISP tend to focus the pressure on content providers(eg, websites hosting bad content) and not content consumers. DMCA takedown apply to dealers / broadcasters, not to end users

    the only case where you may receive that kind of letter is torrenting. if one of your user is sending a copyrighted file through torrents, you may get a letter as your IP was used for broadcasting

    Law enforcement/ISP are usually checking torrents uploads by monitoring torrents trackers, looking for seeders in the country IP range. that's at least how it is done in France (HADOPI) and in few North European countries

    Sorry this is so long, however is "ntopng" the utility that I am looking for that will accomplish this for me? I want to be able to run a report, or look in the log, to see where a user has been, what they have been doing and what websites any particular MAC has been visiting.

    I think what you are really looking for is dashboards/reporting on DNS logs+DHCP logs

    pfSense may record DNS queries and DHCP requests made by your users. you may send these logs to an external analytics server (such as splunk or graylog), so that you could perform monitoring /dashboards on your users traffic



  • @free4
    Thanks for the clarification of the MAC / IP that is being seen by the ISP. Correct, they would only be able to see to the embarkation point of where their network ends, and that would be the MAC / IP of the provided cable modem router from Mediacom. I should have been more clear. ☺

    f794da23-98d6-4587-aab6-44c6d2555fd2-image.png

    Likely the case, torrenting. We have received 5 letters this year so far. In going back and re-reading one of them it does reference that "someone has posted, transmitted, or shared with others certain copyrighted material without the permission of the owner." 1 referenced a game "King of Thrones", another referenced some kid movie Alladin, another referenced Mary Poppins Returns. Most appear to be movies so as you stated they are either sharing them via a torrent program or either downloading them via a torrent program.

    Thanks again for the feedback I appreciate it.



  • @kiokoman - Thanks for the feedback. I haven't thought about squid. I will have to look in to it and research it a little. Then I can have a look at installing it to see some of its configuration & settings.

    Thanks again......


Log in to reply