A Guide to current NtopNG on pfSense 2.6/22.01 :-)

keyser

So.... after a lot of frustrations with the current - buggy - NtopNG package for pfSense (Which is very seldomly updated), I decided to investigate how NtopNG actually works on pfSense - with the hope of being able to update to a current NtopNG v5.3 build.

Turned out that was a lot easier than I thought, so I decided to write this short guide to help people get a current NtopNG version on pfSense.

A couple of important observations:

• ntop.org actually has a guide on how to install a current NtopNG on pfSense. But it relies on installing it as a service which is not supported or maintained across pfSense updates.
• ntop.org daily publish the current NtopNG build for freeBSD/pfSense to their own repository - AMD64 only, so it's easy to get the most current version for x86-64 based devices.
• The current pfSense NtopNG package (0.8.13_10) contains an old v5.0 NtopNG build for pfSense 2.6/22.01 and a v4.0 build for older pfSense versions and ARM64/aarch64 based appliances. Both are buggy as he**, and in dire need of version updates.

After a bit of investigation I found out that NtopNG can run both as a Service and as a launched process Daemon - the latter being the way pfSense packages provides "services". So after investigating further I found out that the 0.8.13_10 package is merely a wrapper that provides the pfSense interface part of having a standard NtopNG install run as a launched process Daemon.

So I figured out a standardized way to change the NtopNG version used in the pfSense package.
There are two different guides.

—————————————————————————-

The first guide is how to update Intel/AMD64 based devices to the current latest build provided by ntop.org:

1: Install the pfSense "ntopng" package (0.8.13_10) that is available in the package manager

2: SSH to your pfSense, and open a Command Shell (option 8)

3: Remove ONLY the buggy NtopNG v5.0.xxx package that was installed by the pfSense package. This is done by running the command:

pkg remove -f ntopng

4: Remove the legacy ndpi package that was installed by the pfSense package. This is done by running the command:

pkg remove -f ndpi

5: Clean up the left over files from the old package. This is done by running the command(s):

rm -r /var/db/ntopng
rm -r /usr/local/share/ntopng

6: Add the ntop.org repository to your pfSense so it always can get/update to the latest ntopng build for pfSense. This is done by running the command:

pkg add https://packages.ntop.org/FreeBSD/FreeBSD:12:amd64/latest/ntop-1.0.txz

7: Install the latest NtopNG build for FreeBSD12/pfSense by running the command:

pkg install ntopng

8: We then need to make sure NtopNG is launched in community edition and not expecting a license file. This is done my modifying ntopng.inc from the pfSense ntop package. This is done by running the command:

vi /usr/local/pkg/ntopng.inc

• Find section: "# Create DB dir before starting, in case it was removed. Otherwise redis will fail."
• Locale the line: "/usr/local/bin/ntopng -d /var/db/ntopng -G /var/run/ntopng.pid -s -e {$http_args} {$disable_alerts} {$dump_flows} {$ifaces} {$dns_mode} {$aggregations} {$local_networks} &"
• Insert: --community between {$local_networks} and the & symbol so the line looks like this:
  "/usr/local/bin/ntopng -d /var/db/ntopng -G /var/run/ntopng.pid -s -e {$http_args} {$disable_alerts} {$dump_flows} {$ifaces} {$dns_mode} {$aggregations} {$local_networks} --community &"
• Save the file and exit vi by pressing escape and type wq! and ENTER

8: You can now use the ntopng settings menu in "DIAGNOSTICS -> ntopng settings" to configure the basics of your NtopNG and add Maxmind2 Geolocation support.

9: Remember to enable the service and press save.

I have only found two caveats:

• The current 5.3 build has a "restart Service" in the user menu that does not work as expected when running as a daemon. So ignore that and restart NtopNG from the pfSense GUI as you normally would.
• Until NtopNG has been started and logged into for the first time (admin/admin), the Password setting in the DIAGNOSTICS -> ntopng settings menu has no effect. After that it works as expected. But remeber - the password is saved in clear text in your pfSense config.xml, so use something else than your FW password :-)

If you ever want to update to a newer/later build, simply run "pkg upgrade ntopng" in the shell. The remaining settings should stay in place.

———————————-——————————-

This second guide is for aarch64/ARM64 based appliances and is quite different as ntop.org does not publish aarch64 builds for ARM (low end netgate appliances like SG-1x00/SG-2100). So we need to use the latest port available in pkg.freebsd.org’s ports repository. Right not that is only updated quarterly for FreeBSD 12 on aarch64, and is based on the stable v5.2.xxxx branch compared to the current v5.3.xxxxx developer branch provided by ntop.org.

1: Complete steps 1 though 5 from the first guide.

2: Install the prerequisite packages and the quarterly NtopNG package from FreeBSD org by completing the following commands:

pkg add http://pkg.freebsd.org/FreeBSD:12:aarch64/quarterly/all/lua54-5.4.2,1.txz
pkg add http://pkg.freebsd.org/FreeBSD:12:aarch64/quarterly/all/ndpi-4.2.d20220210_1,1.txz
pkg add http://pkg.freebsd.org/FreeBSD:12:aarch64/quarterly/all/ntopng-5.2.d20220314_1,1.txz

3: You can now use the ntopng settings menu in "DIAGNOSTICS -> ntopng settings" to configure the basics of your NtopNG and add Maxmind2 Geolocation support.

4: Remember to enable the service and press save.

There is no need to modify the ntopng.inc file on ARM as that runs default in community edition.

I have only found two caveat:

• Until NtopNG has been started and logged into for the first time (admin/admin), the Password setting in the DIAGNOSTICS -> ntopng settings menu has no effect. After that it works as expected. But remeber - the password is saved in clear text in your pfSense config.xml, so use something else than your FW password :-)
• You cannot upgrade the NtopNG package just by doing pkg upgrade like on Intel/AMD64. So you are stuck at the current quarterly build in the repository until you uninstall it and install a later version.

Happy updating guys :-)

psp

Just setup following your steps on 22.01. All is up-and-running in 5 minutes.

After a firewall reboot it seems settings are not retained. I'll do some more test.

Thanks keyser!

netblues

@keyser Worked as expected on 22.1 with all available patches.

Haven't restarted firewall yet though.

keyser

@psp said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

Just setup following your steps on 22.01. All is up-and-running in 5 minutes.

After a firewall reboot it seems settings are not retained. I'll do some more test.

Thanks keyser!

That’s weird. Mine retains settings - both the pfSense GUI ntopng settings, and the multitude of settings and configurations inside NtopNG.

psp

@keyser said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

Mine retains settings - both the pfSense GUI ntopng settings, and the multitude of settings and configurations inside NtopNG

Thanks for your feedback. I'll check if this is related to my configuration (I'm currently using RAM for /tmp and /var).

In any case, thanks to your guide, I'm planning to shutdown the dedicated ntopng VM connected to SPAN port.

psp

ntopng is started by default with db in /var (/usr/local/bin/ntopng -d /var/db/ntopng).

If "Use RAM Disks" is enabled this path is located on tmpfs.

To keep all data I moved ntopng data to a persistent file system (modifying the startup script accordingly).

keyser

@psp said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

ntopng is started by default with db in /var (/usr/local/bin/ntopng -d /var/db/ntopng).

If "Use RAM Disks" is enabled this path is located on tmpfs.

To keep all data I moved ntopng data to a persistent file system (modifying the startup script accordingly).

Ahh, makes sense then.

Be aware though that NtopNG - depending on settings - can be very write IO aggressive and can/will exhaust the write endurance on very small (8 - 32Gb) eMMC/SSD's relatively quickly.
With my current settings on a home network it would exhaust my SG-6100s 16Gb eMMC in about a year. So I opted to install a 512GB SSD to make sure I can write "as I please" without thinking about i. I assume you had RAM disk enabled for a reason :-)

psp

@keyser said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

I assume you had RAM disk enabled for a reason

You're right! 512 GB SSD here as well.
I actually simply don't care to loose some data (RRD and long term Logs) between reboots (SSD is rated at 1 DWPD with a current estimate life of 10 years..)
;-)

cyphonsqr

Thanks for the great write up @keyser. :)
I had an error with Redis (not being started), but it was fixed by rebooting the box (Netgate 4860 desktop).
System: 22.01 Plus (zfs).

Regarding RAM Disk, my box only has 8GB RAM and 32GB eMMC and I would like to store historic ntopng data without excessive wear on the disk. I'm happy to lose ~12hours of ntop data (from reboots, power failures, etc.), if that helps minimise undue wear on the disk.

Do you have any suggestions for RamDisk settings to achieve this?

Unfortunately I won't be installing larger RAM/eMMC.

keyser

@cyphonsqr said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

Thanks for the great write up @keyser. :)
I had an error with Redis (not being started), but it was fixed by rebooting the box (Netgate 4860 desktop).
System: 22.01 Plus (zfs).

Regarding RAM Disk, my box only has 8GB RAM and 32GB eMMC and I would like to store historic ntopng data without excessive wear on the disk. I'm happy to lose ~12hours of ntop data (from reboots, power failures, etc.), if that helps minimise undue wear on the disk.

Do you have any suggestions for RamDisk settings to achieve this?

Unfortunately I won't be installing larger RAM/eMMC.

Unfortunately I have very little experience using RAMdisk on pfSense. But I do know that retaining data/settings in NtopNG will not work if you enable RAM disk - even if you enable some of the “flush xxx dir to disk” features in the RAMdisk setup. Thats because /var/db/ntopng is not included in any of the built in flush/restore scripts of specific directories to/from RAMdisk.

So as I see it you have three options:

1: Get a bigger SSD or Attempt to minimize write I/O to a level you are comfortable with on your eMMC
2: Do some experimenting with the process launch settings in the ntopng.inc file where you added the --community setting. There is a -d option set that explains where NtopNG should store its data/settings (default /var/db/ntopng). You could attempt to store that in one of the directories that are covered by the RAMdisk periodic flush/restore at startup feature. I have no Idea if it will work though.
3: Create your own periodic cron job that flushes /var/db/ntopng to disk, and importantly, restores it at bootup and before NtopNG service start.

cyphonsqr

@keyser
Thanks for all that.

I wonder if I could use a cheap 64GB USB drive as the RAMDisk, and not need to worry about wearing out the onboard eMMC.
If you have any thoughts/experience with that, I'd be open to hearing them.

Alternatively, I have a NAS online on my LAN 24/7... could I send the Ntopng data there instead?

keyser

@cyphonsqr said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

@keyser
Thanks for all that.

I wonder if I could use a cheap 64GB USB drive as the RAMDisk, and not need to worry about wearing out the onboard eMMC.
If you have any thoughts/experience with that, I'd be open to hearing them.

Alternatively, I have a NAS online on my LAN 24/7... could I send the Ntopng data there instead?

You definitely can, but it will require some manual adaptations to have a script mount the drive at bootup, and change the path where NtopNG stores data.

Just out of curiosity, why not just install a cheap SSD instead? Its not like they cost an arm and a leg :) I got my 512Gb SSD for less than a 100 dollars, and I could have gotten a 128Gb one for about 50 dollars. It needs not be a particular fast model, just one that comes with either a slightly above average write enduance, or capacity enough that the endurance is given because of the size.

keyser

Just a small update here. You can get a fairly current 5.2 build on your ARM based appliances as well by installing the latest port from the FreeBSD ports repository. It works equally beautiful as the fix above for AMD64 based boxes.
And this is far more helpful as the current NtopNG pfsense package actually installs a v4 community edition even though it's named v5.0.xxxxx

If anyone want further details then just post here, and I'll see if I can create a guide for aarch64 based appliances.

aduzsardi

@keyser that would be awesome , please add some info for arm based appliances as well
thank you

cyphonsqr

@keyser I like the idea.. but my pfSense box is an official NetGate 4860.. which I don't think can take any upgrades.
I stand corrected.. it can take an mSATA drive : https://docs.netgate.com/pfsense/en/latest/solutions/sg-4860/msata-installation.html

keyser

@cyphonsqr said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

@keyser I like the idea.. but my pfSense box is an official NetGate 4860.. which I don't think can take any upgrades.
I stand corrected.. it can take an mSATA drive : https://docs.netgate.com/pfsense/en/latest/solutions/sg-4860/msata-installation.html

Yea, and that’s exactly what I would do - get a >=256Gb mSata drive, it’s a very small price to both allow yourself log to log whatever you want, and prevent wearing your eMMC to death regardless of settings in NtopNG, pfBlocker and what not :-)

keyser

@aduzsardi said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

@keyser that would be awesome , please add some info for arm based appliances as well
thank you

I have now updated the guide (first post) so it contains both a AMD64 version and a ARM/aarch64 version :-)

Please confirm if it works as expected. I wrote it down after completing my own device :-)

netblues

@keyser I'm sorry to report that even if this works, it has serious issues when/if upgrades come.

Various important things will never get updated, so one has to reinstall from scratch.

I suspect the issue is that pkg prefers to fetch things from general bsd repos and not pf, thus producing unexpected results.

Certainly not worth the effort/ uncertainty it produces in the long run

keyser

@netblues said in A Guide to current NtopNG on pfSense 2.6/22.01 :-):

@keyser I'm sorry to report that even if this works, it has serious issues when/if upgrades come.

Various important things will never get updated, so one has to reinstall from scratch.

I suspect the issue is that pkg prefers to fetch things from general bsd repos and not pf, thus producing unexpected results.

Certainly not worth the effort/ uncertainty it produces in the long run

It’s true that it will not work without a “redo” of the process after a pfsense version upgrade.
Thats because pfsense after a upgrade will install the pfsense NtopNG package from scratch.
But if you disable NtopNG before upgrading, you can immediately redo the above process after a pfsense version upgrade, and thus reinstall the latest NtopNG - before the old buggy version included in the package starts and maybe causes corruption to the stored timeseries data.

Personally this makes NtopNG usable and a Very valued Daily tool, so it’s worth the trouble for me :-) I guess you dont really have a need for NtopNG because the buggy version included in the current package is completely useless and impossible to “live” with.

Here’s hoping that 22.05/2.7 will include an updated NtopNG in the official package so this “hack” is not needed. In that case it might even upgrade “and just work” with the current NtopNG data and settings from your hacked install.

netblues

@keyser Well, yes and no
The problem isn't contained to ntopng per se
Pfsense can't update it self properly.
and you end up with a system that misses critical components, such as mpd , needed for pppoe, and if this is your only way to connect, then you are left with no means to manualy fix things.

I doubt that disabling ntopng will make the upgrade process work as expected again.

The safe way is to install from scratch and then restore configuration.

22.-5 rc is on ntopng v.5.2.220602 (FreeBSD 12.3)
and since we are approaching release, I doubt it will change.
Same package version (08.13_10) also appears at the 2.7 dev for now.