vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-04-28 23:19:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/doc/README.inline

203 lines
6.4 KiB
Text
Raw Blame History

Using ntopng Inline
-------------------
Traditionally ntopng has been used to passively monitor traffic. However
ntopng can be used inline to block/shape traffic according to various
criteria such as host and application protocol.
In README.netfilter you can read how to do this with netfilter that
is mostly used when using it on network routers. Instead you can use ntopng
on a totally passive way (transparent bridge) so that you can enforce
network policies without having to change IP address or any other
network setup such as the DNS address or the gateway IP address.
When used inline ntopng bridges the traffic of two network interfaces.
There are two possible setups for using ntopng inline on a transparent
fashion, when operating on an existing network.
Supposing to have this network
+------------------+ +-----------+
| Internet Gateway | <---> | Switch |
+------------------+ +-----------+
| |
V V
PC1 PC2
where we want to use ntopng to enforce Internet traffic policies.
+------------------+ +-----------+ +-----------+
| Internet Gateway | <---> | ntopng | <---> | Switch |
+------------------+ +-----------+ +-----------+
| |
V V
PC1 PC2
You can use a box with 1+1 interfaces (one for reaching the box and
one for connecting to the Internet) or with 2+1 (two for connecting the
switch to the Internet and one for reaching the box).
Netfilter (Linux-only) traffic policy is available in all ntopng
versions, whereas interface bridging needs at least the Pro version.
Packages are available at http://packages.ntop.org/
Using ntopng bridging in 2+1 mode
----------------------------------
In this setup the management interface is used to access the box, and
two additional interfaces are use for bridging traffic.
0. Suppose you want to bridge zc:eth3 with zc:eth4. If the
interface names are different please adapt tools/load_hugepages.sh
In case you are using non-ZC interfaces there is no need to
run load_hugepages.sh
1. We suppose that you have PF_RING compiled with this layout
- PF_RING
- ntopng
if not modify tools/load_hugepages.sh
3. Make sure you have executed once ../tools/load_hugepages.sh
3. Start ntopng as follows
ntopng -i "bridge:zc:eth3,zc:eth4"
Using ntopng bridging in 1+1 mode
----------------------------------
You can implement this setup very easily using for instance a Raspberry PI3
that is equipped with a ethernet interface (eth0) that connect the box
to the Internet, and a WiFi interface (wlan0) to which network clients
can attach.
In this setup you need to configure the interfaces as described below.
Using ntopng in routing mode
----------------------------
Supposing to have this network configuration
eth0 +-----------+ eth1
Internet <----> | ntopng | <----> Local network
+-----------+
- eth0 connects to the Internet
- eth1 connects your clients
- you want the ntopng box to NAT your clients and assign them an IP
address with DHCP. The private network used for NAT
will be 172.16.0.0/24 , and your ntopng box will act
as gateway at IP 172.16.0.1 (just as example).
PRIOR TO START NTOPNG, you need to do once:
1. Setup a tap interface on your box
# tunctl -t tap0
# ifconfig tap0 172.16.0.1 netmask 255.255.255.0
# ifconfig tap0 up
2. Setup NAT
# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface tap0 -j ACCEPT
3. Setup your DHCP server serving addresses on tap0 from
network 172.16.0.0/24 (of course except 172.16.0.1 that is
used by ntopng)
Then you can start ntopng as:
# ntopng -i bridge:tap0,eth1 -m "172.16.0.0/24" -w 80,3000
* Debian-based distributions
----------------------------
For Debian-based distributions such as Raspbian the configuration is as follows.
$ cat /etc/network/interfaces
...
auto eth0
iface eth0 inet manual
up ifconfig eth0 up
# https://help.ubuntu.com/community/Network%20Bridge%20with%20a%20Tap!
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge stp off
bridge_maxwait 0
bridge_fd 0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
...
Done this and installed ntopng from the ntop repository you can start
ntopng as follows:
# ntopng -i bridge:br0,wlan0 -w 80,3000
Note for Raspbian linux: The new dhcp client ignores what the
interfaces files does and doing its own things. This may cause
innterfaces configured with 'inet manual' to get an ip address via
dhcp. To prevent this behavior, /etc/dhcpcd.conf should be edited to
to tell the DHCP daemon to completely ignore the physical interfaces:
denyinterfaces eth0
denyinterfaces wlan0
Ref: https://www.raspberrypi.org/forums/viewtopic.php?p=798866#p798866
* Centos 7
----------
In order to setup the linux bridge on Centos 7, it is required to edit
files under /etc/sysconfig/network-scripts/
For example, assuming we want to create a linux bridge br0 attached
to physical NIC eno1, we can configure NIC configuration files as
follows
[mainardi@develv5 ~]$ cat /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
STP=no
NAME=br0
ONBOOT=yes
[mainardi@develv5 ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eno1
DEVICE=eno1
HWADDR=
ONBOOT=yes
NETMASK=
GATEWAY=
TYPE=Ethernet
# Bridge
BRIDGE=br0
Having set up network interfaces as above, and assuming the interface
that faces clients is enp7s0f1, then ntopng can be started
as follows:
# ntopng -i bridge:br0,enp7s0f1 -w 80,3000
It may be necessary to manually bring interface enp7s0f1 up with
# ifconfing enp7s0f1 up
Enabling Captive Portal
-----------------------
Captive portal is used to authenticate legitimate users and bind them to the
correct host pool. In order to enable this feature
- you need the enterprise version of ntopng
- the captive portal option must be enabled in the ntopng preferences menu
- ntopng must be active on port 80 (and port a different port) for authenticating users (-w 80,3000)
- you can optionally start ntopng also in SSL (port 443) but you must have port 80 active
When the captive portal is used, port 80 is used only for that purpose (i.e. it cannot be
used to connect to the ntop GUI), whereas ntopng users can connect to port 3000. Please
refer to README.captive_portal for more information about this topic.
Reference in a new issue View git blame Copy permalink