
Recap
In Parts 1-4, we created a feature-rich home router using VyOS and AdGuard Home. In this article, we’re going to add the final building block to our home router: traffic monitoring with ntopng.
What is ntopng
ntopng is a network monitoring tool that uses Deep Packet Inspection to identify traffic at the application layer. This means that it knows not only that you’re communicating with a specific IP and port, but also the nature of the traffic (e.g. YouTube, Facebook, Netflix, etc.).
Adding the ntopng container image
Just like with AdGuard, we’re going to install ntopng as a container, so we need to pull down the container image. We do that with the following Op Mode command.
add container image ntop/ntopng:stable
We can verify that we have the image with this Op Mode command.
admin@GK41:~$ show container image
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/adguard/adguardhome latest 879554cce44b 10 days ago 74.8 MB
docker.io/ntop/ntopng stable 86f51b36c748 2 weeks ago 1.61 GB
Next we need to create a few directories in the /config/containers/ directory like we did for AdGuard. “main” will store the general ntopng configuration, and “redis” will be used to store database data for ntopng.
sudo mkdir -p /config/containers/ntopng/main
sudo mkdir -p /config/containers/ntopng/redis
Once all of that is done, we can configure the container. Like AdGuard, we will use host networking for this container.
set container name ntopng allow-host-networks
We need to pass some additional arguments to ntopng.
set container name ntopng arguments '--community -i eth1 -i eth2 -d /var/lib/ntopng -r 127.0.0.1:6379@0 -w 10.0.0.1:3001'
These require some additional explanation.
- --community: ntop offers a free community license for ntopng. This argument tells the container to use the community license.
- -i eth1 -i eth2: These are the interfaces that ntopng will monitor. For us, this means monitoring both our LAN and WAN interfaces.
- -d /var/lib/ntopng: This tells ntopng where to store its data. It is separate from the volume mapping: the volume mapping maps this directory to a host directory, while ‘-d’ tells ntopng which directory is its data directory.
- -r 127.0.0.1:6379@0: ntopng uses redis as its database. This argument tells it to look for redis on 127.0.0.1/6379 (ip/port). The “@0” at the end is the database ID.
- -w 10.0.0.1:3001: This is the listening address and port for the web console.
We need to allow the container to create raw network sockets.
set container name ntopng capability net-raw
We need to tell the container to use the proper image.
set container name ntopng image 'ntop/ntopng:stable'
And finally, we need to map our volumes between the container and host.
set container name ntopng volume NTOP destination '/var/lib/ntopng'
set container name ntopng volume NTOP source '/config/containers/ntopng/main'
set container name ntopng volume redis destination '/var/lib/redis'
set container name ntopng volume redis source '/config/containers/ntopng/redis'
Allowing redis traffic through the input firewall chain
We block all traffic to the input firewall chain unless it’s return traffic that we originated, or the traffic is coming in on “eth2” (our LAN interface). ntopng reaches redis at 127.0.0.1:6379, which goes over the loopback interface, so we need to allow input traffic from the “lo” interface.
set firewall ipv4 input filter rule 1010 action 'accept'
set firewall ipv4 input filter rule 1010 inbound-interface name 'lo'
We can look at the full config, and if everything looks good, we can commit it.
admin@GK41# compare
set container name ntopng allow-host-networks
set container name ntopng arguments '--community -i eth1 -i eth2 -d /var/lib/ntopng -r 127.0.0.1:6379@0 -w 10.0.0.1:3001'
set container name ntopng capability 'net-raw'
set container name ntopng image 'ntop/ntopng:stable'
set container name ntopng volume NTOP destination '/var/lib/ntopng'
set container name ntopng volume NTOP source '/config/containers/ntopng/main'
set container name ntopng volume redis destination '/var/lib/redis'
set container name ntopng volume redis source '/config/containers/ntopng/redis'
set firewall ipv4 input filter rule 1010 action 'accept'
set firewall ipv4 input filter rule 1010 inbound-interface name 'lo'
commit
Allowing writing of redis database
We need to allow the container to write the database file to the disk. ntopng will work without this, but settings will not get saved, so you’ll have to change the password every time the container restarts.
We can modify the permissions from within the container. To connect to the container, run this from Op Mode.
admin@GK41# run connect container ntopng
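From within the container, change the permissions for the “redis” directory. Mode 777 makes the directory writable by every user, and because it is a bind mount, the same mode applies to /config/containers/ntopng/redis on the host.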
chmod 777 /var/lib/redis
You can exit out of the container after typing that command. You can verify that it worked by looking at the contents of the /config/containers/ntopng/redis folder.
admin@GK41# sudo ls /config/containers/ntopng/redis/
dump.rdb
NOTE: This file is not constantly written to disk, so if it’s not there after this, just continue on with everything. It should get written eventually.
Verify the container is running
We can verify that the container is running with this Op Mode command.
admin@GK41# run show container
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f0469d822a6b docker.io/adguard/adguardhome:latest --no-check-update... 2 hours ago Up 2 hours AdGuard
27dc2f0df285 docker.io/ntop/ntopng:stable --community -i et... 11 minutes ago Up 11 minutes ntopng
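With host networking, the container's listeners open directly on the router, so it is worth confirming that the web console and redis are bound only to the addresses given in the arguments. The check below is an added example, not part of the original post; the function name audit_listeners and the sample socket list are constructed, and accepting [::1] for redis is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Expected bindings come from the
# ntopng arguments above: web console on 10.0.0.1:3001, redis on loopback:6379.

# audit_listeners: reads `ss -Hltn` output on stdin and prints one line per
# problem. Returns non-zero if anything was reported.
audit_listeners() {
    awk '
    function ok(port, addr) {
        if (port == "3001") return addr == "10.0.0.1"
        if (port == "6379") return addr == "127.0.0.1" || addr == "[::1]"
        return 1
    }
    BEGIN { watch["3001"] = "ntopng web console"; watch["6379"] = "redis" }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (!(port in watch)) next
        seen[port] = 1
        if (!ok(port, addr)) {
            printf "EXPOSED %s: port %s bound to %s\n", watch[port], port, addr
            bad = 1
        }
    }
    END {
        for (p in watch) if (!(p in seen)) {
            printf "MISSING %s: nothing listening on port %s\n", watch[p], p
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample in `ss -Hltn` layout: redis bound to every address.
SAMPLE='LISTEN 0 4096 10.0.0.1:3001 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners || true
# On the router itself: sudo ss -Hltn | audit_listeners
```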
Accessing ntopng
If the container is running just fine, you can access the ntopng dashboard from http://<IP on VyOS>:3001. I use http://10.0.0.1:3001 since I have a dummy interface with that IP. Notice that this is also the IP and port we used in the ntopng arguments.
The default creds will be admin/admin

After entering the default creds, you will be prompted to create a new password for the admin account.

After you have created the new password, you’ll be dropped into the ntopng dashboard. From there, you’ll be able to see a summary of traffic in the dashboard, or look at the live flows under the Flows->Live page. I encourage you to play around in it and see everything it has to offer. You can find more information about the ntopng Web GUI here: https://www.ntop.org/guides/ntopng/web_gui/index.html

One more note: even with ntopng running, I can max out my 1 Gbps internet on my $100 USD Mini PC.
Conclusion
There’s far too much on the dashboard to try to go over in this blog post, but this post will have told you how to get up and running with ntopng.
A friend of mine has been turning my blog posts into videos. A video can help demo some of what ntopng offers. Keep a lookout for that video on https://www.youtube.com/@level0networking





