Messages - mihak

#46
Graphing of network stuff on OPNSense? Wasn't ntopng born to do exactly that? :)
#47
Large websites like BBC.com use more than just one IP address, so the advice above will work only when DNS resolution of bbc.com returns that specific IP address you put into the rule. You are up to a game of whack-a-mole if you hope to block large global websites by their IP addresses...

See my other post about Netflix on how to approach blocking with Sensei or DNS.
#48
Let me suggest three options:
1. install Sensei plugin and enable block rule for Netflix (under Policies - App controls - Media streaming - Netflix)
2. block resolution of *.netflix.com on unbound DNS service (under Services - Unbound DNS - Overrides)
3. make firewall rules for all Netflix IP addresses:

45.57.0.0/17,45.57.1.0/24,45.57.2.0/24,45.57.3.0/24,45.57.4.0/24,45.57.5.0/24,23.246.0.0/18,23.246.2.0/24,
23.246.3.0/24,23.246.6.0/24,23.246.7.0/24,45.57.11.0/24,45.57.14.0/24,45.57.15.0/24,45.57.16.0/24,
45.57.17.0/24,45.57.18.0/24,45.57.19.0/24,45.57.20.0/24,45.57.21.0/24,45.57.22.0/24,45.57.23.0/24,
45.57.36.0/24,45.57.37.0/24,45.57.42.0/24,45.57.44.0/24,45.57.45.0/24,45.57.48.0/24,45.57.49.0/24,
45.57.56.0/24,45.57.58.0/24,45.57.59.0/24,45.57.60.0/24,45.57.62.0/24,45.57.63.0/24,198.38.96.0/19,
198.38.96.0/24,198.38.97.0/24,198.38.98.0/24,198.38.99.0/24,198.45.48.0/20,198.45.48.0/24,
198.45.49.0/24,198.45.56.0/24,23.246.14.0/24,23.246.15.0/24,23.246.16.0/24,23.246.17.0/24,
23.246.20.0/24,23.246.22.0/24,23.246.23.0/24,23.246.24.0/24,23.246.25.0/24,23.246.26.0/24,
23.246.27.0/24,23.246.28.0/24,23.246.29.0/24,23.246.30.0/24,23.246.31.0/24,23.246.36.0/24,
23.246.42.0/24,23.246.46.0/24,23.246.47.0/24,23.246.48.0/24,23.246.49.0/24,23.246.50.0/24,
23.246.51.0/24,23.246.52.0/24,23.246.54.0/24,23.246.55.0/24,23.246.56.0/24,23.246.57.0/24,
23.246.58.0/24,37.77.184.0/21,37.77.186.0/24,37.77.187.0/24,37.77.188.0/24,37.77.189.0/24,
69.53.225.0/24,108.175.32.0/20,192.173.64.0/18,198.38.100.0/24,198.38.101.0/24,198.38.108.0/24,
198.38.109.0/24,198.38.110.0/24,198.38.111.0/24,198.38.112.0/24,198.38.113.0/24,198.38.114.0/24,
198.38.115.0/24,198.38.116.0/24,198.38.117.0/24,198.38.118.0/24,198.38.119.0/24,198.38.120.0/24,
198.38.121.0/24,198.38.124.0/24,198.38.125.0/24,54.144.0.0-54.159.255.255,34.192.0.0-34.255.255.255,52.32.0.0-52.63.255.255,23.32.0.0-23.67.255.255,52.84.0.0-52.95.255.255,
54.64.0.0-54.71.255.255,52.84.0.0-52.95.255.255,54.184.0.0-54.187.255.255,
35.160.0.0-35.167.255.255,52.0.0.0-52.31.255.255,35.160.0.0-35.167.255.255,
54.200.0.0-54.203.255.255
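As an added example (my own, not part of mihak's post or anything from OPNsense): a Python script that takes the list above, which mixes CIDR blocks with first-last ranges, repeats some entries and lists many /24s already covered by a larger block, and normalizes it into a deduplicated CIDR list, one network per line, which is the form an OPNsense "Network(s)" alias accepts. The summary it prints also makes the whack-a-mole point from the previous post visible: once the two adjacent 52.x /11 ranges merge into 52.0.0.0/10 it is obvious how much address space beyond Netflix such a rule covers.

```python
from ipaddress import IPv4Network, collapse_addresses, ip_address, ip_network, summarize_address_range

# The list from the post above, copied verbatim: CIDR blocks and "first-last"
# ranges are mixed, some entries repeat, and many /24s sit inside larger blocks.
POSTED_LIST = """
45.57.0.0/17,45.57.1.0/24,45.57.2.0/24,45.57.3.0/24,45.57.4.0/24,45.57.5.0/24,23.246.0.0/18,23.246.2.0/24,
23.246.3.0/24,23.246.6.0/24,23.246.7.0/24,45.57.11.0/24,45.57.14.0/24,45.57.15.0/24,45.57.16.0/24,
45.57.17.0/24,45.57.18.0/24,45.57.19.0/24,45.57.20.0/24,45.57.21.0/24,45.57.22.0/24,45.57.23.0/24,
45.57.36.0/24,45.57.37.0/24,45.57.42.0/24,45.57.44.0/24,45.57.45.0/24,45.57.48.0/24,45.57.49.0/24,
45.57.56.0/24,45.57.58.0/24,45.57.59.0/24,45.57.60.0/24,45.57.62.0/24,45.57.63.0/24,198.38.96.0/19,
198.38.96.0/24,198.38.97.0/24,198.38.98.0/24,198.38.99.0/24,198.45.48.0/20,198.45.48.0/24,
198.45.49.0/24,198.45.56.0/24,23.246.14.0/24,23.246.15.0/24,23.246.16.0/24,23.246.17.0/24,
23.246.20.0/24,23.246.22.0/24,23.246.23.0/24,23.246.24.0/24,23.246.25.0/24,23.246.26.0/24,
23.246.27.0/24,23.246.28.0/24,23.246.29.0/24,23.246.30.0/24,23.246.31.0/24,23.246.36.0/24,
23.246.42.0/24,23.246.46.0/24,23.246.47.0/24,23.246.48.0/24,23.246.49.0/24,23.246.50.0/24,
23.246.51.0/24,23.246.52.0/24,23.246.54.0/24,23.246.55.0/24,23.246.56.0/24,23.246.57.0/24,
23.246.58.0/24,37.77.184.0/21,37.77.186.0/24,37.77.187.0/24,37.77.188.0/24,37.77.189.0/24,
69.53.225.0/24,108.175.32.0/20,192.173.64.0/18,198.38.100.0/24,198.38.101.0/24,198.38.108.0/24,
198.38.109.0/24,198.38.110.0/24,198.38.111.0/24,198.38.112.0/24,198.38.113.0/24,198.38.114.0/24,
198.38.115.0/24,198.38.116.0/24,198.38.117.0/24,198.38.118.0/24,198.38.119.0/24,198.38.120.0/24,
198.38.121.0/24,198.38.124.0/24,198.38.125.0/24,54.144.0.0-54.159.255.255,34.192.0.0-34.255.255.255,52.32.0.0-52.63.255.255,23.32.0.0-23.67.255.255,52.84.0.0-52.95.255.255,
54.64.0.0-54.71.255.255,52.84.0.0-52.95.255.255,54.184.0.0-54.187.255.255,
35.160.0.0-35.167.255.255,52.0.0.0-52.31.255.255,35.160.0.0-35.167.255.255,
54.200.0.0-54.203.255.255
"""


def parse_entry(entry: str) -> list[IPv4Network]:
    """Turn one list entry into CIDR networks; a first-last range may need several."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ip_address(p.strip()) for p in entry.split("-", 1))
        return list(summarize_address_range(first, last))
    return [ip_network(entry, strict=False)]


def normalize(entries) -> list[IPv4Network]:
    """Parse all entries, merge adjacent blocks, drop duplicates and covered subnets."""
    nets = []
    for entry in entries:
        if entry.strip():
            nets.extend(parse_entry(entry))
    return sorted(collapse_addresses(nets))


def summarize(entries) -> dict:
    """Counts that show how much the raw list shrinks and how much space it covers."""
    raw = [e for e in entries if e.strip()]
    nets = normalize(raw)
    return {
        "entries": len(raw),
        "networks": len(nets),
        "addresses": sum(n.num_addresses for n in nets),
    }


def posted_networks() -> list[IPv4Network]:
    """The list from the post, normalized."""
    return normalize(POSTED_LIST.replace("\n", "").split(","))


if __name__ == "__main__":
    # One CIDR per line, ready to paste into an OPNsense Network(s) alias.
    for net in posted_networks():
        print(f"{net!s:<20} {net.num_addresses:>10} addresses")
    print(summarize(POSTED_LIST.replace("\n", "").split(",")))
```

The script relies only on the standard ipaddress module: summarize_address_range splits a first-last range into aligned CIDR blocks (23.32.0.0-23.67.255.255 becomes 23.32.0.0/11 plus 23.64.0.0/14), and collapse_addresses removes duplicates, drops the /24s that sit inside a /17 or /18, and merges adjacent siblings. If you do go the IP route, keeping the alias in this normalized form keeps the pf table small and makes it obvious when an entry is far broader than the service you meant to block.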
#49
Help us with a picture; what is your chain of traffic? WAN - Net1 - Virtual - Net2? Is Net2 connected to the same router as WAN and Net1? A picture with networks, devices, and connections would help tons.
#50
General Discussion / Re: How to allow ping on WAN ?
January 14, 2021, 03:06:10 AM
It depends on your needs, but it is typically better to limit ICMP by source address (who can ping you) than by type of ICMP (what control messages you allow).

By allowing Echo requests only but not other ICMP types, you might get some unpredictable results, especially if you start adding tunnels (IPv6 tunnel, VPN tunnel)...

So, relax your ICMP Type a bit - allow *all* ICMP types of traffic, but limit it to known/required IP sources.
#51
General Discussion / Re: Problem logging into ntopng
January 13, 2021, 12:00:44 AM
Executing redis-cli del user.admin.password typically does the trick - from https://www.ntop.org/guides/ntopng/faq.html#cannot-login-into-the-gui
#52
I am voting to add a plugin for nprobe so we could forward the information to an external ntopng
#53
20.7 Legacy Series / Re: ntopng keeps stopping
January 12, 2021, 06:00:08 PM
Did you try to upgrade to ntopng 4.3 from the ntop repo? Same issue?
#54
Perhaps we could differentiate stable and development packages? Unifi controller could have stable and development branch too...
#55
@mimugmail: how about adding the latest ntopng 4.3 (from ntop.org) into the repo?
#56
I don't know if this was just my problem, but my ntopng 4.3 service on OPNSense was failing periodically because it didn't have write permissions on the /var/db/ntopng directory structure. A (dirty) fix with chmod -R 777 * did the trick and made ntopng 4.3 stable on OPNSense.
#57
Nope, I just uninstalled and tried it fresh - ntopng 4.3 (from ntop repo) will not be prioritized over ntopng 4.0 (from OPNSense repo) even when priority is set below 11:
ntop: {
       url: "https://packages.ntop.org/FreeBSD/${ABI}/latest",
       priority : 5
       enabled: true
}
#58
OK, I figured out how to force OPNSense to choose the latest ntopng repo after it is added to the repo list:

sudo pkg install -r ntop -f ntopng nprobe n2disk
Updating ntop repository catalogue...
ntop repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        n2disk-3.7.210107 [ntop]
        nprobe-9.3.210107 [ntop]
        ntopng-4.3.210107 [ntop]

Number of packages to be reinstalled: 3

833 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching nprobe-9.3.210107.txz: 100%  667 KiB 170.8kB/s    00:04   
[2/2] Fetching n2disk-3.7.210107.txz: 100%  166 KiB 170.1kB/s    00:01   
Checking integrity... done (0 conflicting)
[1/3] Reinstalling ntopng-4.3.210107...
[1/3] Extracting ntopng-4.3.210107: 100%
[2/3] Reinstalling nprobe-9.3.210107...
[2/3] Extracting nprobe-9.3.210107: 100%
[3/3] Reinstalling n2disk-3.7.210107...
[3/3] Extracting n2disk-3.7.210107: 100%
#59
I followed the instructions on how to install ntopng 4.3:
https://packages.ntop.org/FreeBSD/

The problem is that even though I have a new repo added and visible to the pkg manager, it still doesn't want to pull ntopng from the ntop repo - it pulls it from the default OPNSense repo instead.

The new package is there:
> pkg search ntopng
ntopng-4.0.d20200917,1         Network monitoring tool with command line and web interfaces
os-ntopng-1.2                  Traffic Analysis and Flow Collection
os-ntopng-devel-1.2            Traffic Analysis and Flow Collection
ntopng-4.3.210107              High speed network traffic monitor

But pkg manager prefers to pull the old one instead of the new one:
> pkg info
...
ntopng-4.0.d20200917,1         Network monitoring tool with command line and web interfaces
...

It doesn't matter how high a priority I set in ntop.conf - pkg update will still pull from the OPNSense repo, not the ntop repo...
#60
General Discussion / Re: Firewall NAT Port Forward Help
January 05, 2021, 05:23:54 AM
IMAP/S connections at large email providers typically use the TLS option - they require a valid server certificate from a trusted certificate authority in order to establish a TLS IMAP session.

Are you sure you have a valid cert installed on your 192.168.1.3 so IMAP/S can authenticate successfully?
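As an added example (mine, not from the thread): a small Python check that connects to the forwarded IMAPS port the same way a mail client would, with Python's default TLS context, so it verifies the certificate chain against the local trust store and checks that the name matches. It separates "nothing reachable on the port" (a NAT/firewall problem) from "reachable but the certificate does not validate" (the problem the post suspects). The host 192.168.1.3 and port 993 are used as the defaults because they are what the thread discusses; everything else is assumption.

```python
import socket
import ssl
from datetime import datetime, timezone


def check_imaps_certificate(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Connect with TLS as a mail client would and report what happened.

    Returns a dict with "ok" True plus certificate details on success, or
    "ok" False with a "stage" of "connect", "tls" or "certificate" on failure.
    """
    # create_default_context() loads the system CA store, verifies the chain
    # and checks the hostname (or IP literal) against the certificate's SANs.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
                )
                # An IMAP server speaks first ("* OK ..."), which confirms the
                # forward actually lands on an IMAP daemon and not something else.
                greeting = tls.recv(256).decode("ascii", errors="replace").strip()
                return {
                    "ok": True,
                    "subject": dict(attr for rdn in cert["subject"] for attr in rdn),
                    "issuer": dict(attr for rdn in cert["issuer"] for attr in rdn),
                    "not_after": not_after.isoformat(),
                    "days_left": (not_after - datetime.now(timezone.utc)).days,
                    "greeting": greeting,
                }
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired, unknown CA or wrong name: clients will refuse too.
        return {"ok": False, "stage": "certificate", "reason": exc.verify_message}
    except ssl.SSLError as exc:
        # Handshake failed for another reason (e.g. plain IMAP on the port, no TLS).
        return {"ok": False, "stage": "tls", "reason": str(exc)}
    except OSError as exc:
        # Refused, timed out or unreachable: a forwarding/firewall issue, not a cert issue.
        return {"ok": False, "stage": "connect", "reason": str(exc)}


if __name__ == "__main__":
    import json
    import sys

    # Default target is the host from the thread; pass another host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.3"
    print(json.dumps(check_imaps_certificate(target), indent=2))
```

Run it against the public name your mail clients actually use (python3 check.py mail.example.org, a placeholder), not the LAN address: a certificate from a public CA carries the DNS name, so a check by IP will report a name mismatch even when the setup is fine. A "connect" failure means the port forward never reached the server; a "certificate" failure with the reason text is what you need to fix before any client will log in.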