OPNsense Forum

English Forums => General Discussion => Topic started by: xpking on September 15, 2023, 02:51:35 AM

Title: How to get traffic + Geo location report
Post by: xpking on September 15, 2023, 02:51:35 AM
Dear all,

I am new to OPNsense.
I would like to have source IP, source port, dest resolved hostname, dest port, Geo location, time.
Is there any function or plugin in OPNsense that can provide such a report?
I tried Netflow and ntopng seems not able to do it. Or maybe I don't know how to set it up?

Please advise. Thank you.

Regards,
SK
Title: Re: How to get traffic + Geo location report
Post by: cookiemonster on September 15, 2023, 12:16:04 PM
Not an available "report" from OPN. You'll need to cobble it together.
Title: Re: How to get traffic + Geo location report
Post by: xpking on September 15, 2023, 04:52:05 PM
Thank you for your reply.
If I only need source IP, source port, dest resolved hostname, dest port, time, (no need Geo location), then I should be able to generate from OPNsense as this is a firewall?
Title: Re: How to get traffic + Geo location report
Post by: cookiemonster on September 15, 2023, 05:51:34 PM
Yes to a point, for clarity:
- source ip, source port, dest ip, dest port, time. This is indeed firewall bread and butter and is logged to log files according to user's logging preferred settings.
- dest hostname requires name resolution for external, hostnames records if internal. Translations are not logged.
- There is no "reporting" available out of the box that will output those as a preformatted output on a specified schedule. The log file values are what you would see in the firewall log but yes, that data is logged to file.
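
As an added illustration of the post above (not code from the thread or from OPNsense): a small Python parser that turns firewall log lines into the requested columns, resolving destination hostnames at report time because the log holds only IP addresses. The log field order, the sample lines and the function names are assumptions to check against your own log files.

```python
import csv
import socket

# Constructed sample lines (not from a real firewall). Assumed layout: RFC 5424
# syslog header, then the comma-separated filterlog record as the last token.
SAMPLE = [
    '<134>1 2023-09-15T17:51:34+00:00 fw.example filterlog 501 - [meta sequenceId="1"] '
    '84,,,0,igb0,match,block,in,4,0x0,,64,4242,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51514,443,0,S,1,,64240,,mss',
    '<134>1 2023-09-15T17:51:40+00:00 fw.example filterlog 501 - [meta sequenceId="2"] '
    '84,,,0,igb0,match,pass,out,4,0x0,,64,4243,0,none,1,icmp,84,192.0.2.10,198.51.100.9,request,1,1',
    '<134>1 2023-09-15T17:52:02+00:00 fw.example filterlog 501 - [meta sequenceId="3"] '
    '91,,,0,igb1,match,pass,in,6,0x00,0x00000,64,udp,17,48,2001:db8::10,2001:db8::53,40000,53,48',
]

# Index of the source-address field per IP version (assumed filterlog field order);
# dst, src port and dst port follow directly for TCP and UDP.
SRC_INDEX = {"4": 18, "6": 15}
PROTO_INDEX = {"4": 16, "6": 12}


def ptr_lookup(ip):
    """Reverse-resolve at report time; the firewall log itself holds no hostnames."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def parse_line(line, resolve=ptr_lookup):
    """Return a report row for a TCP/UDP record, or None for anything else."""
    parts = line.split()
    if len(parts) < 5 or parts[3] != "filterlog":
        return None
    fields = next(csv.reader([parts[-1]]))
    version = fields[8] if len(fields) > 8 else ""
    if version not in SRC_INDEX or len(fields) < SRC_INDEX[version] + 4:
        return None
    if fields[PROTO_INDEX[version]].lower() not in ("tcp", "udp"):
        return None  # ICMP and other protocols carry no ports
    i = SRC_INDEX[version]
    return {"time": parts[1], "action": fields[6], "src_ip": fields[i],
            "src_port": int(fields[i + 2]), "dst_host": resolve(fields[i + 1]),
            "dst_port": int(fields[i + 3])}


def build_report(lines, resolve=ptr_lookup):
    """Parse every line and keep only the rows that produced a report entry."""
    return [row for row in (parse_line(l, resolve) for l in lines) if row]
```

A PTR lookup done when the report is built can differ from the name the client originally resolved, so treat the hostname column as a hint rather than a record.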
Title: Re: How to get traffic + Geo location report
Post by: xpking on September 17, 2023, 03:41:06 AM
Thank you.
If I just need like keeping past 90 days records to review, what is the best option?
I think the firewall log doesn't have many filters and is difficult to read.
Title: Re: How to get traffic + Geo location report
Post by: cookiemonster on September 24, 2023, 10:56:45 PM
System > Settings > Logging. There in "Preserve logs (Days)" you can override the 30 days default.
Watch for disk usage, ensure you have enough space.
There you can also send the logs to a log server if you wanted/have one set up. Offloading the data.
You might also want to check out ntop-ng. OPN has a plugin for it.
Title: Re: How to get traffic + Geo location report
Post by: CJ on September 25, 2023, 04:29:17 PM
I believe there are some dashboards you can find online, probably built with something like grafana, that you can use with an external logging server in order to provide the capability you want with a nice view.

I forget where I saw them as I haven't had a chance to set one up myself yet.
Title: Re: How to get traffic + Geo location report
Post by: cookiemonster on September 25, 2023, 05:35:23 PM
Only grafana dashboards I've seen are for pf counters and stats but I'd like to see if you can remember what you saw.
Title: Re: How to get traffic + Geo location report
Post by: CJ on September 26, 2023, 03:49:19 PM
Quote from: cookiemonster on September 25, 2023, 05:35:23 PM
Only grafana dashboards I've seen are for pf counters and stats but I'd like to see if you can remember what you saw.

I think this is it. https://github.com/bsmithio/OPNsense-Dashboard

I make no claims to its quality as I've done nothing but look at the picture.  But one of the panels shows a geo representation of blocked events.

(https://raw.githubusercontent.com/bsmithio/OPNsense-Dashboard/master/Grafana-OPNsense.png)
Title: Re: How to get traffic + Geo location report
Post by: cookiemonster on September 26, 2023, 11:27:50 PM
nice, thanks.