Monitoring network traffic on OPNsense with the os-ntopng plugin

Task:
---------------------------------------------------------------
Install the ntopng traffic analyzer on an OPNsense router
ntopng is a high-speed traffic analyzer with a real-time web interface and the ability to sort traffic by various criteria.
Go to the menu "System > Firmware > Plugins" and select the "os-ntopng" plugin.

Install log:
***GOT REQUEST TO INSTALL: os-ntopng***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 13 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
groff: 1.22.4_3
libmaxminddb: 1.4.3
libpaper: 1.1.24.4
libsodium: 1.0.18
libzmq4: 4.3.1_1
mysql56-client: 5.6.49
ndpi: 3.2.d20200721,1
norm: 1.5r6_1
ntopng: 4.0.d20200710,1
openpgm: 5.2.122_6
os-ntopng: 1.2
psutils: 1.17_5
uchardet: 0.0.7
Number of packages to be installed: 13
The process will require 111 MiB more space.
13 MiB to be downloaded.
[1/13] Fetching os-ntopng-1.2.txz: . done
[2/13] Fetching ntopng-4.0.d20200710,1.txz: .......... done
[3/13] Fetching libsodium-1.0.18.txz: .......... done
[4/13] Fetching ndpi-3.2.d20200721,1.txz: .......... done
[5/13] Fetching libzmq4-4.3.1_1.txz: .......... done
[6/13] Fetching openpgm-5.2.122_6.txz: .......... done
[7/13] Fetching norm-1.5r6_1.txz: .......... done
[8/13] Fetching libmaxminddb-1.4.3.txz: ..... done
[9/13] Fetching mysql56-client-5.6.49.txz: .......... done
[10/13] Fetching groff-1.22.4_3.txz: .......... done
[11/13] Fetching uchardet-0.0.7.txz: .......... done
[12/13] Fetching psutils-1.17_5.txz: .......... done
[13/13] Fetching libpaper-1.1.24.4.txz: ... done
Checking integrity... done (0 conflicting)
[1/13] Installing libpaper-1.1.24.4...
[1/13] Extracting libpaper-1.1.24.4: .......... done
[2/13] Installing uchardet-0.0.7...
[2/13] Extracting uchardet-0.0.7: .......... done
[3/13] Installing psutils-1.17_5...
[3/13] Extracting psutils-1.17_5: .......... done
[4/13] Installing openpgm-5.2.122_6...
[4/13] Extracting openpgm-5.2.122_6: .......... done
[5/13] Installing norm-1.5r6_1...
[5/13] Extracting norm-1.5r6_1: .... done
[6/13] Installing groff-1.22.4_3...
[6/13] Extracting groff-1.22.4_3: .......... done
[7/13] Installing libsodium-1.0.18...
[7/13] Extracting libsodium-1.0.18: .......... done
[8/13] Installing ndpi-3.2.d20200721,1...
[8/13] Extracting ndpi-3.2.d20200721,1: .......... done
[9/13] Installing libzmq4-4.3.1_1...
[9/13] Extracting libzmq4-4.3.1_1: .......... done
[10/13] Installing libmaxminddb-1.4.3...
[10/13] Extracting libmaxminddb-1.4.3: .......... done
[11/13] Installing mysql56-client-5.6.49...
[11/13] Extracting mysql56-client-5.6.49: .......... done
[12/13] Installing ntopng-4.0.d20200710,1...
===> Creating groups.
Creating group 'ntopng' with gid '288'.
===> Creating users
Creating user 'ntopng' with uid '288'.
[12/13] Extracting ntopng-4.0.d20200710,1: .......... done
[13/13] Installing os-ntopng-1.2...
[13/13] Extracting os-ntopng-1.2: .......... done
Stopping configd...done
Starting configd.
Migrated OPNsense\Ntopng\General from 0.0.0 to 0.0.1
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Ntopng: OK
=====
Message from openpgm-5.2.122_6:

--
===> NOTICE:

The openpgm port currently does not have a maintainer. As a result, it is more likely to have unresolved issues, not be up-to-date, or even be removed in the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
=====
Message from groff-1.22.4_3:

--
In order to be able to use the html driver, you need to install the following packages:
- ghostscript
- netpbm
=====
Message from mysql56-client-5.6.49:

--
Please be aware the database client is vulnerable to CVE-2015-3152 - SSL Downgrade aka "BACKRONYM". You may find more information at the following URL:

http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html

Although this database client is not listed as "affected", it is vulnerable and will not be receiving a patch. Please take note of this when deploying this software.
=====
Message from ntopng-4.0.d20200710,1:

--
ntopng runs a web interface service by default, it is suggested to protect such network accessible services with packet filters or TCP wrappers.

ntopng requires to connect to a redis server to work. Please install redis server from databases/redis or use -r option via ntopng_flags to specify a remote one.

ntopng supports IP geolocation, to enable this you should use the ntopng-geoip2update.sh script to update the maxminddb geolocation data to the latest version.

To pass a configuration file to ntopng, which overrides any command line arguments, add something like the following to rc.conf:

ntopng_flags="/path/to/file.conf"
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
Next: Services > Ntopng. The error shown there indicates that the Redis service is missing:
No Redis plugin found, please install via System > Firmware > Plugins and enable the service.

Install Redis

Install log:
***GOT REQUEST TO INSTALL: os-redis***
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
os-redis: 1.1
redis: 4.0.14_1
Number of packages to be installed: 2
The process will require 5 MiB more space.
522 KiB to be downloaded.
[1/2] Fetching os-redis-1.1.txz: ... done
[2/2] Fetching redis-4.0.14_1.txz: .......... done
Checking integrity... done (0 conflicting)
[1/2] Installing redis-4.0.14_1...
===> Creating groups.
Creating group 'redis' with gid '535'.
===> Creating users
Creating user 'redis' with uid '535'.
[1/2] Extracting redis-4.0.14_1: ......... done
[2/2] Installing os-redis-1.1...
[2/2] Extracting os-redis-1.1: .......... done
Stopping configd...done
Starting configd.
Keep version OPNsense\Redis\Redis (0.0.0)
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Redis: OK
=====
Message from redis-4.0.14_1:

--
To setup "redis" you need to edit the configuration file:
/usr/local/etc/redis.conf

To run redis from startup, add redis_enable="YES"
in your /etc/rc.conf.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
Start Redis

Now Ntopng will start without any problems. Configure the following parameters:
- Enable ntopng – enable the plugin
- HTTP Port – the port number of the ntopng web interface
- HTTPS Port – the port number of the ntopng web interface in HTTPS mode
- Certificate – the SSL certificate that will be used for HTTPS
- DNS mode – one of the IP-to-name resolution modes. I have not tested these modes yet and left it disabled.

Check that ntopng works from a browser:
- https://OPNsense_IP_address:3003/
- http://OPNsense_IP_address:3000/
Both ports give a connection error:
Connection timed out

Ntopng does not add firewall rules automatically. When working with the Firewall, I recommend getting used to aliases and adding rules only through them. Go to: Firewall > Aliases and press "+".

If you plan external access or operate in a hostile network, only HTTPS should be considered. In my case access will only be from a local network under my control.

I add a rule for the local interface: Firewall > Rules > LAN.

Configure as shown in the screenshots.

Save the firewall rule and check again from a browser. The default login and password are:
username | admin
password | admin
After the first login, the admin user's password must be changed.

Enjoy 🙂

Thanks, man