As the release of ntopng 2.0 is around the corner (we are fixing the last bugs, polishing the GUI and writing some documentation), we want to show how to turn a cheap device such as the Ubiquiti EdgeRouter into a traffic monitor and layer-7 policy enforcer, as depicted below.
NOTE: if you bridge traffic using ntopng, please make sure you do not create loops. A typical mistake is to connect both eth1 and eth2 to the same switch: don’t do that, as it creates a loop.
Step 1: Get Your Router
Buy a Ubiquiti EdgeRouter. We use the EdgeRouter Lite model (others will work too), which is cheap and has three Gigabit ports.
Step 2: Setup the Router
The first time you play with the router you should configure the package repositories, so that you can use the EdgeRouter as an embedded PC and, for instance, install the basic packages for compiling ntopng on the router (in case you want to develop on it). The steps are listed below.
# configure
[edit]
root@ubnt# edit system package
[edit system package]
root@ubnt# set repository squeeze components 'main contrib non-free'
[edit system package]
root@ubnt# set repository squeeze distribution squeeze
[edit system package]
root@ubnt# set repository squeeze url http://http.us.debian.org/debian
[edit system package]
root@ubnt#
[edit system package]
root@ubnt# set repository squeeze-security components main
[edit system package]
root@ubnt# set repository squeeze-security distribution squeeze/updates
[edit system package]
root@ubnt# set repository squeeze-security url http://security.debian.org
[edit system package]
root@ubnt#
[edit system package]
root@ubnt# top
[edit]
root@ubnt# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
root@ubnt# commit
[ system package repository squeeze ]
Adding new entry to /etc/apt/sources.list...

[ system package repository squeeze-security ]
Adding new entry to /etc/apt/sources.list...

[edit]
root@ubnt# exit
If you want to compile ntopng you need to install the packages below (needed also at runtime if you install the ntopng binary package).
root@ubnt# apt-get install libpcap-dev libtool rrdtool librrd-dev autoconf automake autogen redis-server wget libsqlite3-dev libgeoip-dev libcurl4-openssl-dev
Step 3: Install ntopng
If you do not want to compile ntopng yourself, you can install redis-server (prerequisite for ntopng) and ntopng/ntopng-data using the packages available at the ntop packages repository. Once you have downloaded all the packages you can do:
root@ubnt# dpkg -i redis-server_2.4.15-1~bpo60+2_mips.deb
root@ubnt# dpkg -i ntopng_1.99.150322-9208_mips.deb
root@ubnt# dpkg -i ntopng-data_1.99.150322-9208_all.deb
Step 4: Start ntopng
If you want to use ntopng to monitor the traffic flowing on eth1, you can start it as "ntopng -i eth1". If instead you want ntopng to bridge the eth1 and eth2 interfaces (inline mode), start it as "ntopng -i bridge:eth1,eth2". Remember to start redis-server before starting ntopng. If you want to make this configuration persistent, create a file named /etc/ntopng/ntopng.conf so that ntopng can be started as a service. It is now time to connect via HTTP to http://my_ubiquity_router:3000 and enjoy ntopng.
Finally, make sure you configure ntopng so that it does not use up all the (little) disk space available on the device. For instance, consider disabling RRD generation for hosts, or refrain from dumping flows to disk (it is better to send them to a remote ElasticSearch instance).
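The following launcher script is an added example, not part of the original post or of ntopng itself: it runs the sanity checks discussed above (two distinct, existing ports for bridge mode, redis up, enough free disk) before starting ntopng in either monitoring or bridge mode. The data directory, the 90% disk threshold, the use of redis-cli and the Debian "service" command are assumptions for an EdgeOS box; it cannot detect the switch loop from the NOTE, which must be avoided by cabling.

```shell
#!/bin/sh
# Added example (not from the ntop post): pre-flight checks and launcher
# for ntopng on an EdgeRouter. Data dir and disk threshold are illustrative.
DATA_DIR=${DATA_DIR:-/var/tmp/ntopng}
DISK_MAX_PCT=${DISK_MAX_PCT:-90}

# A bridge needs two distinct, existing interfaces. NOTE: this cannot see
# whether both ports are plugged into the same switch (the loop mistake).
check_ifaces() {
    in=$1; out=$2
    [ -n "$in" ] && [ -n "$out" ] || return 1
    [ "$in" != "$out" ] || return 1
    for i in "$in" "$out"; do
        [ -d "/sys/class/net/$i" ] || return 1
    done
    return 0
}

# Build the -i value: "eth1" for passive monitoring,
# "bridge:eth1,eth2" for inline bridging, as described in the post.
ntopng_iface_arg() {
    if [ -n "$2" ]; then
        printf 'bridge:%s,%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Succeed only if the filesystem holding $1 is below DISK_MAX_PCT used;
# a small flash device fills quickly if RRDs or flow dumps are left on.
disk_ok() {
    pct=$(df -P "$1" 2>/dev/null | awk 'NR==2 { sub("%", "", $5); print $5 }')
    [ -n "$pct" ] && [ "$pct" -lt "$DISK_MAX_PCT" ]
}

# start_ntopng <in_iface> [out_iface]: monitor mode with one argument,
# bridge mode with two. HTTP GUI on port 3000 (-w), daemonised (-e).
start_ntopng() {
    in=$1; out=$2
    if [ -n "$out" ] && ! check_ifaces "$in" "$out"; then
        echo "refusing to bridge '$in' and '$out'" >&2; return 1
    fi
    mkdir -p "$DATA_DIR"
    disk_ok "$DATA_DIR" || { echo "disk above ${DISK_MAX_PCT}% used" >&2; return 1; }
    # redis must be answering before ntopng starts (assumes redis-cli is installed)
    redis-cli ping 2>/dev/null | grep -q PONG || service redis-server start
    ntopng -i "$(ntopng_iface_arg "$in" "$out")" -w 3000 -d "$DATA_DIR" -e
}
```

Run it as "sh launcher.sh" after adding a final line such as start_ntopng eth1 eth2; the same arguments can be copied into /etc/ntopng/ntopng.conf once they are known to work.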