This post will teach you how to create a cheap WiFi access point able to enforce layer-7 application protocols. In order to do this you can use a cheap RaspberryPi or BeagleBoard with a USB WiFi stick, or use a x86 PC.
The USB stick we use is the following
Bus 002 Device 003: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
and once plugged onto a USB port it is immediately recognised by Linux (in this post we use Ubuntu Linux but other distro will work as well). As described in this article, you just need to edit /etc/network/interfaces and add something like
iface wlan0 inet static
as well create your /etc/hostapd/hostapd.conf configuration file similar to ours
# cat /etc/hostapd/hostapd.conf
Done this we’re ready to start ntopng. Before doing that we need to
# ethtool -K wlan0 gro off gso of
# ethtool -K eth0 gro off gso off tso off
that prevents the network adapter to return to user-space packets large than the MTU (this is a problem because ntopng acts as a bridge and this it cannot transmit packets when they are larger than the MTU). It is now time to start ntopng that will act as a bridge between the wired and the wireless interface:
ntopng -i bridge:eth0,wlan0
Now the interfaces are bridged and wireless clients can connect to the Internet without restrictions.
We use a MacBook connected to the WiFi as a client and we want to prevent our notebook to do any Skype traffic. In order to do that we need to click on the host name, that displays host details.
Then click on the “Modify Host Traffic Policy” that opens a new page where the protocol to drop can be specified for this host.
In the left panel, type Skype, then click on the right arrow to move the protocol under the black listed protocols list. In order to activate the configuration you need to click on “Set Protocol Policy and Shaper”.
As soon as Skype is started, you will see Skype flows being identified by ntopng with a strikethrough font to highlight that the traffic is blocked. You can verify this because the Skype client on the notebook is unable to login onto the Skype network and thus calls and messages are disabled, while all the other protocols work as usual. This is just the beginning as you can add traffic shaping and much more. At any time you can check how much traffic has been filtered by ntopng by looking the the interface statistics under the ntop’s Interfaces menu.
Now you know how to use ntopng to enforce network traffic policies. Using the flexible configuration GUI, you can set default policies on your network (for instance block FaceBook for everyone) and add exceptions (don’t block FaceBook for PC x,y,z). You can do all the configurations using the ntopng web GUI without using any command line tool. Just a couple of reminders:
- You can use ntopng as bridge with two (as just described) or three network interfaces. The only difference is that in two network interfaces mode, the WiFi client is unable to talk with the IP address of the wired interface (i.e. if you want to speak with the ntopng host, your wireless clients must contact the IP of the WiFi interface).
- Two network interface bridging is available only on ntopng packages build on August 3rd 2015 or later.
- ntopng bridging is available only in the pro version of ntopng, so make sure you have a license or that the demo mode is not yet expired.