Using ntopng to Implement a WiFi Access Point with Layer 7 Traffic Enforcement

Posted · Add Comment

 

This post will teach you how to create a cheap WiFi access point able to enforce layer-7 application protocols. In order to do this you can use a cheap RaspberryPi or BeagleBoard with a USB WiFi stick, or use a x86 PC.

 

beagleboard

The USB stick we use is the following

# lsusb
Bus 002 Device 003: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter

and once plugged onto a USB port it is immediately recognised by Linux (in this post we use Ubuntu Linux but other distro will work as well). As described in this article, you just need to edit /etc/network/interfaces and add something like

allow-hotplug wlan0
iface wlan0 inet static
address 192.168.100.1
netmask 255.255.255.0

as well create your /etc/hostapd/hostapd.conf configuration file similar to ours

# cat /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=ntop
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=ntop_password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Done this we’re ready to start ntopng. Before doing that we need to
# ethtool -K wlan0 gro off gso of
# ethtool -K eth0 gro off gso off tso off

that prevents the network adapter to return to user-space packets large than the MTU (this is a problem because ntopng acts as a bridge and this it cannot transmit packets when they are larger than the MTU). It is now time to start ntopng that will act as a bridge between the wired and the wireless interface:

ntopng -i bridge:eth0,wlan0

Now the interfaces are bridged and wireless clients can connect to the Internet without restrictions.

 

Screen Shot 2015-08-03 at 22.48.56

 

We use a MacBook connected to the WiFi as a client and we want to prevent our notebook to do any Skype traffic. In order to do that we need to click on the host name, that displays host details.

 

Screen Shot 2015-08-03 at 22.49.13

Then click on the “Modify Host Traffic Policy” that opens a new page where the protocol to drop can be specified for this host.

 

Screen Shot 2015-08-03 at 22.49.34In the left panel, type Skype, then click on the right arrow to move the protocol under the black listed protocols list. In order to activate the configuration you need to click on “Set Protocol Policy and Shaper”.

 

Screen Shot 2015-08-03 at 22.50.40

 

As soon as Skype is started, you will see Skype flows being identified by ntopng with a strikethrough font to highlight that the traffic is blocked. You can verify this because the Skype client on the notebook is unable to login onto the Skype network and thus calls and messages are disabled, while all the other protocols work as usual. This is just the beginning as you can add traffic shaping and much more. At any time you can check how much traffic has been filtered by ntopng by looking the the interface statistics under the ntop’s Interfaces menu.

 

Screen Shot 2015-08-03 at 22.51.04

Now you know how to use ntopng to enforce network traffic policies. Using the flexible configuration GUI, you can set default policies on your network (for instance block FaceBook for everyone) and add exceptions (don’t block FaceBook for PC x,y,z). You can do all the configurations using the ntopng web GUI without using any command line tool. Just a couple of reminders:

  • You can use ntopng as bridge with two (as just described) or three network interfaces. The only difference is that in two network interfaces mode, the WiFi client is unable to talk with the IP address of the wired interface (i.e. if you want to speak with the ntopng host, your wireless clients must contact the IP of the WiFi interface).
  • Two network interface bridging is available only on ntopng packages build on August 3rd 2015 or later.
  • ntopng bridging is available only in the pro version of ntopng, so make sure you have a license or that the demo mode is not yet expired.

Enjoy !