How To Monitor Traffic Behind a Firewall (During and Post Pandemic)


Due to the pandemic, many people now work in a delocalised world: some work from home, others from the office. To make things even more complicated, remote workers used to connect to the company network via a VPN. While this option is still possible, many resources are now available from the cloud, making VPNs obsolete in some environments, in particular for a mobile workforce that connects to the Internet over a cellular network.

In the past months, some people contacted us to ask how they could:

  • Monitor the traffic in remote networks such as a small site or a home office.
  • Continuously check the connection speed of every worker, namely by running periodic checks such as the active tests offered by ntopng (ping, continuous ping and speedtest), so that the company can verify that the remote worker or site has sufficient and stable bandwidth to work productively.
  • Do all this while remote users may be behind a NAT (e.g. at home) or a CGNAT (e.g. on a mobile network connection).

The figure below shows you how you can achieve that.

As most of you know, in addition to popular tools such as nProbe and ntopng, we develop a decentralised peer-to-peer VPN named n2n that lets you create your own meshed network topology simply by installing a small piece of software named edge (part of the n2n toolkit) on each node and leveraging a supernode (also part of n2n) that allows remote edges to reach each other even when they sit behind a NAT. While you can run your own private supernode, ntop offers a public one at supernode.ntop.org in case you do not want to set one up. Note that even in this latter case your data is fully protected, since traffic is encrypted end to end between edges by n2n and the supernode only relays it. Using n2n you essentially create a network overlay that crosses firewalls and lets you reach remote network edges without worrying about constraints such as NAT. You can read more here about n2n configuration. Note that n2n nodes talk directly whenever the NAT allows it, so traffic may flow A->B directly while the reverse direction goes B->supernode->A.

Once n2n is set up, you have standard network connectivity (ping, HTTP, etc.) across the overlay and you can monitor your network without setting up any VPN server. Now let's build a simple monitoring example as in the picture above.

  • Start nProbe on each satellite node as follows:
    • nprobe -i eth0 --zmq tcp://192.168.X.1:1234 (where X is the network of the remote site)
  • Start ntopng at the central monitoring console as follows:
    • ntopng -i tcp://192.168.2.1:1234 -i tcp://192.168.3.1:1234 -i tcp://192.168.4.1:1234 -i "view:tcp://192.168.2.1:1234,tcp://192.168.3.1:1234,tcp://192.168.4.1:1234"
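To make the whole procedure concrete, here is an added shell example (not code from this post nor from the n2n or ntop projects) that assembles the edge, nProbe and ntopng command lines for any list of site numbers X, using the site numbering of the commands above. Everything it assumes is not stated on the page: the n2n community name ntopmon, the shared key taken from $N2N_KEY, the public supernode on UDP port 7777, a /16 overlay netmask (the n2n 2.x -s flag) so that the 192.168.X.1 addresses can reach each other, the console edge at 192.168.1.1, and ZMQ port 1234 on every site.

```shell
#!/bin/sh
# Added example, not part of the original ntop post: assemble the n2n, nProbe and
# ntopng command lines for a set of satellite sites, each addressed as 192.168.X.1
# on the overlay (X = site number, as in the post). Assumed, not from the post:
# community "ntopmon", the shared key in $N2N_KEY, the public supernode on port
# 7777, a /16 overlay netmask and ZMQ port 1234 on every site.
# Print the commands, then run each one on the machine it belongs to.

ZMQ_PORT=1234
SUPERNODE="supernode.ntop.org:7777"                  # port assumed
COMMUNITY="ntopmon"                                   # assumed community name
NETMASK="255.255.0.0"                                 # flat /16 overlay (assumed)
N2N_KEY="${N2N_KEY:-replace-with-a-long-random-key}"  # never deploy the default

# A site number must be an integer in 2..254 (1 is kept for the console).
site_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# ZMQ endpoint on which nProbe at site X binds: its n2n overlay address.
zmq_endpoint() {
    printf 'tcp://192.168.%s.1:%s' "$1" "$ZMQ_PORT"
}

# edge command for site X: join the community with the static address 192.168.X.1.
edge_cmd() {
    printf 'edge -c %s -k %s -a 192.168.%s.1 -s %s -l %s' \
        "$COMMUNITY" "$N2N_KEY" "$1" "$NETMASK" "$SUPERNODE"
}

# nProbe command for site X: sniff the local LAN, export flows over ZMQ on the overlay.
nprobe_cmd() {
    printf 'nprobe -i eth0 --zmq %s' "$(zmq_endpoint "$1")"
}

# ntopng command for the console: one -i per site plus a view: interface that
# aggregates them all. Fails (return 1) on an invalid site number so a typo
# cannot silently leave a probe out of the view.
ntopng_cmd() {
    args="ntopng"
    view=""
    for x in "$@"; do
        site_ok "$x" || { echo "bad site number: $x" >&2; return 1; }
        ep=$(zmq_endpoint "$x")
        args="$args -i $ep"
        view="${view:+$view,}$ep"
    done
    printf '%s -i "view:%s"' "$args" "$view"
}

# Demo for the three sites of the post; the console edge sits at 192.168.1.1 (assumed).
for site in 2 3 4; do
    echo "# site $site"
    edge_cmd "$site"; echo
    nprobe_cmd "$site"; echo
done
echo "# console"
echo "edge -c $COMMUNITY -k $N2N_KEY -a 192.168.1.1 -s $NETMASK -l $SUPERNODE"
ntopng_cmd 2 3 4; echo
```

The ntopng command is built from the same list of site numbers as the nProbe exporters, so adding a site means adding one number rather than editing four strings by hand, and a bad site number makes the function fail instead of silently dropping a probe from the view. Keep the community key out of shell history and scripts (export it in the environment or read it from a root-only file): anyone who has it can join the overlay and reach every monitored site.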

and this is the final result

Enjoy !