Monitor traffic between devices and external IP addresses? Maybe even ban external IP addresses?

Ever since getting PiHole and pfSense running on my network, I’ve grown increasingly curious as to what the devices on my network are doing.

PiHole only does so much; it can’t see anything that isn’t DNS traffic, and it doesn’t see when a client communicates directly with an IP without contacting the PiHole DNS server.

pfSense (AFAIK) is quite limited in network traffic analysis; all it does is give rough traffic graphs of the LAN and WAN, without mentioning which internal IPs are sending/receiving data with which external IPs.

Is there any piece of software that meets that middle ground for me? That will tell me which LAN device is communicating with which WAN IP address? I’d imagine that software would have to be run somewhere between the pfSense box and the internal network, but I’m not sure.

Any help and suggestions welcome!

Edit: I also thought about using Suricata (as recommended by the L1Techs team), but again it doesn’t do exactly what I’m looking for. However, I do plan on setting up Suricata in the future on my pfSense box.

While pfSense has its own limitations, you could stick a spare box with a dual-NIC and run a logging solution. Keep in mind using a dedicated box for banning external IPs will provide a false sense of security.

There are security gateways which do what you’re looking for in a spiffy low-power/small footprint (about the size of an 8-port switch or as large as 1U). The downside is that certain vendors either offer it as standard (no monthly cost, with limited log functions) or bundle the advanced analytics functions (logging packets per connected device to a USB 3.0 storage device) as part of a monthly service. If you want custom filtering such as domains (ex: blocking toxic ad serving) it’ll be a good idea to splurge for a security gateway with hardware which can handle that extra load; if I recall, 1-2 GB of RAM is fairly common. Can’t recommend any specific vendor as each company has its own pros/cons, though I would say Dell’s SonicWall has gone down the toilet.

Well if you just want to see what IPs your LAN devices are communicating with you can enable logging on all your pass rules and then check the firewall log.

If you want more in-depth analysis you can run a packet capture from pfSense (I think it’s under Diagnostics) and then open the file with Wireshark.

To do it in real time you’d have to have a bridge device between the LAN network and pfSense and run Wireshark on that, or if you have a switch that supports port mirroring you can mirror the pfSense LAN port to another computer and run Wireshark on that.

Well, if you just want to see a list of internal address to external address, you could just look at the state table in pfSense.

Also, you could install the darkstat (I think it’s called) package on pfSense, which will log traffic and display it in a human-readable way (stuff like how much traffic to and from each IP, etc.).


OP, I send syslog (and Snort logs) to a Splunk instance. But you do not need to invest in any of that; you can download the ntopng package, it’s pretty fricken neat.

But now that @Dexter_Kane mentions darkstat I gotta give that a shot.

Now, if I could find a way to automate what a Splunk search deems a network scan into a firewall rule for the src_ip, that would be awesome, kind of like fail2ban for SSH.

This is essentially what Snort or Suricata does.

Wait, what? I know they have definitions, but are there settings where if X src_ip has Y amount of ports hit in Z amount of time, it blocks?

There are rules for detecting port scans and other types of information gathering attacks. I don’t know exactly how the rules work but I imagine it’s something like that.

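The "X src_ip hits Y ports in Z seconds" idea from the posts above, as an added example that is not from anyone in this thread: a small detector that slides a time window over firewall block-log lines and reports sources that touched more than a threshold of distinct destination ports. The log line layout is constructed for illustration and is not pfSense's real filterlog format.

```python
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample block-log lines (NOT real pfSense filterlog output):
# <iso-time> <action> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2024-01-01T12:00:00 block tcp 203.0.113.5:44321 -> 192.0.2.10:22
2024-01-01T12:00:01 block tcp 203.0.113.5:44322 -> 192.0.2.10:23
2024-01-01T12:00:02 block tcp 203.0.113.5:44323 -> 192.0.2.10:80
2024-01-01T12:00:03 block tcp 203.0.113.5:44324 -> 192.0.2.10:443
2024-01-01T12:00:04 block tcp 203.0.113.5:44325 -> 192.0.2.10:3389
2024-01-01T12:00:05 block tcp 198.51.100.7:51000 -> 192.0.2.10:80
2024-01-01T12:05:00 block tcp 198.51.100.7:51001 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["dport"] = int(d["dport"])
    return d

def find_scanners(log_text, max_ports=4, window_s=60):
    """Return {src_ip: distinct_ports} for sources that hit more than max_ports
    distinct destination ports within any window_s-second window (Y and Z)."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    offenders = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["action"] != "block":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        # Drop events that fell out of the window; q is never empty here.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > max_ports:
            offenders[ev["src"]] = max(offenders.get(ev["src"], 0), len(ports))
    return offenders
```

With the sample above, 203.0.113.5 (five ports in five seconds) is flagged while 198.51.100.7 (two ports five minutes apart) is not; feeding the offender list into a pfSense alias or block rule would be the automation step the thread asks about.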

This is what I’ve done. The only headache I see with “temp block” is that not all users invest much in hardware with pfSense when starting out; on lower-end hardware your mileage starts to vary and performance will take a drop. (Most “home” pfSense builds I read about are on the Celeron N/J side; if someone is using a Pentium G or higher there is plenty of headroom for aggressive blocking.)

All the responses answer my questions. This thread can be closed. Thank you all!

There used to be something called ip-audit… not sure if it’s still around…

Found it