Slides for the March 2015 pfSense Hangout video

1. Bandwidth Monitoring
March 2015 Hangout
Jim Pingle

2. Project Notes
● pfSense 2.2.1 is out!
– Security and bug fixes
● pfSense University on-line training
– More classes being added
● New ADI hardware will begin shipping within
the next few weeks
● Hangout software change likely next month

3. About this Hangout
●
Covering Bandwidth Monitoring using built-in methods and add-on packages
● Per-IP and aggregate monitoring
●
RRD Graphs
●
SNMP
●
Traffic Graphs (Widget, Status > Traffic Graphs)
● pftop
●
bandwidthd
●
darkstat
●
iftop
● ntopng
●
vnstat2
●
softflowd / Netflow
●
Not covering proxy-based tracking such as lightsquid or sarg

4. General Notes
● Many packages only allow for monitoring a single interface
– LAN is typically the best to monitor for tracking local user
behavior since it will show the user IP addresses
– In a fully routed setup, either WAN or LAN interfaces may be
monitored. WAN for Internet-bound traffic or LAN to also catch
local traffic
● Some packages such as bandwidthd and softflowd may
only report or graph once bandwidth has reached a certain
usage level. Quiet or practically idle interfaces may not
show any traffic even when there is a little traffic present

5. Monitoring Feature Comparison
Name Multi-I'face Per IP Graphs Built-In GUI NanoBSD Real-Time
RRD Yes No Yes Yes Yes Yes* No
SNMP Yes No n/a Yes Config Yes n/a
Widget/TG Yes Table Yes Yes Yes Yes Yes
pftop Yes * No Yes Yes Yes Yes
bandwidthd No Yes Yes No Yes Maybe No
darkstat Yes Yes I'face only No Yes Yes Both
iftop No * No No No Yes Yes
ntopng Yes Yes Yes No Yes No Both
vnstat2 Yes No Yes No Yes Yes No
Softflowd Yes * n/a No Config Yes n/a

6. RRD Graphs
● Status > RRD Graphs
● Offers historical, per-interface, total traffic, and per-interface
packets per second graphs
● Built into the base system
● Automatic and on by default, but can be disabled
● Stats are generated using pf counters, so they do not work
with the firewall (pf) disabled
● On NanoBSD the graphs are saved during a clean shutdown
or more often if configured to do so
● Data may be backed up in config.xml

7. SNMP
● Services > SNMP
● Enable, set community, etc.
● Requires an external SNMP monitoring system to
poll the SNMP data and produce graphs
– Cacti, Zabbix, many others
● Per-interface data only, not per-IP
● Some programs support near-real-time
throughput graphing depending on polling options

8. Traffic Graphs (Real-Time)
● Status > Traffic Graphs or Dashboard Widget
● Real-time representation of bandwidth on an
interface
● Status > Traffic Graphs has a table with some
momentary per-IP data (inside the interface subnet)
● SVG, requires a compatible browser
● Have to leave the browser open viewing the graph
to see usage over a (short) time span

9. pftop
● Diagnostics > pftop in the GUI
● Run “pftop” from the shell or option #9 at console/ssh menu
● Information is presented from the pf state table in real time
● pf must be enabled for it to function
● Shows traffic info by state, which includes the source IP
address, source port, destination IP address, destination
port
● List can be sorted in various ways: Age, Expiration, Packets,
Rate, Bytes, Source (From), Source Port, Peak, Destination
Port, None, or Destination (To)

10. bandwidthd
● Package – Install as usual
● Services > BandwidthD
● Check Enable, pick one Interface, check Draw Graphs, click Save
● Offers historical Per-IP address graphs with some protocol info (e.g.
HTTP) shown on the graph
● Users have had issues with the package over time (Service stops
running, install or uninstall issues, booting issues)
● Check Output CDF and Recover CDF to ensure data retention
● Does not hook into privilege system – Accessible to anyone that can
reach the GUI port without authentication
● May install on NanoBSD, but not recommended for use there

11. darkstat
● Package – Install as usual
● Diagnostics > Darkstat Settings
● Select Interfaces, click Save
● Click Automatic Reload for real-time total bandwidth usage graph
● Small, fast/light
● Has per-interface graphs but no per-IP graphs
● Has Per-IP totals/stats including a protocol breakdown
● Supports both IPv4 and IPv6
● Does not hook into privilege system
● Runs its own daemon on port 666, open to anyone who can reach the
firewall on that port without authentication

12. iftop
● Package – Install as usual
● Console only, no GUI menu entry or options
● Easy to use from the shell, provides useful real-
time feedback
● Run: iftop -nNpPi em0
● Several views, press T to toggle

13. ntopng
● Package – install as usual
● Quite large/heavy. The 800lb gorilla of monitoring!
● Visit Diagnostics > ntopng settings first!
– Set Password/Confirm, Interfaces, click Change.
– Set other options as desired
● To view data, visit Diagnostics > ntopng
● Runs its own daemon on port 3000 but includes its own
authentication system. Default credentials are “admin”
and the password set above.
● Has real-time and historical data, per-IP graphs, protocol
data, more information than most people would ever need
● By far the prettiest and best-looking of all options

14. vnstat2
● Package – Install as usual
● Status > vnstat2
● Check box to enable the frontend
● Visit the vnstati tab, pick interface, click Save
● Useful but limited
● Interface summary info and interface graphs, no per-host
data
● Does not hook into the privilege system, accessible to
anyone who can reach the GUI port without authentication

15. softflowd
● Package – install as usual
● Services > softflowd
● Exports netflow data to an external collector such
as nfsen, ntopng on another host, etc.
● The collector records and analyzes data, produces
graphs, etc.
● There is also pfflowd, but it currently does not work
on 2.2, similar to softflowd but uses pf counters.

16. Conclusion
● Several packages can be installed and run
simultaneously but do not install them all
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc