Ntopng questions

LIGISTX · February 21, 2021, 8:08am

I just installed ntopng, 100% new to this and mostly new to pfsense in general. I am seeing lots of fun alerts and I am not sure if they should be of concern or not… things like this:

I am trying to understand what these mean, and if they are issues I should act upon. I have only opened a single port to the outside word (besides the two that I believe ovpn setup on its own when creating a site to site VPN and a VPN connection to remote into my network with. Just trying to have a better understanding of what I am looking at, and hopefully ease my concern as warnings within networking tools showing connections I don’t know about are obviously concerning - but I am also a noob and am not sure what I am looking at.

LIGISTX · February 21, 2021, 8:09am

Second Image (I can’t paste more than 1 image per post… still a noob 'round these parts).

LTS_Tom · February 21, 2021, 11:26am

LIGISTX · February 21, 2021, 6:54pm

I am still rather confused here. Clicking on any of the “Broadcast Domain”'s in the interface’s section besides my known ISP’s IP, they all “No results found”. I don’t fully understand why there would be “ghost networks” on WAN. Is this just a function of things attempting to hit WAN and being blocked as they should be?

I still have a lot of learning to do with this plugin. Definitely have some youtube watching to do + some reading, but would like to understand what I am looking at here with these warnings.

Also just of quick note, your YT channel did get me using pfsense, setting up site to site VPN’s, vlans, etc (all just for fun homelab usage), so, genuinely, thank you for what you provide - its invaluable

LTS_Tom · February 21, 2021, 10:36pm

Check the ARP table in pfsense and see if there are any entries. ARP Table — pfSense Documentation

LIGISTX · February 22, 2021, 12:07am

Hmm, no entries matching what I see in ntopng, but another strange thing is happening. I see an IP address in the ARP table that keeps popping in and out on one of my subnets, mac address is “(incomplete)”, no hostname, and no status. with Link Type ethernet . What exactly am I even looking at here? I am not sure what device this is as this particular subnet is my homelab network… I definitely know what all of the devices there are, and I do not know what this is. Doesn’t show up in the DHCP list which suggests its not getting a IP through DHCP.

If I go to Diagnostics → states, I do see some udp traffic from this windows PC (20.152) I am using to type this… but I have no idea what machine that this Windows machine is seemingly reaching out to (21.15). I tried to ping it from my PC, I get nothing in return.

Nothing in my homelab is on 21.15 that I know of. The rabbit hole only gets deeper…

Also just to clarify, if I don’t see any ARP hits for the ntop IP’s in question, I should be fine? In ntop they are on my WAN network, but I don’t fully understand what a ghost network would be on WAN.

LTS_Tom · February 22, 2021, 10:23am

Probably something your ISP is doing and as long as you don’t have a WAN rule allowing that network to route inward it should be fine.