For a medium to large business, I agree that the asus choices can't handle it. Yet, the OP did specifically reference those asus reports. Even you have to admit that there's NOTHING in pfsense that can do that. You can get a significant amount of data if you're willing to add more machines (and different software) for SNMP, consuming netflow, etc. You might be able to get data per IP address (and could, in theory, consolidate that to data per host if MAC addresses are part of the data flow.) You'd still be missing L7 information that the OP referenced.

Of course, at that point, you might as well mirror the WAN and LAN ports and have something extract the needed data from the raw packets. At least that way you'd have the raw packets to do DPI on and get the L7 reports.

...and it's still not something pfSense can do. (At that point, it'd be a completely separate product doing it.)

@sfx2000, don't get the wrong idea from my posts - I'm not bashing pfsense or any other product (except for untangle and the other non-ipv6 compatible products.) I'm responding directly to the OP in regards to the reporting capabilities. I've also clearly stated that for ROUTING capabilities, things like pfsense, routerOS, etc. are superior. However, for reporting of "real time monitoring like bandwidth per client per App" (quote from the OP), at least pfSense doesn't have it, and there's nothing much you can do to add it. The closest I've seen is the incomplete (and out of date) ntopng package.

If I'm wrong, I'm good with that - but just typing that you can add this, that and the other thing without specifics, without examples, and without even screenshots... isn't helpful. Perhaps a link showing something that can be done? A sample report? Anything? To be completely honest, I desperately WANT to be wrong. I'd love to be able to load up a couple pfsense packages and suddenly get real time per host per app usage data. If you remember, it was something I specifically asked for when I started this journey.

...

Look at NASA's FlowViewer, a netflow analyzer which works with anything that can export netflow metadata. Yes, it can view real-time traffic (and I used it with pfSense).

https://sourceforge.net/p/flowviewer/wiki/Home/
 
However, "small" is very relative. It can also be 50 or 75 people - in which case that Asus wireless router might have a hard time. ;) For THAT, you'd certainly want a dedicated box as your router. As well, at that point, those detailed usage monitors are going to be useless, as I seriously doubt that the Asus router (any of them) would have the horsepower to keep live stats on so many users.

Over 50 is already a medium size business. Depending on its nature, the business will have hired an in-house IT support or outsourced to a contractor. Recall OP mentions "wireless disabled" so 50-100 users will be fine for Asus. Just don't browse around AsusWRT GUI that often. I would bet some parts of its GUI e.g. networkmap, DHCP client list etc. might blow up with so many clients. The DPI engine/traffic monitor & statistics part actually may survive a much longer period as it runs in kernel mostly. But with so many users the memory leak will be accelerated and that speeds up its eventual crash.

For small biz, consumer routers are good enough tools for many situations. Biz owners care about their core business more than looking at fancy charts of network statistics.
 
A primary concern with small biz - stability - which you pointed out quite well - don't do this, or it might crash, don't do that, or it might crash - turn on wifi and it might explode with too many associations...

And this/that - isn't that the premise of the OP's ask - in other words, yes it's nice, just don't use it very often... or it might crash...

Going back to OP's ask - reporting is more important for him perhaps - or this is just an exploratory ask... but your response above is a great set of reasons why a Consumer AP/Router isn't the right choice for a small business concern...
 
...another tool that doesn't report per app (level 7) data?

With NetFlow, there are hundreds of apps that can do some really nice reporting, but NOT per app. At best, they'll give a src/dest address, protocol (tcp/udp/icmp/etc) and port number. That MIGHT be enough data to guess what app is being used, but without some form of L7 packet inspection (which either has to happen on the router, or on a mirrored port), it doesn't address the request.
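As an added illustration of the point above (example code, not from any poster in this thread): a constructed NetFlow v5 export is parsed, bytes are summed per client, and the only "app" label available is a port lookup, so the two TLS flows collapse into "https" and the random-port P2P flow is "unknown". The v5 field layout is the standard one; the addresses, ports and byte counts are constructed sample data.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

# Port-based "application" guess: the best a flow collector can do without payload.
PORT_APPS = {443: "https", 80: "http", 53: "dns"}

def build_v5_packet(flows):
    """Pack (src, dst, sport, dport, proto, octets) tuples into one v5 export.
    Constructed sample, not a capture from a real router."""
    hdr = HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    recs = b""
    for src, dst, sport, dport, proto, octets in flows:
        recs += REC.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 0, 0,
                         1, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return hdr + recs

def parse_v5_packet(data):
    """Yield the only fields a v5 record carries: addresses, ports, protocol, counters."""
    version, count, *_ = HDR.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    for i in range(count):
        f = REC.unpack_from(data, HDR.size + i * REC.size)
        yield {"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
               "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]}

def report(data):
    """Per-client bytes are straightforward; per-'app' bytes rest on a port guess only."""
    per_client = defaultdict(int)
    per_app = defaultdict(int)
    for r in parse_v5_packet(data):
        per_client[r["src"]] += r["octets"]
        per_app[PORT_APPS.get(r["dport"], "unknown")] += r["octets"]
    return dict(per_client), dict(per_app)

# Constructed flows: two different TLS services from one host, one P2P client on a random port.
SAMPLE = build_v5_packet([
    ("192.0.2.10", "203.0.113.5", 51000, 443, 6, 5_000_000),
    ("192.0.2.10", "203.0.113.9", 51001, 443, 6, 2_000_000),
    ("192.0.2.20", "198.51.100.7", 6881, 41235, 6, 9_000_000),
])

if __name__ == "__main__":
    print(report(SAMPLE))
```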
 
With routerOS you can use a root shell if you hack it, which involves booting openwrt on it and going through the file system.

But for normal use realtime data is shown as stats on the rules or interfaces or using the dude server package on the routerboard which you can connect to from the client using your PC.
 
I really, really, really need to spend the time to REALLY play with routerOS. I'm close to using up the 24 hour "trial" period on my image and will be popping back into demo mode soon. Hopefully I can still play with some of those things in the really limited demo mode. (Or I can just start with a new VHD image. No guilt on my part when I'm just tinkering with it and not actually routing traffic.)
 
You will need to start with a new image. Still, if you're just learning it before you buy instead of trying it out for your business, then that would be better.

Routing traffic is easy and if you let me know how you want to route traffic I can show you some examples. I have worked up a firewall ruleset for home configuration and taking into account vpn and port forwarding. For QoS there really isn't a one size fits all as it depends on how you set your rule logic and the QoS algorithm you use and how effective you are able to identify your traffic usually using mangle or l7.

As for the routerboard itself if you want to get embedded rather than using x86 or one of those x86 boxes that are made for things like pfsense then I would suggest a multicore routerboard if you wish to run dude on it. That means minimum of rb850gx2 or rb3011 depending on your required throughput.
 
I think you are over-estimating the usefulness of L7 firewalls when encryption is used.

"Normal" firewalls are useful enough.
 
Perhaps, but this is all in reference to reporting and real time reporting, not blocking/allowing traffic.
 

These things are not mutually exclusive.


I think our primary confrontation is that these monitoring solutions are not point-n-click, which is a valid problem. The netflow analyzer I mentioned is not a simple installation (for me), but I am a "power-user" at best, so these enterprise solutions require reading ("Traffic Monitoring" from No Starch Press, IIRC).


Regarding the other complaint; L7 is nonsense (for clients) IMO, but integrating FlowViewer or some other netflow analyzer is probably a great idea.
 
Why is this going around and around in circles? The OP references "per client per app" monitoring on the Asus router - which is L7:
... the most useful is the real time monitoring like bandwidth per client per App that other router does not look like they have...

I recently had the Asus router. In fact, in a different thread, I posted a link to a screenshot of one of those monitoring apps that include L7 data. There's no question whatsoever if it is or isn't L7 data. What it shows, and the (amazingly high) level of accuracy can ONLY be had with deep packet inspection. In fact, when I was playing with it, it was accurate enough to be able to differentiate between P2P clients (showing some traffic as "transmission" and other traffic as "uTorrent" when both of those clients use random ports.)

NetFlow does not have DPI capabilities, as Netflow doesn't export or transmit full packets to a netflow collector, so DPI can't be done.

What absolutely AMAZES me about this thread (and another one) is that no one seems to be willing to just admit that "pfSense (or whatever other router product) can't do it." Instead, there are responses about dedicated management systems costing thousands of dollars (that don't do deep packet inspection), expensive netflow systems (which, again, can't do L7) or... my new favorite: It's nonsense.

Really?

That's SO typical of the kind of crud I see on the pfSense forum. Instead of answering questions that might make pfSense look like a lesser product, people will instead attack a person asking a question with "That's dumb" or "you're an idiot because you want that", etc.

I thought snbforums was a better place. I guess not.

Guess what? PFSENSE CAN'T DO IT. It's also not nonsense. In both homes AND in business, it can be VERY useful to observe not only that traffic exists, but WHAT is using that traffic. When some of that traffic (which can be of interest to businesses) is hiding in SSL encryption, constantly changing IP addresses, and hosts with no PTR records, L7 (or DPI) is the only way to even hope to get a hint that your employees are watching videos, playing online games, posting on social networks, etc.

You think it's nonsense? Then why are you responding in a thread where the OP specifically references it?

(BTW, this was intended to be blunt, but not rude. If it's rude, please accept my apologies.)
 
You are right gary.

There is no solution to your problem.
 
Yes... it can -- http://www.ntop.org/products/traffic-analysis/ntop/

ntopng is the collector, and you can point things to any other packet for data analysis.

To be honest - L7 stuff is outside of the scope of what pfSense generally is intended to do... no big deal - use something else, maybe pfSense isn't meant for you...
THANK YOU for actually addressing the question.

As mentioned earlier in the thread, ntopng is about the closest you'll get with pfsense, and the version currently available as a package (for pfsense) is a bit out of date. It's more of "used alongside of" package instead of something integrated, but it's better than nothing. In fact, I'm trying to look into what might be needed to get it working better with pfSense (including doing the work myself and submitting pull requests.)

BTW, @sfx2000, as I'm sure you don't intend to spread misleading information, I should point out that the video you linked is to a "pro" version (that isn't available as a FreeBSD port) and shows filtering (which isn't available in the pfsense package.) Despite that, it DOES somewhat address the OP's desire.
 
Hi, thank you all for your replies, you were all helpful and have good info. The question I asked is due to 1 customer I have who wants to view what devices/apps are using bandwidth, and I could not find any good quality monitoring in any other router including pfsense. Using ntopng was sluggish; I had to refresh pages sometimes to get the right info, and still, as garyd9 keeps pointing out (and I thank him for understanding my situation), nothing seems to monitor in detail as much as Asus WRT. But I decided I am not going to take the risk of installing a consumer router in a business.
 
@Chrismallia, I don't know if this will work, but try to head over to sophos.com and read up on their "UTM" software. (Not the XG Firewall.) You can get a demo or home license for it, and if you install it between your router and switch (So it wouldn't be acting as a router itself) even on a VM, it _might_ be useful to generate the type of usage reports you're looking for (without the normal license limitations.)

If you have no need for IPv6, you might be able to do something similar with Sophos XG Firewall (also with a free license) or perhaps (as another user mentioned) untangle. (However, I'm not familiar with the fee/license structure of untangle.)

I can't make any promises on how good the data would be. I know those products do L7 reporting, but I don't think they do it as accurately as the asus products do, and I'm not sure if they do it in realtime or not. (Asus gets that from trendnet, right? I wonder if trendnet has a software product for sale for that purpose?)

On the other hand, those products can, I think, generate real printable reports with the data instead of just showing pretty graphs. For many, that would be more useful than having to stare at the screen in real time.
 
Glad to see towards the closing.. I would leave some remark in case future visitors land on this thread.

Seems Asus' DPI based traffic statistics are highly regarded by some and called out as accurate and non-existent on other platforms. None of the statements are true.

From my last check, its classification isn't accurate. Its numbers don't add up. But not bad esp. for a consumer router. The thing that bugs me most is the DPI engine leaks memory. The longer you run, the more you leak, until the router crashes. http://www.snbforums.com/threads/kmalloc-96-memory-leak-in-kernel.32970/

Happy to re-evaluate when Asus fixes the issue.
 
Once upon a time, there was no such thing as consumer gear or business gear or even enterprise gear. There were only specs and requirements--and you matched whatever fit the requirements. I actually still use this approach and recommend it when someone is on the fence between high-end consumer gear and smb gear.

Glad the discussions here resulted in helping the OP. Definitely a lot of information to digest.
 
Hi guys, just want to let everyone here know I tried out Untangle 12.11 as some suggested and it is great. The new reporting is fantastic: you can see in realtime what sessions, bandwidth, sites visited by user or device, how much each device is downloading, most used Apps, and it also has great layer 7 filtering and inspection. Granted, the paid Apps are the way to go if you want a great web filter, bandwidth control, Application control, Bitdefender AV, policy manager and so on, but it is worth it.
 