I’m looking to deploy a simple appliance in our home network to monitor and, if required, block some WIFI traffic of our children’s devices. So far I’ve tried OPNSense, which I didn’t manage to get running with the RTL8812AU-based WIFI stick, and OpenWRT, where I wasn’t able to find adequate monitoring tools. Now I’m trying IPFire. The installation is on a small x86_64 machine that has two Ethernet ports (one for “WAN” that actually connects to our internet router and one spare for LAN) and an ASUS USB-AC56 WIFI stick to serve as an access point.
The setup went very smoothly, all the network interfaces (including the WIFI stick) were immediately recognized. AP setup also went fine after installing hostapd and the WIFI appears to work well, of course within the limits of this relatively old WIFI stick.
But what I’m struggling with now is how to configure and use the features for which I’m doing all this, namely being able to monitor the traffic. I’d like to see what sites were accessed recently, with the data either coming from the DNS resolver or based on the accessed IP addresses (or both). I don’t need to get very deep insights, the domains themselves would already be fine. An option that works without needing to configure a web proxy on the client devices would also be preferable.
My feeling is that I’m just missing something obvious, as I think I’m not the only one looking for such insights. But I haven’t managed to find it…
My questions:
Does IPFire provide some kind of host-resolved traffic monitor out of the box or via a supported plugin?
Is there a log of DNS requests available in the WUI?
Hello and welcome to the IPFire community.
For what you’re asking, you’ll need to perform some system configurations.
First, you need to ensure that each connected client routes its traffic through the proxy.
To do this, I invite you to read the guide:
Another configuration you’ll need to perform is to block the use of DNS servers that aren’t managed by IPFire.
Thanks again for the suggestions. I followed the guide to configure the proxy and tested it with my mobile. It appears to work, but:
My phone runs on Android and when I just connect to a WIFI network, it defaults to no proxy; so I need to manually edit the settings, set it to “Proxy Auto-Config” AND enter the full URL to the “proxy.pac” file, which kind of defeats the purpose of the auto configuration…
With most traffic going over HTTPS nowadays, the proxy logs reveal little more than just the DNS names (as expected).
As far as I see, I can only get the Proxy logs as a list of accesses, with no further processing/summarization by default.
Maybe I should just describe what I’m looking for: I’d like to get a list of domains that were accessed, optionally filtered by the client address that requested them. To make the view useful, some aggregation would certainly be required, like “last access”, “DNS hits”, “Bytes downloaded” and “Bytes uploaded” or something in this way, with sorting capabilities. A feature to directly block a host based on DNS or host address from this list using a firewall rule would be a nice-to-have, but not a requirement; I could add the necessary firewall rules manually if required.
Since all the traffic flows through the firewall, it should be rather straightforward to get the data; it’s more about having a feature to aggregate and display the results in an easy way.
Does IPFire provide this natively, or is there a plugin to get this?
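Added example, not part of the thread and not IPFire's own code: one way to build the per-client, per-domain summary asked for above from the proxy logs, assuming they are in Squid's native access.log format (IPFire's web proxy is Squid). The log lines are constructed samples and the function names are hypothetical; the byte count is the size field Squid logs per request, so there is no separate upload figure.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (assumption):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.100    250 192.168.2.15 TCP_TUNNEL/200 5120 CONNECT video.example.com:443 - HIER_DIRECT/203.0.113.10 -
1700000060.200    120 192.168.2.15 TCP_MISS/200 2048 GET http://news.example.org/index.html - HIER_DIRECT/203.0.113.20 text/html
1700000120.300    900 192.168.2.15 TCP_TUNNEL/200 10240 CONNECT video.example.com:443 - HIER_DIRECT/203.0.113.10 -
1700000180.400     80 192.168.2.22 TCP_TUNNEL/200 1024 CONNECT chat.example.net:443 - HIER_DIRECT/203.0.113.30 -
this line is truncated
"""

def host_of(method, url):
    """Return the lower-cased host name from a logged request target."""
    if method == "CONNECT":  # HTTPS tunnels are logged as host:port only
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or url).lower()

def aggregate(lines, client=None):
    """Sum hits and bytes per (client, domain); optionally keep one client."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "last": 0.0})
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue  # skip truncated or malformed lines
        try:
            ts, size = float(f[0]), int(f[4])
        except ValueError:
            continue
        if client and f[2] != client:
            continue
        entry = stats[(f[2], host_of(f[5], f[6]))]
        entry["hits"] += 1
        entry["bytes"] += size
        entry["last"] = max(entry["last"], ts)
    return dict(stats)

def report(stats):
    """Return rows (client, domain, hits, bytes, last access UTC), largest first."""
    rows = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(c, d, s["hits"], s["bytes"],
             datetime.fromtimestamp(s["last"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
            for (c, d), s in rows]

if __name__ == "__main__":
    for row in report(aggregate(SAMPLE_LOG.splitlines())):
        print("{:<15} {:<20} hits={:<3} bytes={:<7} last={}".format(*row))
```

To run it over a real log, pass the open log file to `aggregate()` in place of the sample lines.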
I’ve now just bought an off-the-shelf access point (TP-Link AX55), which provides better WIFI coverage and lets me see and block traffic. It probably just aggregates and filters by DNS, but that’s ok. So the “problem” is solved for me, but in case there is a good way with IPFire to do this, it might still be worth posting it here for reference.
Indeed, the AX55 can operate either as a router or as a true access point. Analysis/filtering is not available in access point mode, so yes, we’re actually running it in router mode and the WIFI clients are in a different subnet than the wired clients. But this doesn’t matter for us, we’re using it as if it was only an access point that is connected behind the internet router.