Why not use Macvlan and join your Dockers to that rather than a bridge to Tailscale or Cloudflared? Then they are broken out so you can apply monitoring.
I use Pi-Hole & NextDNS for all my DNS and I check once a week, for extra security I run a Fortigate 61E with AV/IPS and of course VLAN just for IoT and NVR.
Do you monitor network traffic?
Generally, no. But I seriously restrict container networking, most of my containers are unable to reach internet, unless absolutely necessary. Also, my firewall is not super-restrictive, but it is different from defaults :)
Sometimes I do some monitoring though.
RemindMe! 5 days
You probably want something like netgenius one. That's enterprise grade but might be a good starting point to research. Alternatively you could look at ips/ids systems that can apply a set of definitions or rules to the analysis, ubiquiti or fortinet has some solutions for this sort of thing but I'm sure there are alternatives out there which would be better depending on your needs.
You are kind of asking several questions here though and may need to clarify a bit what goal you have in mind for the solution you are looking for.
I use cadvisor to get stats and Prometheus and grafana. Works very well
I have my Unifi Switch mirror the trunk port and send that to Splunk Stream, but I haven't found it that useless to have that level of data.
I use my fortigate router as it logs everything natively. Logs DNS request, outbound traffic, internal lan local traffic, and so much more
Zabbx agent on my docker host, can monitor traffic per container.
It seems as if you would like to see all traffic identified up to layer 7. That is pretty much enterprise level traffic inspection. I’ve done a lot of it on the edge of our network using a Palo Alto firewall with pretty much all software licenses enabled. I could create full blown reports of single users and/or applications. I sure did point out some co-workers ánd applications who where misbehaving on our network.
Following
RemindMe! 3 days
Ok it’s time bro
Awesome, thank you mate 😉🤝
ReminMe! 2 days
RemindMe! 2 days
I do. I monitor it in a lot of ways.
Wireguard and Cloudflare Tunnels make network traffic monitoring difficult because it's all encrypted traffic.
What do you use for l7 firewalls?
I would suggest looking at Wazuh and setting up a SIEM stack based on it. It would provide what you need and is highly customisable to needs.
I’ve gone down this rabbit hole and have yet to find a solution I like. The only routes I haven’t gone down yet are the grey log or sec onion, as the learning curve is steep.
I do use crowdsec and that has been semi-helpful at showing me where a scanner is trying to poke around and on what service.
I currently use ntopng’s community version and that’s been acceptable for now. Some parts are a bit confusing and the documentation didn’t help me understand, but the tables are really well laid out and I can easily see the server/cliebt relationship with in and outbound traffic. I’ll try and share screenshots of how it looks for me to see if that helps you.
Depending on what you run for a perimeter device, but elasticsearch is free and can give you incredible visibility into your network.
That said, it can be a bit of a beast to learn.
Simpler deployment is how I have it, running as Zenarmor Sensei inside my opnsense router/firewall which IS my edge.
There's also Prometheus and grafana. Grey log.
Lots and lots of options however, just need to feed these log engines your syslogs.
That's the magic ticket!
I have been using libreNMS for over four years and love it. I started to play with checkmk for its agent but found the network side of checkmk is also lovely/easy to work with. I recommend looking at either of these. Both can run in docker or docker-compose.
RemindMe! 8 hours
Securityonion is a great ids system. I used their distributed system, so I have 1 mini pc as a sensor and another as a manager/search. Works wonderful.
I have a pfsense and use ntopng
RemindMe! 7 days
I own a WISP with about 100 clients and admin another wisp/fisp with around 500 clients.
I love "the dude" by mikrotik. It pulls data via SNMP and gives me a great heads up overview of everything. it also graphs the data over time.
I use LibreMNS also to pull network data via SNMP and it graphs historical data.
RemindMe! 3 days
RemindMe! 2 Days
Easy, set up a mail server, then 98% of your traffic will be inbound attack attempts on that. Like mine...
Do you mean I should monitor my email server running on a XP?
Yep, monitoring in multiple places with Zabbix
I have pfSense as well (soon to be OPNsense) and that shows traffic per network it's connected to, so that's great for live traffic
Zabbix monitors the networks and collects traffic data
Zabbix also monitors all containers and their network traffic
I was recently thinking about setting up a transparent squid proxy at router level, I'm curious if it could be useful in this context.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
For Example
We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
Useful Lists