ntopng on pfSense & OPNsense

ntopng is a high-speed network traffic analyzer — live flows, top talkers, per-host and per-application breakdowns, geolocation, and historical timeseries, all from a web dashboard running directly on your firewall. Where syslog tells you what a firewall did, ntopng shows you what the traffic is. This guide installs and configures ntopng on both platforms, noting where their approaches diverge sharply: OPNsense has a clean supported plugin, while pfSense's built-in package is best replaced with the upstream build.

Tool: ntopng (+ Redis)  ·  Platforms: pfSense · OPNsense  ·  UI: web on port 3000
01 — How ntopng Fits on a Firewall

ntopng sniffs packets on the interfaces you point it at and builds a real-time picture of every flow. It needs a companion Redis instance for its key-value store, and it writes timeseries data to disk. On a firewall it most commonly watches the LAN and WAN interfaces to see traffic in both directions.

| Component | Role |
| --- | --- |
| ntopng | Captures and analyzes traffic; serves the web dashboard (default port 3000) |
| Redis | Required dependency — backing store for ntopng's state and counters |
| nProbe (optional) | Lightweight flow exporter, for the "offload to a bigger box" model in section 07 |

⚠  ntopng writes traffic data to the firewall's disk. On appliances with small storage (many SG/embedded units), an unbounded timeseries set can fill the disk and destabilise the system. Limit how much it retains, or use the nProbe-to-remote-ntopng model for anything beyond a modest network.
02 — OPNsense: Install the Plugin & Redis

OPNsense ships a maintained ntopng plugin, so this is the smoother of the two. Redis is a hard dependency and installs as its own plugin. Do Redis first.

| Step | Action |
| --- | --- |
| 1 | System → Firmware → Plugins, install os-redis |
| 2 | Services → Redis, tick Enable Redis, click Apply |
| 3 | Back in Plugins, install os-ntopng |
| 4 | Log out and back in so the new Services → ntopng menu appears |

ℹ  If you skip Redis you'll get a warning in ntopng's own menu and the service won't run. The plugin won't install Redis for you — enabling the os-redis service is the one prerequisite that makes everything else work.
03 — OPNsense: Configure & Start

Go to Services → ntopng → General, turn on Advanced mode, enable the service, choose interfaces, and set the admin password.

| Field | Value |
| --- | --- |
| Enable advanced mode | Yes (exposes the interface selector) |
| Enable ntopng | Yes |
| Interfaces | Select LAN (and WAN if you want both directions) |
| HTTP port | 3000 (default) |
| Admin password | Set a strong one — it's the dashboard login |

Click Save, then confirm under System → Diagnostics → Services that ntopng is running. Browse to http://your-firewall-ip:3000 and log in as admin with the password you set; you'll be prompted to change it on first login.

ℹ  If the interface selector is empty or network discovery shows nothing, that's a known plugin quirk on some releases. You can still pick interfaces inside ntopng's own UI — but note that explicitly setting an interface in the plugin means only that interface appears in the ntopng UI afterward.
04 — pfSense: Why Not the Built-in Package

pfSense lists an ntopng package in System → Package Manager, configured under Diagnostics → ntopng Settings (enable service, set admin password, pick the LAN interface). It's the quickest path and fine for a quick look — but it has a long track record of problems.

| Known issue | Effect |
| --- | --- |
| Stale version | The packaged build lags far behind upstream ntopng |
| Config wiped on restart | On some versions a service restart loses interface renames, alert endpoints, etc. |
| Instability | Reports of the service repeatedly restarting or running slowly |

ℹ  If you just want a fast look and don't mind the rough edges, install the GUI package, set it up under Diagnostics → ntopng Settings, and skip to section 06. For anything you'll rely on, use the upstream build in the next section instead.
05 — pfSense: Install the Upstream Build

The reliable route on pfSense is the official ntop.org FreeBSD build, installed from the shell. SSH in or use the console and choose option 8 (Shell). First remove any GUI-installed ntopng so the package manager doesn't try to pull out system components.

Remove the built-in package first (if present)

```shell
pkg remove ntopng
rm -rf /var/db/ntopng
```

pfSense Plus only: trust the ntop repo certificate

```
# /usr/local/etc/pkg/repos/ntop.conf
ntop: {
  env: { SSL_CA_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt },
  fingerprints: "/usr/local/etc/pkg/fingerprints/ntop",
  url: "https://packages.ntop.org/FreeBSD/${ABI}/latest",
  signature_type: "fingerprints",
  priority: 100,
  enabled: yes
}
```

Install ntopng + redis

```shell
pkg update
pkg install ntopng redis
```
⚠  Match the ntop repository to your pfSense's FreeBSD base (e.g. FreeBSD 14 for pfSense CE 2.7 / current Plus). The exact pkg add bootstrap command is on packages.ntop.org/FreeBSD — copy the one for your edition. Installing a mismatched ABI is the usual cause of failed installs.
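A preflight for the two things this step depends on, as an added example (not tooling from ntop or pfSense): that the repo definition still enforces fingerprint signature checking, and that a bootstrap URL targets this system's ABI. The function names are hypothetical, and the URL shape is assumed to follow the `url:` line in ntop.conf above.

```shell
#!/bin/sh
# Added example: preflight checks before installing from the ntop FreeBSD repo.
# Function names are illustrative; run on the firewall, where `pkg` exists.

REPO_CONF="${REPO_CONF:-/usr/local/etc/pkg/repos/ntop.conf}"

# ABI string that pkg uses on this system, e.g. FreeBSD:14:amd64.
system_abi() {
    pkg config ABI
}

# Extract the ABI path component from a packages.ntop.org FreeBSD URL.
abi_from_url() {
    printf '%s\n' "$1" |
        sed -n 's#^https://packages\.ntop\.org/FreeBSD/\([^/]*\)/.*#\1#p'
}

# 0 = URL matches system ABI $2, 1 = mismatch, 2 = no ABI found in URL.
check_url_abi() {
    abi=$(abi_from_url "$1")
    case "$abi" in
        '')              echo "no ABI component in: $1"; return 2 ;;
        '${ABI}'|"$2")   echo "ok: URL resolves to $2"; return 0 ;;
        *)               echo "mismatch: URL is $abi, system is $2"; return 1 ;;
    esac
}

# 0 only if the repo file is enabled AND pins packages to trusted fingerprints.
repo_conf_is_pinned() {
    grep -Eqs 'signature_type:[[:space:]]*"fingerprints"' "$1" &&
    grep -Eqs 'fingerprints:[[:space:]]*"/[^"]+"' "$1" &&
    grep -Eqs 'enabled:[[:space:]]*yes' "$1"
}

# Run on the firewall as: sh preflight.sh run '<bootstrap URL>'
if [ "${1:-}" = "run" ]; then
    repo_conf_is_pinned "$REPO_CONF" || echo "WARNING: $REPO_CONF does not enforce fingerprints"
    check_url_abi "$2" "$(system_abi)"
fi
```

A mismatch result means the bootstrap command was copied for a different FreeBSD base than the one this firewall runs.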
06 — pfSense: Configure, Enable & Persist

Copy the sample config, then enable both services. ntopng depends on Redis, so Redis must come up first.

Create the config

```shell
cp /usr/local/etc/ntopng/ntopng.conf.sample /usr/local/etc/ntopng/ntopng.conf
chown ntopng:ntopng /usr/local/etc/ntopng/ntopng.conf
```

Find your interface names, then edit the config

```shell
ntopng -h    # lists capturable interfaces (e.g. em0, igb1, vlan10)
# In ntopng.conf set, for example:
#   -i=igb1        (LAN)
#   -i=igb0        (WAN)
#   -w=3000        (web UI port)
#   --community    (run in free Community mode)
```

Enable services

```shell
sysrc redis_enable="YES"
sysrc ntopng_enable="YES"
service redis start
service ntopng start
```
⚠  pfSense ignores standard rc.d scripts at boot, so a shell-installed ntopng won't survive a reboot on its own. Install the Shellcmd package (System → Package Manager) and add start commands there so Redis and ntopng come back after a restart.
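The boot-time start command for Shellcmd, written out as an added example (not code from the original page or from the pfSense or ntop projects): it starts Redis, waits until it answers a ping, and only then starts ntopng. The script path, the `SVC`, `REDIS_PROBE` and `WAIT_SECS` variables and the 30-second timeout are assumptions, as is a Redis listening on its default local port without a password.

```shell
#!/bin/sh
# Added example: boot-time starter for a shell-installed ntopng on pfSense.
# Save it (e.g. as /root/start-ntopng.sh, a hypothetical path) and give
# Shellcmd the command:  /bin/sh /root/start-ntopng.sh run
# SVC, REDIS_PROBE and WAIT_SECS are overridable so the logic can be tested.

SVC="${SVC:-/usr/sbin/service}"
REDIS_PROBE="${REDIS_PROBE:-/usr/local/bin/redis-cli ping}"  # prints PONG when ready
WAIT_SECS="${WAIT_SECS:-30}"

# Start rc.d service $1 unless it is already running.
ensure_started() {
    $SVC "$1" status >/dev/null 2>&1 || $SVC "$1" start
}

# Poll once per second until Redis answers PONG; returns 1 on timeout.
wait_for_redis() {
    tries=0
    while [ "$tries" -lt "$WAIT_SECS" ]; do
        [ "$($REDIS_PROBE 2>/dev/null)" = "PONG" ] && return 0
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

# Redis first, ntopng only once Redis is answering.
# Returns 0 ok, 1 Redis failed to start, 2 Redis never answered, 3 ntopng failed.
start_ntopng_stack() {
    ensure_started redis || return 1
    if ! wait_for_redis; then
        echo "redis not answering after ${WAIT_SECS}s; ntopng not started" >&2
        return 2
    fi
    ensure_started ntopng || return 3
    return 0
}

if [ "${1:-}" = "run" ]; then
    start_ntopng_stack
fi
```

The distinct return codes make it clear from the boot log whether Redis or ntopng was the service that failed to come up.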

Browse to https://your-firewall-ip:3000 and log in (default admin / admin on a fresh upstream install — change it immediately).

07 — Large Networks: Offload with nProbe

Running full ntopng analysis and on-disk timeseries directly on a busy firewall competes with the firewall's real job and can exhaust storage. ntop's recommended pattern for larger networks splits the work.

| Where | Runs |
| --- | --- |
| On the firewall | nProbe — lightweight, low-resource flow exporter, minimal disk use |
| On a LAN host / VM | ntopng — receives the exported flows, does the heavy analysis and storage |

nProbe exists as a plugin on OPNsense (os-nprobe) and from the same ntop FreeBSD repo on pfSense. The firewall stays lean; the analytics box can be sized for retention. This is the right architecture once a single firewall-hosted ntopng starts struggling.

ℹ  The dedicated-box approach also sidesteps the whole pfSense packaging mess: run ntopng in a container or on a small Linux VM, and the firewall only needs the tiny flow exporter.
08 — Using the Dashboard

Once traffic is flowing, the ntopng UI gives you live and historical visibility. A few starting points:

| View | What it shows |
| --- | --- |
| Dashboard | Live top talkers, top applications, throughput at a glance |
| Hosts | Per-host traffic, contacted peers, protocols, and risk indicators |
| Flows | Active flows in real time — source, dest, protocol, bytes |
| Interfaces | Per-interface stats; switch between the interfaces you enabled |
| Alerts | Triggered behavioural and threshold alerts |

ℹ  For naming and geolocation, set a DNS resolution mode and load the MaxMind GeoLite2 databases (the pfSense GUI package has an Update GeoIP Data button; upstream/OPNsense need the GeoLite files placed manually). Without geolocation, the world-map and country views stay empty.

09 — Reference & Troubleshooting

| Item / Symptom | Value / Fix |
| --- | --- |
| Web UI | http(s)://firewall-ip:3000 |
| Dependency | Redis must be installed and running first |
| OPNsense install | Plugins: os-redis + os-ntopng; configure under Services → ntopng |
| pfSense (reliable) | Upstream ntop.org FreeBSD build via shell + Shellcmd for boot |
| Service won't start | Check Redis is up; check redis.conf dir /var/db/redis/ |
| No interfaces listed | Run ntopng -h; set them in config (pfSense) or in ntopng UI (OPNsense) |
| Disk filling up | Limit retained timeseries, or move analysis off-box via nProbe |
| Config lost on restart | Symptom of the buggy pfSense GUI package — switch to the upstream build |
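
A cron-able guard for the "Disk filling up" row and the storage warning in section 01, as an added example rather than anything shipped by ntop, pfSense or OPNsense. The data directory is the /var/db/ntopng path from section 05; both thresholds and the script name are assumptions to tune per appliance.

```shell
#!/bin/sh
# Added example: disk guard for ntopng's on-disk data, meant for cron.
# DATA_DIR and both limits are assumptions; set them for your appliance.

DATA_DIR="${DATA_DIR:-/var/db/ntopng}"   # data path named in the pfSense steps
MAX_FS_PCT="${MAX_FS_PCT:-85}"           # act when the filesystem is this full
MAX_DIR_KB="${MAX_DIR_KB:-2097152}"      # cap for ntopng data, in KiB (2 GiB)

# Percent used on the filesystem that holds $1 (POSIX `df -P`, column 5).
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Total size of directory $1 in KiB.
dir_size_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Print one status line for $1 given limits $2 (percent) and $3 (KiB).
# Returns 0 ok, 1 data dir over its cap, 2 filesystem nearly full, 3 no such dir.
check_ntopng_disk() {
    [ -d "$1" ] || { echo "UNKNOWN $1 does not exist"; return 3; }
    pct=$(fs_used_pct "$1")
    kb=$(dir_size_kb "$1")
    if [ "$pct" -ge "$2" ]; then
        echo "CRITICAL filesystem ${pct}% full (limit $2%), ntopng data ${kb} KiB"
        return 2
    elif [ "$kb" -gt "$3" ]; then
        echo "WARNING ntopng data ${kb} KiB is over the $3 KiB cap"
        return 1
    fi
    echo "OK filesystem ${pct}% full, ntopng data ${kb} KiB"
}

# From cron: sh ntopng-diskguard.sh check  (non-zero exit signals a problem)
if [ "${1:-}" = "check" ]; then
    check_ntopng_disk "$DATA_DIR" "$MAX_FS_PCT" "$MAX_DIR_KB"
fi
```

The filesystem check runs first because a nearly full disk threatens the firewall itself, whatever share of it ntopng is using.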