nprobe and local network NAT questions

[jult]

A setup for a workplace I manage involves:

• A debian 12 router, with 10 physical interfaces;
  1 is connected to a (CGNAT) internet modem, we have named it "wan".
  All other 9 physical interfaces are members of a (virtual) bridge interface, and (for now) only use 1 subnet (192.168.1.0/24). There are around 210 devices in the LAN, all using this same subnet. The 9 interfaces are connecting to several switches further on.
  This debian router does NAT between the wan interface and bridge interface using this nftables.conf:

#!/usr/sbin/nft -f

# Flush existing rules
flush ruleset

# Define NAT table for IPv4
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        policy accept;

        # NAT for the WAN interface
        oifname "wan" masquerade
    }
}

# Forwarding rules to allow traffic through the router

table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Forward traffic from LAN (br0) to WAN (eth0)
        iifname "brs0" oifname "wan" accept

        # Forward traffic from WAN (eth0) to LAN (br0)
        iifname "wan" oifname "brs0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

On the same host we have ntopng running with this config:

# cat /etc/ntopng/ntopng.conf

-i=tcp://127.0.0.1:5556
-m=192.168.1.0/24
-n=1
-F=clickhouse
-G=/run/ntopng.pid
-w=3000
-q=
-e=
-d=/mnt/ssdx/ntopng
-X=32000
-x=8000

and nprobe:

# cat /etc/nprobe/nprobe.conf

--zmq=tcp://*:5556
-i=wan
-i=brs0
-n=none
-T=@NTOPNG@
-G=/run/nprobe.pid

We have set both the wan and the bridge interface in nprobe, because when we'd only set wan, we would not see any LAN devices at all.

Is this the right configuration for this NAT setup? How does nprobe deal with local NAT?

When we'd like to see a list showing traffic excluding the LAN to LAN bytes (strictly limiting it to LAN>WAN and WAN>LAN traffic), we are not sure how to accomplish this, or if it does that already when we see "Top Local Hosts". Looks like it's also counting the LAN <-> LAN flows there now. Any advice on this is welcome. Yes, we can create Traffic profiles, but that's not shown in Traffic Reports (or any of the templates we create for it).

Also, the config options in ntopng are confusing us:

Use Post-Nat Destination IPv4 Addresses and Ports
Replace IPv4 destination addresses (%IPV4_DST_ADDR) and ports (%L4_DST_PORT) with their post-nat values (%POST_NAT_DST_IPV4_ADDR and %POST_NAT_DST_TRANSPORT_PORT).

Use Post-Nat Source IPv4 Addresses and Ports
Replace IPv4 source addresses (%IPV4_SRC_ADDR) and ports (%L4_SRC_PORT) with their post-nat values (%POST_NAT_SRC_IPV4_ADDR and %POST_NAT_SRC_TRANSPORT_PORT).

Should we enable these (since our wan interface gets a CGNAT address. not a public IP) or better yet: Does this work for the localized NAT on this host as well?

Any advice on this is welcome. Thanks in advance, and I bet you more users would benefit, as it's not really clear from the docs how to deal with NAT when it happens on the same host where flows are collected.