SNMP Bandwidth Monitoring with Node-Red

This is an example of how to monitor the bandwidth usage of a firewall. The data is queried via SNMP from the firewall and visualized via Node-Red. Firewall System in this case is an OPNSense.

SNMP Bandwidth Monitoring Flow with Node-Red

The background: On Linux systems you can’t query utilization via SNMP. You can just query the number of octets transmitted or received on a specific interface.

The trick: Query the octets of input and output interface, wait for 1 second and check query again. Then subtract both values from each other and convert them to MBit/s.

Here are the single node configurations for the Input Utilization:
Start with Inject node: Mark inject once after 0.1 seconds and set repeat to 2 seconds.
SNMP node (WAN interface input): OID 1.3.6.1.2.1.2.2.1.10.1 (beware: no leading dot)
Split node (split): default
Change node: Move msg.payload.value to msg.payload
Head over to the Delay node: Configure a 1 second delay
Add another SNMP, Split and Change Node with same parameters as above
Combine both Change nodes with a Join node (Input): Manual Mode, combine each msg.payload to create an array after a number of message parts: 2
Add a function node to calculate the bandwidth utilization:

msg.payload = msg.payload[1] – msg.payload[0];
msg.payload = msg.payload / 1048576 * 8;
return msg;

At least (for input) add a chart node, label it input and configure x-axis last 1 minute.
To add another graph for Output, just copy and paste the flow above and change the OID in the two SNMP nodes to OID 1.3.6.1.2.1.2.2.1.16.1 for outgoing packets.

Node-Red Dashboard: Bandwidth Utilization WAN Interface

OPNSense / pfSense High Availability

If you have problems with High Availability, CARP and DHCP failover on pfSense or OPNSense, you should check that the interfaces on both systems are the same. It is not the freely assigned interface name that counts, but the names that the system assigned during the initial setup (OPT1, OPT2, and so on). So, if interface VLAN10 on Master is OPT1 and VLAN10 on Backup is OPT2, then some functions like DHCP synchronization will not work! You will see errors like:
„DHCP rejected: Connection rejected, invalid failover partner“ or
„[…] rejected: Connection rejected, invalid failover partner.“ or
„dhcp failover peer state unknown“
It does not matter that the IP connection works! The (system) names of the interfaces are relevant.

Monitoring PV energy generation, consumption, import and export

Since 2013 we have a photovoltaic system with 5.2kWp on our houses roof. In combination with the SMA inverter it was not a big deal to monitor the PV output. There is a webpage of SMA where you can see the outputs for every day, month and year. The inverter itself sends the data to the SMA servers.

Now I wanted to montitor and visualize all the data by myself. And not only the PV output but also the energy consumption. Which means additionally power import and export. To get these data I installed the SMA Energy Meter. With this piece of hardware you are able to monitor the energy flow for every phase in your house. The measured values are then broadcasted, or better multicasted, to your local lan.

I wrote a little programm to receive these multicasts, extract the interesting values and save them in a SQLite database. Additionally I used the SBFSpot tool to get the current PV output from the inverter. The current PV output will also be saved in a SQLite DB. A small webpage collect all the data from the database and visualize them with Highcharts.

Here are some screenshots of the beta version. It also runs quite fast on a Rasperry Pi 2, but currently I use it on Ubuntu 14.04 LTS.

PV Output, Energy Export and Import.
PV Output, Energy Export and Import.

PV Output, Energy Export and Import.
PV Output, Energy Export and Import (Zoom in/Extract)

PV Output only
PV Output only

Shuttle DS57U Network Performance Tests with iperf

Did some network performance tests with my new Shuttle DS57U. I installed the actual IP Fire 2.17 Core Update 89 on a 16GB SDHC Card, connected the Intel i211 NIC to internal (green) interface and the Intel i218LM NIC to the external, red Interface. I also started the OpenVPN Server on the external Interface. Here are the results…

1st test. Plain routing:

iperf -c 192.168.0.200 -w 256k -l 256k -P2
————————————————————
Client connecting to 192.168.0.200, TCP port 5001
TCP window size: 256 KByte
————————————————————
[ 4] local 192.168.1.1 port 52004 connected with 192.168.0.200 port 5001
[ 3] local 192.168.1.1 port 52003 connected with 192.168.0.200 port 5001
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.0 sec 562 MBytes 471 Mbits/sec
[ 3] 0.0-10.0 sec 562 MBytes 471 Mbits/sec
[SUM] 0.0-10.0 sec 1.10 GBytes 941 Mbits/sec

2nd test. Download an ISO image from internet. Proxy and URL filter (ad, adv) were active:

DS57U bwm-ng download

DS57U htop download

30MB/s…this is limited to my 250 MBit/s Internet connection :-/

3rd test. OpenVPN Performance:

iperf -c 192.168.1.200 -w 256k -l 256k -t 60
————————————————————
Client connecting to 192.168.1.200, TCP port 5001
TCP window size: 256 KByte
————————————————————
[ 3] local 10.41.21.6 port 54497 connected with 192.168.1.200 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-60.1 sec 648 MBytes 90.6 Mbits/sec

DS57U htop OpenVPN

More Tests (with different Window Sizes, power consumption etc.) and more Screenshots can be found here.

proFTPd – 530 Login incorrect

If you get an 530 Login incorrect when trying to login to your newly installed proFTP Server, then you should check the following:

  • Did you use the „adduser“ dialog to create your FTP user (instead of useradd -p)
  • Did you configure a „RequireValidShell off“ at the end of your proftpd.conf file?
  • LDAP, PEAP, Cisco ACS and BYOD

    BYOD, LDAP and PEAP is a nice combo. Trying to implement this was a little bit tricky. Here are some hints:
    1. If you use an LDAP like OpenLDAP oder Lotus Notes LDAP, then you must use PEAP-GTC as authentication protocol. MSChap won’t work!
    2. With an Apple iOS you cannot configure which phase2 authentication method you want to use. So, if you enable MSChap AND GTC on your ACS, then the iOS Device will use MSChap. This will result in an authentication reject. Disable MSChap authentication protocol on the Cisco ACS to get these devices working because then the iOS Device uses GTC.
    3. Windows 7 has no native GTC support. If you want to authenticate against an OpenLDAP account database, you must install a 3rd party supplicant. If you have an Intel Wireless Card in your Laptop, you can use the Wireless Utilities downloadable on the Intel Website. After installing these Utilities, you can use GTC as an authentication method.
    4. If you get a lot „EAP timeout“ errors in your ACS Logfile, try to change the EAP Timeout Value in the Wireless Settings (i.e. on the WLAN Controller) from 2sec (Default) to 10sec.

    Cloudstation in DSM4.2 with Active Directory Integration

    I tested Cloudstation on my Synology DS212+ last week. But without AD Integration it was not usefull for me. So I installed latest 4.2 Beta and noticed, that you can also add Active Directory users. In 4.1 you are limited to internal users. Thats really great news for a lot of people out there using a Synology NAS in their company.

    Cisco Secure ACS % Repository not found

    If you are wondering about an error message like „Repository not found“ while trying to patch a Cisco Secure ACS System, just check if the replication status of the ACS Instance is in „updated“ and not in „pending“ or „unknown“. You can only apply a patch if the instance is in „updated“ state.

    acs-1/admin# show repository FTP
    % Repository not found

    Cisco ACS