Router Miscellaneous

Monitoring

There are a number of Linux monitoring packages available. For more examples see 13 Linux Performance Monitoring Tools – Part 2 and 30 Linux System Monitoring Tools Every SysAdmin Should Know. Below are a few that I have tried and use.

iftop - display bandwidth usage on an interface by host
Use man iftop to see options.
Typical usage: sudo iftop -i br0

nethogs - Net top tool grouping bandwidth per process
Use man nethogs to see options.
Typical usage: sudo nethogs br0

Darkstat – A Web Based Linux Network Traffic Analyser – is a relatively low resource network analyser. It has a web browser interface and can provide performance statistics for the main interconnection as good as or better than expected from a packaged router. Another reference: How-to monitor system bandwidth usage statistics with Darkstat on Fedora.

The darkstat output can then be seen in a web browser at 192.168.1.1:667.


Glances Options

The best hot key is 'h' which displays/hides the help screen

Below is a list of several hot keys.

  • a – Sort processes automatically
  • c – Sort processes by CPU%
  • m – Sort processes by MEM%
  • p – Sort processes by name
  • i – Sort processes by I/O rate
  • d – Show/hide disk I/O stats
  • f – Show/hide file system stats
  • n – Show/hide network stats
  • s – Show/hide sensors stats
  • y – Show/hide hddtemp stats
  • l – Show/hide logs
  • b – Bytes or bits for network I/O
  • w – Delete warning logs
  • x – Delete warning and critical logs
  • 1 – Global CPU or per-CPU stats
  • h – Show/hide this help screen
  • t – View network I/O as combination
  • u – View cumulative network I/O
  • q – Quit (Esc and Ctrl-C also work)

glances as a service

Set up a systemd unit file for glances as a local web service: sudo vim /lib/systemd/system/glances.service

[Unit]
Description=Glances
Documentation=man:glances(1)
Documentation=https://github.com/nicolargo/glances
After=network.target

[Service]
ExecStart=/usr/bin/glances -w -t 2
Restart=on-abort

[Install]
WantedBy=multi-user.target

After modifying a systemd unit file, reload systemd: systemctl daemon-reload

The glances output can then be seen in a web browser at 192.168.1.1:61208.
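Both the darkstat web interface (port 667, above) and the glances web interface (port 61208) listen without authentication, so on a router they should only be reachable from the LAN side. The following is an added example, not part of the original notes, that renders and loads an nftables ruleset restricting those ports to the LAN bridge; it assumes the br0 bridge and 192.168.1.0/24 subnet used on this page, and the table name "router_mon" is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: keep the darkstat (port 667)
# and glances (port 61208) web interfaces reachable from the LAN bridge only.
# Assumptions: LAN bridge br0 and subnet 192.168.1.0/24 as used on this page;
# the table name "router_mon" is made up for this example.

# Render an nftables ruleset: $1 = LAN interface, $2 = LAN subnet,
# $3 = comma-separated TCP ports of the monitoring web UIs.
mon_nft_rules() {
    lan_if=$1; lan_net=$2; ports=$3
    cat <<EOF
table inet router_mon {
    chain input {
        type filter hook input priority filter; policy accept;
        # Only hosts on the LAN bridge may talk to the monitoring UIs.
        iifname "$lan_if" ip saddr $lan_net tcp dport { $ports } accept
        # Anything else (WAN side, other interfaces, LAN addresses arriving
        # on the wrong interface) is dropped before it reaches them.
        tcp dport { $ports } drop
    }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (nft -c), or load it.
# A drop here is final even though the router's main input chain also runs.
mon_nft_check() { mon_nft_rules "$@" | nft -c -f - ; }
mon_nft_apply() { mon_nft_rules "$@" | nft -f - ; }

# Usage when run directly on the router (script name is hypothetical):
#   sh mon-fw.sh check      or      sudo sh mon-fw.sh apply
case "${1:-}" in
    check) mon_nft_check br0 192.168.1.0/24 "667, 61208" ;;
    apply) mon_nft_apply br0 192.168.1.0/24 "667, 61208" ;;
esac
```

The firewall rule covers the case where the services listen on all addresses; glances -w also accepts -B 192.168.1.1 and darkstat accepts -b 192.168.1.1 to bind only to the LAN address, which is worth doing in addition.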


I tried ntopng. Unfortunately this program suite simply uses too many resources on my router, which loads it up close to 100%. There are often reports of dropped packets and such, further indicating overload.
I have decided to disable it. Worse than this, this package suite caused difficulties with my system updates, so I removed it entirely. Note that this may be as it was previously disabled.
Another thing I do not like about this package is that the free version is a cut-down of the full paid version. There is no general individual personal free full-use version available.

There seem to be 2 main services to enable/disable/start/stop, nprobe and ntopng:

  • sudo systemctl stop ntopng | to stop (or start)
  • sudo systemctl disable ntopng | to disable (or enable) starting on computer startup
  • sudo systemctl stop nprobe | to stop (or start)
  • sudo systemctl disable nprobe | to disable (or enable) starting on computer startup

We can also turn off the redis service unless something else wants to use it as well.

  • sudo systemctl stop redis | to stop (or start)
  • sudo systemctl disable redis | to disable (or enable) starting on computer startup

Docker Setup & Basic Commands

The Docker installation instructions for Ubuntu are in Docker's Get Docker CE for Ubuntu.

This is pretty old; I played with it circa 2017 and have not used Docker since. I have successfully been using full KVM based VMs for my main machines and so have not had much need for Docker.
That being said, I can see the benefits of containerisation, such as Docker, versus full virtual machines, such as KVM. Of course there are also benefits with full VMs!

Docker currently by default uses iptables on the host machine to allow access to containers. Unfortunately the default iptables rules effectively fully open up Docker on the host, which is probably a significant concern when the host is also used as a router. The Docker daemon can be configured not to update iptables on the host; in this case all routing between the host and Docker containers must be set up manually.
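As an added example (not from the original notes or from Docker's documentation), this is what "do not let Docker touch the firewall, route manually" looks like on an nftables router: the daemon.json setting that disables Docker's iptables handling, plus a ruleset that masquerades container traffic to the WAN while keeping containers away from the LAN. It assumes a WAN interface eth0 and Docker's default bridge docker0 with 172.17.0.0/16; the table name "docker_nat" is made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: run the Docker daemon with
# "iptables": false so it stops rewriting the router's firewall, and provide
# the NAT and forwarding rules for the container bridge with nftables instead.
# Assumptions: WAN interface eth0, Docker's default bridge docker0 with
# 172.17.0.0/16; the table name "docker_nat" is made up for this example.

# Contents for /etc/docker/daemon.json (merge with any keys already there).
docker_daemon_json() {
    printf '{\n  "iptables": false\n}\n'
}

# Render the replacement rules: $1 = WAN interface, $2 = Docker bridge,
# $3 = Docker bridge subnet.
docker_nft_rules() {
    wan_if=$1; dkr_if=$2; dkr_net=$3
    cat <<EOF
table inet docker_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Containers leaving via the WAN are masqueraded behind the router,
        # which is what Docker's own MASQUERADE rule used to do.
        oifname "$wan_if" ip saddr $dkr_net masquerade
    }
    chain forward {
        # Policy accept: this chain only decides bridge traffic; the router's
        # existing forward chain keeps handling LAN <-> WAN.
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        # Containers may reach the Internet ...
        iifname "$dkr_if" oifname "$wan_if" accept
        # ... but not the LAN behind the router, and nothing new may be
        # forwarded into the bridge from other interfaces unless an accept
        # (and, for a published port, a dnat rule) is added above these lines.
        iifname "$dkr_if" drop
        oifname "$dkr_if" ct state new drop
    }
}
EOF
}

docker_nft_apply() { docker_nft_rules "$@" | nft -f - ; }

# Usage on the router (script name is hypothetical): sh docker-fw.sh json
# prints the daemon.json, sudo sh docker-fw.sh apply loads the rules.
case "${1:-}" in
    json)  docker_daemon_json ;;
    apply) docker_nft_apply eth0 docker0 172.17.0.0/16 ;;
esac
```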

Stephank.nl considers IPv6 with Docker and using nftables IPv6 on production Docker

Docker and iptables configuration @startup

Docker and IPtables

Configure iptables for Docker manually and allow Internet access for containers

Debian Firewall when using Docker

Docker container networking

Setting up docker containers with nat

Iptables rule-set so that a docker container can access a service on a host IP

This is old; I played with this circa 2017 and have not used it since. I certainly have no interest in Algo IPSEC VPN anymore and have been trying to get Wireguard working recently.

Comparison of VPN protocols

Algo VPN old tl;dr;

Docker Docs Use the Docker command line

OpenVPN server in a Docker container complete with an EasyRSA PKI CA kylemanna/docker-openvpn

How to Geek - How to connect to a VPN from your iPhone


It took me some time to track down this authoritative information, but it was relatively simple, as this information is authoritatively defined in RFC (Request for Comments) de facto standards as noted below.

IANA Service Name and Transport Protocol Port Number Registry (online)

RFC 3232 replaced RFC 1700. RFC 3232 states that RFC 1700 has been replaced by an online database, see link given above. RFC 6335 also has information on Port Number Registry and the associated database.

Most Unix like operating systems have a service name database file: /etc/services. It is assumed that nft uses the /etc/services database for named ports definition.

Some ports of interest:

Name      Port Protocols        Description
ftp-data  20   {tcp, udp, sctp} File Transfer [Default Data]
ftp       21   {tcp, udp, sctp} File Transfer Protocol [Control]
ssh       22   {tcp, udp, sctp} The Secure Shell (SSH) Protocol
smtp      25   {tcp, udp}       Simple Mail Transfer
domain    53   {tcp, udp}       Domain Name Server (DNS)
bootps    67   {tcp, udp}       Bootstrap Protocol Server (DHCP)
bootpc    68   {tcp, udp}       Bootstrap Protocol Client (DHCP)
http      80   {tcp, udp, sctp} World Wide Web HTTP
pop3      110  {tcp, udp}       Post Office Protocol Version 3
ntp       123  {tcp, udp}       Network Time Protocol
imap2     143  {tcp, udp}       Internet Message Access Protocol
ldap      389  {tcp, udp}       Lightweight Directory Access Protocol
https     443  {tcp, udp, sctp} http protocol over TLS/SSL
urd       465  {tcp}            ssmtp smtps URL Rendezvous Directory for SSM
ldaps     636  {tcp, udp}       ldap protocol over TLS/SSL (was sldap)
rsync     873  {tcp, udp}       rsync
ftps-data 989  {tcp, udp}       File Transfer [Default Data]
ftps      990  {tcp, udp}       File Transfer Protocol [Control]
imaps     993  {tcp, udp}       imap4 protocol over TLS/SSL
pop3s     995  {tcp, udp}       pop3 protocol over TLS/SSL (was spop3)
openvpn   1194 {tcp, udp}       OpenVPN

Notes:

  1. TCP = Transmission Control Protocol
  2. UDP = User Datagram Protocol
  3. SCTP = Stream Control Transmission Protocol
  4. The Bootstrap Protocol was a precursor to DHCP (Dynamic Host Configuration Protocol)

RFC 3330 Special-Use IPv4 Addresses, September 2002

IPv4 uses some of these special addresses for private LANs (Local Area Networks), with NAT (Network Address Translation) used to connect the LANs to the WAN (Wide Area Network) via a router. This was required to compensate for the limited address space in IPv4. IPv4 NAT also provides some security benefits by obscuring the private LAN addresses from the public WAN.

IPv6 does not use NAT, as its native address space is sufficiently large never to require it in the foreseeable future.

Another interesting link, IANA https://www.iana.org/protocols


  • Get external IP address wget http://ipinfo.io/ip -qO -
  • To check the current network hardware configuration ip a
  • Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
  • To start (/stop /enable) the bind9 daemon sudo systemctl start bind9
  • To check networking status sudo systemctl status networking
  • List current Systemd operating units: sudo systemctl list-units | grep '*'. Change or remove the grep statement as required.
  • To find where systemd services scripts are located use systemctl show -p FragmentPath nftables
  • To list all systemd services: systemctl list-unit-files, use systemctl list-unit-files --state=enabled to check all enabled. A good reference from DigitalOcean for Systemctl to manage systemd services and units and for journalctl.
  • Some commonly used system services for router setup:
    • bind9.service
    • networking.service
    • isc-dhcp-server.service
    • isc-dhcp-server6.service
  • The journalctl command shows the information stored in the system journal:
    • sudo journalctl -b shows all journal entries collected since current boot
    • journalctl --list-boots lists recorded boots. The default option for Storage is Storage=auto in /etc/systemd/journald.conf. With this option, if the directory /var/log/journal is present, previous boot log files are saved; conversely, if it is not present, previous boot files are not saved. Check man journald.conf for details. Use sudo ls -la /var/log/journal to see if the directory already exists, sudo mkdir -p /var/log/journal to create the directory if it does not exist, and sudo rm -R /var/log/journal to remove the directory and any contents.
    • sudo journalctl -b -1 shows all journal entries collected from the previous boot, -2 from the boot before that, etc. sudo journalctl -b 0 is effectively the same as sudo journalctl -b
    • sudo journalctl -u networking tends to give more / differently formatted information than sudo systemctl status networking
  • Links to info on the ip and ifconfig commands

Some basic research on Linux Router led me to the following:

Some basic research on NFTables led me to the following:

Links relating to bridged and bonded Networking

A bridged network allows different networks to be connected, both physical, like NICs or Wifi, and virtual, allowing virtual machines to connect to a physical network and even be assigned a LAN IP address. Bonding allows physical networking devices such as NICs or Wifi to be bonded for increased bandwidth or redundancy. Sadly there seems to be a lot of information out there that is either for older versions of software or for other purposes.

  • stosb Explaining My Configs: OpenVPN
Last modified: 2022-10-08 Sat wk40 18:45 by baumkp