Router Miscellaneous

Monitoring

There are a number of linux monitoring packages available. See these links for more examples see, 13 Linux Performance Monitoring Tools – Part 2, and 30 Linux System Monitoring Tools Every SysAdmin Should Know. Below are a few that I have tried and use.

iftop - display bandwidth usage on an interface by host
Use man iftop to see options.
Typical usage: sudo iftop -i br0

nethogs - Net top tool grouping bandwidth per process
Use man nethogs to see options.
Typical usage: sudo nethogs br0

Darkstat – A Web Based Linux Network Traffic Analyser, is a relatively low resource network analyser. It has a web browser interface and can provide the perfornace statistics for the main interconnection as good or better than expected in a packaged router. Another reference: How-to monitor system bandwidth usage statistics with Darkstat on Fedora.

The darkstat output can then be seen on a web browser at 192.168.1.1:667


Like like the references for Debian 12 for glances install are out of date….

Glances Options

The best hot key is 'h' which displays/hides the help screen

Below are the list of several hot keys.

  • a – Sort processes automatically
  • c – Sort processes by CPU%
  • m – Sort processes by MEM%
  • p – Sort processes by name
  • i – Sort processes by I/O rate
  • d – Show/hide disk I/O stats ols
  • f – Show/hide file system statshddtemp
  • n – Show/hide network stats
  • s – Show/hide sensors stats
  • y – Show/hide hddtemp stats
  • l – Show/hide logs
  • b – Bytes or bits for network I/Oools
  • w – Delete warning logs
  • x – Delete warning and critical logs
  • 1 – Global CPU or per-CPU stats
  • h – Show/hide this help screen
  • t – View network I/O as combination
  • u – View cumulative network I/O
  • q – Quit (Esc and Ctrl-C also work)

glances as a service

Setup a systemd file for glances as a local web service sudo vim /lib/systemd/system/glances.service

[Unit]
Description=Glances
Documentation=man:glances(1)
Documentation=https://github.com/nicolargo/glances
After=network.target

[Service]
#ExecStart=/usr/local/bin/glances -w -t 2
ExecStart=/home/baumkp/.local/bin/glances -w -t 2
Restart=on-abort

[Install]
WantedBy=multi-user.target

After modifying a systemd file update systemd: systemctl daemon-reload

The glances output can then be seen on a web browser at 192.168.1.1:61208


I tried ntopng again in December 2023. I ran in a Docker container on my Router, although markedly improved since trying a few years ago this this program suite still uses uses a lot of resources on my router which loads it up close to 50%. There are occasional reports of dropped packet and such, further indicating overload.
I noted a problem with installing the Docker version. The Docker package documentation and defaults are to the latest, yet the available package is listed as stable, e.g. docker run -it -p 3000:3000 –net=host ntop/ntopng:stable -i br0 versus the instructed docker run -it -p 3000:3000 -v $(pwd)/ntopng.license:/etc/ntopng.license:ro –net=host ntop/ntopng:latest -i br0
Another thing I do not like about this package is that the free community version is a significantly cut down of the full paid version. The cost on the paid versions are substantial and I can simply not justify for non-commercial home use. There is no general individual personal free full use version available. The Docker container image is 2GB in size, the biggest image I have seen to date. Seems a bit bloated….
Hence I have decided not to use this software.

tl;dr

Systemd stuff, not relevant with use of Docker version


Docker Setup & Basic Commands

The Docker installation instructions for Ubuntu from Docker Get Docker CE for Ubuntu.

This is pretty old, I played with it circa 2017, and have not used Docker since. I was successfully been using full KVM based VMs for my main machines and so did not have much need for Docker
That being said, I can see the benefits of containerisation, such as Docker, versus full virtual machines, such as KVM. Of course there are also benefits with full VMs!.

In 2022 I revisited Docker and basically have move my various VM applications to Docker containers/ stacks. I run my Docker instance in a VM to isolate Docker from bare metal. This is primarily as Docker plays around with iptables. I do not like this, particularly on my main router machine that I use on bare metal nftables as the router/fire software.

Docker currently by default use iptables on the host machine to allow access to images. Unfortunately the default iptables effectively fully opens up docker on the host, which is probably a significant concern when the host is also used as a router. Docker host can be configured not to update iptables on the host, in this case all routing between the host and Docker images must be performed manually.

Stephank.nl considers IPv6 with Docker and using nftables IPv6 on production Docker

Docker and iptables configuration @startup

Docker and IPtables

Configure iptables for Docker manually and allow Internet access for containers

Debian Firewall when using Docker

Docker container networking

Setting up docker containers with nat

Iptables rule-set so that a docker container can access a service on a host IP

This is old, I played with this circa 2017 and have not used since. I certainly have no interest in Algo IPSEC VPN anymore and have been trying to get Wireguard working recently.

Comparison of VPN protocols

Algo VPN old tl;dr;

Docker Docs Use the Docker command line

OpenVPN server in a Docker container complete with an EasyRSA PKI CA kylemanna/docker-openvpn

How to Geek - How to connect to a VPN from your iPhone


It took me some time to track down this authoritative information, but it was relatively simple as this information is authoritatively define in RFC (Request of Comments) de facto standards as noted below.

IANA Service Name and Transport Protocol Port online Number Registry

RFC 3232 replaced RFC 1700. RFC 3232 states that RFC 1700 has been replaced by an online database, see link given above. RFC 6335 also has information on Port Number Registry and the associated database.

Most Unix like operating systems have a service name database file: /etc/services. It is assumed that nft uses the /etc/services database for named ports definition.

Some ports of interest:

Name      Port Protocols        Description
ftp-data  20   {tcp, udp, sctp} File Transfer [Default Data]
ftp       21   {tcp, udp, sctp} File Transfer Protocol [Control]
ssh       22   {tcp, udp, sctp} The Secure Shell (SSH) Protocol
smtp      25   {tcp, udp}       Simple Mail Transfer
domain    53   {tcp, udp}       Domain Name Server (DNS)
bootps    67   {tcp, udp}       Bootstrap Protocol Server (DHCP)
bootpc    68   {tcp, udp}       Bootstrap Protocol Client (DHCP)
http      80   {tcp, udp, sctp} World Wide Web HTTP
pop3      110  {tcp, udp}       Post Office Protocol Version 3
ntp       123  {tcp, udp}       Network Time Protocol
imap2     143  {tcp, udp}       Internet Message Access Protocol
ldap      389  {tcp, udp}       Lightweight Directory Access Protocol
https     443  {tcp, udp, sctp} http protocol over TLS/SSL
urd       465  {tcp}            ssmtp smtps URL Rendesvous Directory for SSM
ldaps     636  {tcp, udp}       ldap protocol over TLS/SSL (was sldap)
rsync     873  {tcp, udp}       rsync
ftps-data 989  {tcp, udp}       File Transfer [Default Data]
ftps      990  {tcp, udp}       File Transfer Protocol [Control]
imaps     993  {tcp, udp}       imap4 protocol over TLS/SSL
pop3s     995  {tcp, udp}       pop3 protocol over TLS/SSL (was spop3)
openvpn   1194 {tcp, udp}       OpenVPN

Notes:

  1. TCP = Transmission Control Protocol
  2. UDP = User Datagram Protocol
  3. SCTP = Stream Control Transmission Protocol
  4. The Bootstrap Protocol was a precursor to DHCP (Dynamic Host Configuration Protocol)

RFC 3330 Special-Use IPv4 Addresses, September 2002

IPv4 uses some of these special addresses for private LANs (Local Area Network)s with NAT (Network Address Translation) used to connect the LANs to the WAN (Wide/World Area Network) via a router. This was required to compensate for the limited address space in IPv4. IPv4 NAT also provide some security benefits by obscuring the private LAN addresses from the public WAN.

IPv6 does not use NAT as its native address space is sufficiently large never to require in the foreseeable future.

Another interesting links:


  • Get external IP address wget http://ipinfo.io/ip -qO -
  • To check the current network hardware configuration ip a
  • Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
  • To start (/stop /enable) the bind9 daemon sudo systemctl start bind9
  • To check networking status sudo systemctl status networking
  • List current Systemd operating units: sudo systemctl list-units | grep '*'. Change or remove the grep statement as required.
  • To find where systemd services scripts are located use systemctl show -p FragmentPath nftables
  • To list all systemd services: systemctl list-unit-files, use systemctl list-unit-files –state=enabled to check all enabled. A good reference from DigitalOcean for Systemctl to manage systemd services and units and for journalctl.
  • Some commonly used system services for router setup:
    • bind9.service
    • networking.service
    • isc-dhcp-server.service
    • isc-dhcp-server6.service
  • The journalctl command shows the information stored in the system journal:
    • sudo journalctl -b shows all journal entries collected since current boot
    • journalctl –list-boots lists recorded boots. The default option for Storage is Storage=auto in /etc/systemd/journald.conf. For this option if the directory /var/log/journal is present previous boot log files are saved. Conversely if not present, then previous boot files are not saved. Check man journalctl.conf for details. Use sudo ls -la /var/log/journal to see if directory already exists, sudo mkdir -p /var/log/journal to create directory if not existing, and sudo rm -R /var/log/journal to remove directory and any contents.
    • sudo journalctl -b -1 shows all journal entries collected from a previous boot, -2 from the boot before that, etc. sudo journalctl -b 0 is effectively the same as sudo journalctl -b
    • sudo journalctl -u networking and tends to give more / different format information than sudo systemctl status networking
  • Links to info on the ip and ifconfig commands

Some basic research on Linux Router led me to the following:

Some basic research on NFTables led me to the following

Links relating to bridged and bonded Networking

A bridged network allows different networks to be connected, both physical, like NICs or Wifi and virtual, allowing virtual machine to connect to a physical network and even be assigned a LAN IP address. Bonding allows physical networking devices such as NICs or Wifi to be bonded to allow increased bandwidth or redundancy. Sadly there seems to be alot of information out there that is either for older version of software or other purposing.

  • stosb Explaining My Configs: OpenVPN
  • /app/www/public/data/pages/linux_router/misc.txt
  • Last modified: 2023-12-03 Sun wk48 13:58
  • by baumkp