Messages

1

Tutorials and FAQs / Re: [SCRIPT] Webhook notify of internet connectivity loss on specific interface

« on: August 04, 2023, 12:26:36 pm »

Made a V2 I'm testing that support Discord and Home Assistant targets with multiple URLS for each.

Also the options to choose which notifications to send to Discord, and which to send to Home Assistant, as well as the ability to remember last state of the connection.

Fun working on this... hope someone else can use it.

Pastebin Link

2

Tutorials and FAQs / [SCRIPT] Webhook notify of internet connectivity loss on specific interface

« on: August 04, 2023, 07:05:30 am »

This may (or may not) be of use for others.

I made this for my own requirements (ie monitor backup 5G modem which has a habit of locking up, then telling Home Assistant via webhook automation to turn the smart plug off then back on).

Can be run standalone or in background. Pastebin link here.

I made this to ideally run in the background as a cronjob - and the script will check to ensure no other variants of the script are running and will exit gracefully if it detects the lock file.

For standlone, you can run it with options to specify the desired ping IP address and DNS check address. For example:

Code: [Select]

./internet_monitor.sh -p 1.1.1.1 -d example.com
This will monitor internet connectivity using 1.1.1.1 as the ping IP address and DNS resolution using example.com as the DNS check address. If you don't provide any options, the script will use the default addresses (8.8.8.8 and github.com).

NOTE: Updated to support multiple Webhook URL targets.

Code: [Select]

#!/bin/bash

# Default values for options
PING_IP="8.8.8.8"      # Default ping IP address (Google DNS)
DNS_CHECK_ADDRESS="github.com"  # Default DNS check address
INTERFACE="eth0"      # Replace with your Ethernet interface name (e.g., eth0)
WEBHOOK_URLS="YOUR_WEBHOOK_URL"  # Default webhook URL(s) (comma-separated)
ENABLE_RESTORE_NOTIFICATION=true   # Set this to false if you want to disable the notification when connectivity is restored
LOCK_FILE="/tmp/internet_monitor.lock" # Define the lock file path

# Function to acquire the lock
acquire_lock() {
    if [[ -e "$LOCK_FILE" ]]; then
        echo "Lock file exists. Script is already running or a previous run didn't finish."
        exit 1
    fi
    touch "$LOCK_FILE"
}

# Function to release the lock
release_lock() {
    rm -f "$LOCK_FILE"
}

# Function to send a webhook notification
send_webhook_notification() {
    local message="$1"
    local urls=($(echo "$WEBHOOK_URLS" | tr ',' ' '))  # Convert comma-separated URLs to an array
    for url in "${urls[@]}"; do
        curl -X POST -H "Content-Type: application/json" -d "{\"text\":\"$message\"}" "$url"
    done
}

# Function to check internet connectivity
check_internet_connectivity() {
    local ip_address="$1"
    if ping -I "$INTERFACE" -c 1 "$ip_address" &> /dev/null; then
        return 0  # Internet connectivity is available
    else
        return 1  # Internet connectivity is not available
    fi
}

# Function to check DNS resolution
check_dns_resolution() {
    local dns_address="$1"
    if ping -I "$INTERFACE" -c 1 "$dns_address" &> /dev/null; then
        return 0  # DNS resolution is successful
    else
        return 1  # DNS resolution failed
    fi
}

# Main function to monitor internet connectivity and DNS resolution
main() {
    if ! check_internet_connectivity "$PING_IP"; then
        # Internet connectivity is not available, send webhook notification with a specific payload
        message="Internet connectivity is down on $INTERFACE at $(date)"
        send_webhook_notification "$message" "connectivity_down"
    elif ! check_dns_resolution "$DNS_CHECK_ADDRESS"; then
        # DNS resolution failed, send webhook notification
        message="DNS resolution failed on $INTERFACE at $(date)"
        send_webhook_notification "$message" "dns_failure"
    else
        # Internet connectivity and DNS resolution are both successful
        if $ENABLE_RESTORE_NOTIFICATION; then
            # Internet connectivity is restored, send webhook notification with a specific payload
            message="Internet connectivity restored on $INTERFACE at $(date)"
            send_webhook_notification "$message" "connectivity_restored"
        fi
    fi
}


# Function to display usage information
usage() {
    echo "Usage: $0 [-p ping_ip_address] [-d dns_check_address] [-w webhook_urls]"
    echo "Options:"
    echo "  -p ping_ip_address       Specify the IP address for internet connectivity check (default: 8.8.8.8)"
    echo "  -d dns_check_address     Specify the DNS address for DNS resolution check (default: github.com)"
    echo "  -w webhook_urls          Specify one or multiple webhook URLs as a comma-separated list"
    exit 1
}

# Parse command-line options using getopts
while getopts ":p:d:w:" opt; do
    case "$opt" in
        p) PING_IP=$OPTARG ;;
        d) DNS_CHECK_ADDRESS=$OPTARG ;;
        w) WEBHOOK_URLS=$OPTARG ;;
        \?) echo "Invalid option: -$OPTARG" >&2 ; usage ;;
        :) echo "Option -$OPTARG requires an argument." >&2 ; usage ;;
    esac
done

# Acquire the lock before starting the main loop
acquire_lock

# Run the main loop
while true; do
    main
    sleep 1m  # Adjust the time interval as needed for internet connectivity and DNS resolution checks
done

# Release the lock when the script exits
release_lock


3

23.7 Legacy Series / Re: DHCP Friendly Name (without static IP)

« on: August 03, 2023, 08:14:43 am »

Yes I tried this. As per above:

Now I have two entries showing for the device in the leases list.

- One has no hostname or description but has a dynamic IP.
- The other has a hostname and description, but shows static and displays no IP address.

Ideally for this to be beneficial for my needs it would show as one combined device.

4

23.7 Legacy Series / Re: DHCP Friendly Name (without static IP)

« on: August 03, 2023, 06:23:35 am »

See the attached images (dark background) as an example from how Unifi Networks does it. The "Friendly Name" is at the top : "myQ Bridge" which I can set to whatever I want (as per image 2).

I can leave them as dynamic (ie Fixed IP Address is disabled) and they show up everywhere in the interface with their friendly name.

Also see the attached image from Firewalla (a firewall vendor using ubuntu base) where once given a name, it is very easy to apply groups, policies, restrictions, routes etc to this specific device even without a static IP address.

This is what I'm looking for.

5

23.7 Legacy Series / Re: DHCP Friendly Name (without static IP)

« on: August 02, 2023, 10:55:07 pm »

I just prefer it. If I knew how to code this I would and I’d put in a pull request. This would be an option for people to manage their own environment the way they want rather than being forced to move to static addressing. The D in DHCP is there for a reason

6

23.7 Legacy Series / Re: DHCP Friendly Name (without static IP)

« on: August 02, 2023, 03:07:13 pm »

Services -> DHCPv4 -> [LAN]   

Scroll down to DHCP Static Mappings...


https://prnt.sc/rhlfn5yjks9o

Thanks - but they are static mappings and I'd like them to be dynamic IP assignments just with friendly names.

7

23.7 Legacy Series / Re: DHCP Friendly Name (without static IP)

« on: August 02, 2023, 08:50:06 am »

As in a static reservation (sorry if that's not what you mean)? I want the IP address to remain dynamic, but have the manually set Hostname or Friendly Name show up in DHCPv4 leases list.

Edit:
I setup a hostname and description for a device in DHCPv4 Leases and left the IP address field blank.

Now I have two entries showing for the device in the leases list.

- One has no hostname or description but has a dynamic IP.
- The other has a hostname and description, but shows static and displays no IP address.

Ideally for this to be beneficial for my needs it would show as one combined device.

8

23.7 Legacy Series / DHCP Friendly Name (without static IP)

« on: August 02, 2023, 04:19:10 am »

This may have been asked before, but it would be great to have the ability to map friendly names to MAC addresses in the system for help in identifying devices.

This is a feature that is present in many if not all consumer routers, Unifi management, Firewalla etc etc

Ideally an ability to do one, some or all of the following based on MAC address:
1. Replace or provide the hostname of a device.
2. Provide a Friendly Name in the "Description" field of a device.
3. "Tag" or "Categorise" the device i.e. as a "Known" device (could be useful for alerts on new devices connecting).

I don't want to have to use static addresses to achieve this.

Thanks,
Shane.

9

Zenarmor (Sensei) / Re: Question - Policy to apply to a VLAN

« on: August 02, 2023, 02:44:11 am »

One of them is enough. You can select the interface to apply or just write VLAN ID in the VLAN field. You don't need to add both of them.

Thankyou! Also the rest of the info is very helpful.

Any chance the "one of them is enough" can be added to the guide on setting policies up - then dumb people like me won't have to ask the question again

10

General Discussion / Re: Web app "wrapper" for OPNSense possibly using Wireguard?

« on: August 01, 2023, 02:46:18 pm »

Make sure the DNS servers specified in the WireGuard profile (if any) are included in the allowed IPs (if different from the OPNsense management IP).

Removing the DNS from the client profile altogether seemed to work - I'm connecting to the management interface via IP:Port anyway - no DNS required.

 I've now set it via "on-demand" to enable when on cellular and wifi (excluding my home SSID) and it looks like it will do most of what I was looking for.

Thanks.

11

General Discussion / Re: Web app "wrapper" for OPNSense possibly using Wireguard?

« on: August 01, 2023, 01:07:16 pm »

That just makes it so the only thing I can access when it’s connected is the OPNsense Management IP.

All other traffic stops.

12

General Discussion / Re: Web app "wrapper" for OPNSense possibly using Wireguard?

« on: August 01, 2023, 10:52:37 am »

It would give me a secure VPN connection only for that app to my router admin rather than the whole mobile OS.

Currently the web browser requires me to securely connect to my home network via VPN then open a web browser, all the while all of my other apps and services get redirected via my home internet.

Tailscale is not bad but this “app” would be easier and potentially could have a persistent connection allowing alerts and notifications.

13

General Discussion / Web app "wrapper" for OPNSense possibly using Wireguard?

« on: August 01, 2023, 09:04:07 am »

Update: Use the Wireguard app to do it.

As per below:
1. Set the client profile "Allowed IPs" to your OPNsense Management IP (ie 192.168.1.1/32)
2. Do not include anything in the "DNS Servers" section of the Client config.
3. Enable Cellular and Wi-Fi "On-Demand Activation"
4. Under On-Demand Wi-Fi section, change "Any SSID" to "Except these SSIDs" and select the Wi-Fi SSID which resides on the same network as your OPNsense Firewall.

Thankyou Maurice!

I know there isn't a native app for OPNSense management, but I'm wondering if this concept would work?

1. Someone more amazing and skilled than me creates an iOS and Android app.
2. App is a Web app wrapper (ie once connected it just displays the default OPNsense admin UI).
3. Possibly use Wireguard embedding https://www.wireguard.com/embedding/ to secure the connection direct to the OPNsense router. ie step the user through connecting it to the OPNsense wireguard server then present the management ui.

Think of it like a web browser app with wireguard built in that allows you to connect to your own vpn host.

Ultimately it should use an underlying app-specific vpn connection to the router to allow remote management.

Maybe I'm dreaming....

Thoughts?

14

23.7 Legacy Series / NGINX security headers (link to 23.1 post)

« on: July 31, 2023, 10:43:10 pm »

This “issue” remains under 23.7 so thought I’d link to it here https://forum.opnsense.org/index.php?topic=35100.0

Happy for admin to move that post to this 23.7 forum and delete this post.

Any help would be appreciated.
Thanks.

15

Zenarmor (Sensei) / Question - Policy to apply to a VLAN

« on: July 31, 2023, 08:16:47 am »

Might be a stupid question but trying to understand how everything works.

I'm setting up policies in zenarmor and I want different policies to apply to different VLANs.

If I'm setting up a policy in zenarmor and I want it to only apply to VLAN 50, do I select both the Interface it is on as well as putting in the VLAN? Or do I just enter the VLAN and not select the interface as well?

Thanks,
Shane.