Topics - Zeitkind

#1
General Discussion / watchdog script in bash
June 27, 2023, 08:55:18 PM
Hiho,
I often need(ed) a script to check for internet connectivity. Some devices offer some kind of check, but most of them just try to ping Google or similar, not the best idea IMHO. So I made my own, changed it quite often to my needs and use it to monitor connections or to react to failures like restarting a DSL or cable modem or the commonly bad ISP-provided plastic box called "WIFI Superduper Highend Router".
Had this problem today, searched for something better, did not find much, so I just drop it here, some might find it useful, hf.
It will have errors, problems, bugs, but well, it's an oooold script and has grown over the years.



#!/bin/bash

# v0.6.2 Zeitkind
# Watchdog-script for testing Internet connectivity.
# Runs here on an internal Linux machine, but could be anything that knows bash.
# Script might need to run as root, so use cron or sudo to start it?
# If the connection is down, we can trigger other things, like
# starting a failover line or trying to reset the dumb modem / router provided by your ISP.
# Have you tried turning it off and on again?
# Cable modems that started in routing mode but should have started in bridging mode,
# or the line was down and the profile from the ISP was not loaded - also those funny things.
# ...

# Check for the log file and create it
if [ ! -f /var/log/connection-check.log ]; then
  touch /var/log/connection-check.log
fi

# Only 1 instance of this script should run.
# Check if the lock file exists; if not, create it and set a trap to remove it on exit.
# set -C (noclobber) makes the redirection fail if the file already exists, so
# "test and create" is one atomic step instead of a check-then-create race.
# The lock lives in /var/lock rather than /tmp: a fixed name in a world-writable
# directory lets any local user pre-create the file (or a symlink to it) and keep
# the watchdog from ever running. A lock left behind by kill -9 has to be removed by hand.
if { set -C; 2>/dev/null >/var/lock/connection-check.lock; }; then
  trap "rm -f /var/lock/connection-check.lock" EXIT
else
  echo "Lock file exists... exiting"
  exit 1
fi

# Counters count the failed connection checks with either google.com or the second site, e.g. sfr.fr
counter1=0
counter2=0

# Function to reset counters
# If only one connection is successful, we are nevertheless online and can reset both.
# Not needed if we don't run the script as a daemon, we just exit the script then.
reset_counters() {
  counter1=0
  counter2=0
}

# Function to log a message and run a script.
#
# If we need to restart our router, we log this and call a script that can power off
# and power on the router (or the cable modem or the cheap switch or everything).
# Use your own script, whatever is needed.
# I have a Tasmota power plug and a script called restart-router.sh.
# The cheap plastic router from the ISP tends to lock up, so I need to power cycle this pos.
# Tasmota should be able to stack commands with Backlog; it didn't work for me though, so we just
# power off, wait some seconds and power on again.
# curl -X POST http://<IP>/cm?cmnd=Power%20off
# sleep 10s
# curl -X POST http://<IP>/cm?cmnd=Power%20on
# Note: anything that can reach the plug's HTTP interface can power-cycle your uplink, so keep
# the plug on a management network and set a web password on it. This script runs as root,
# so keep restart-router.sh root-owned and not writable by anyone else.
# Log the restart event
# echo "$(date +"%Y-%m-%d %H:%M:%S") Tasmota: Restarted router." >> /var/log/connection-check.log
#
log_and_restart() {
  echo "$(date +"%Y-%m-%d %H:%M:%S") $1" >> /var/log/connection-check.log
  /usr/bin/restart-router.sh
# The router or modem needs some time to boot and reconnect, so we wait.
# DSL connections might take quite long to re-establish. Adjust for your needs.
# Remark: some DSL line ports reset on the ISP side if our modem is not powered on for
# several minutes; might help to test if your line port is ancient or bad or often
# crashes on the ISP side and they don't fix it.
  sleep 5m
}

# Main testing loops. We use wget to check for Google and our provider.
# We use 2 tries and wait for the answer, the line might be busy.
# Caveat: --spider only asks whether some HTTP answer comes back. A captive portal or an
# ISP "line is down" page that answers plain HTTP with 200 passes this test, so for a
# stricter check probe https:// URLs, where the TLS handshake has to succeed against the real host.
# This whole script can be called by other scripts or cron, so logging that we are online is optional.
# Space in /var/log might be limited anyway, be sure to clean the logs or use logrotate etc.
# Logging failed tests is also optional, remove the #'s to enable the parts you want.

while true; do
  wget -q --tries=2 --timeout=10 --spider http://google.com
# If we reach google, we are online and can just exit the script.
# Change this if you want to run this script as a permanent daemon etc. - not recommended though.
  if [[ $? -eq 0 ]]; then
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Google answers, we are online." >> /var/log/connection-check.log
    exit
  else
    counter1=$((counter1+1));
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Google unreachable $counter1" >> /var/log/connection-check.log;
# For debugging write to console
#    echo $counter1;
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
# If we reach our provider, we are online and we just exit the script.
# But the provider itself might be offline, so we could modify this part to fire up a
# different connection or switch to a backup line.
# Some providers offer a special "ping-test-server" to check the connection, which might also be
# a possibility. I recommend against using e.g. ping 8.8.8.8; Google sometimes just ignores
# pings. Same with 1.1.1.1 or 4.4.4.4 etc.
#    echo "$(date +"%Y-%m-%d %H:%M:%S") SFR answers, we are online." >> /var/log/connection-check.log
    exit
  else
    counter2=$((counter2+1));
#    echo "$(date +"%Y-%m-%d %H:%M:%S") SFR unreachable $counter2" >> /var/log/connection-check.log;
# For debugging write to console
#    echo $counter2;
  fi

# If either of the counters is still zero, i.e. one test was successful, we are online
# and can exit the script; it can be started again by cron etc.
# (Because of the exits above, this point is only reached after both tests failed, so
# this branch only matters if the script is modified to run all the time; then the
# counters need resetting to zero.)
# If we just exit, that doesn't matter.
  if [[ $counter1 -eq 0 || $counter2 -eq 0 ]]; then
#    reset_counters
    exit
  fi

# If both connection tests fail 5 times, we seem to be offline.
  if [[ $counter1 -eq 5 && $counter2 -eq 5 ]]; then
    log_and_restart "We seem to be offline, restarting router!"
# log_and_restart ends with sleep, whose status is 0, so this always leaves the loop.
    if [[ $? -eq 0 ]]; then
      break
    fi
  fi
# We should wait some time before we test again.
# If Internet has just a short hiccup, 30s will be fine.
  sleep 30s
done

# After rebooting the router/modem, Internet should come back, so we test
# We can log this if we want
while true; do
  wget -q --tries=2 --timeout=10 --spider http://google.com
  if [[ $? -eq 0 ]]; then
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

# We are still offline, but restarting the router or modem twice in a short time isn't really the best idea.
# So we wait half an hour, probably the ISP has problems.
# We can log this

#  echo "$(date +"%Y-%m-%d %H:%M:%S") Router restarted, but still offline. Sleeping for 30 minutes"  >> /var/log/connection-check.log;
  sleep 30m
# Waited enough, leave while to re-check.
  break
done

while true; do
  wget -q --tries=2 --timeout=10 --spider http://google.com
  if [[ $? -eq 0 ]]; then
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
#    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

# Both tests failed, so we are still offline after about an hour; restart the router again.
# Afterwards we wait 6 hours for the next test, probably the ISP has problems.
# This script was made for a remote place far away, so adjusting the values might be a good idea.
  log_and_restart "Router restarted again. Let's see.."
# Now try again 
  wget -q --tries=2 --timeout=10 --spider http://google.com
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi
 
# Still offline, so we have to wait again. Log this like the other events (not just to the console).
  echo "$(date +"%Y-%m-%d %H:%M:%S") Router restarted, but still offline. Sleeping now for 6 hours" >> /var/log/connection-check.log
  sleep 6h
# Waited enough, leave while to re-check.
  break
done

while true; do
  wget -q --tries=2 --timeout=10 --spider http://google.com
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

# We are still offline (roughly 7 hours after the first restart), so we restart the router again and pray..
  log_and_restart "Router restarted again. Let's see.."
 
# Now try again 
  wget -q --tries=2 --timeout=10 --spider http://google.com
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi

  wget -q --tries=2 --timeout=10 --spider http://sfr.fr
  if [[ $? -eq 0 ]]; then
    echo "$(date +"%Y-%m-%d %H:%M:%S") Online again!" >> /var/log/connection-check.log;
    exit
  fi
 
# Still offline, so we have to wait again. Log this like the other events (not just to the console).
  echo "$(date +"%Y-%m-%d %H:%M:%S") Router restarted, but still offline. Sleeping now for 24 hours" >> /var/log/connection-check.log
 
  sleep 24h
# From here on we don't exit; we just restart the router every 24h.
# "Worked for me."® :D

done
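The decision logic of the script above, pulled into functions, as an added example that is not part of the original post: the probe command and the URL list are parameters, so the escalation (five failed rounds before the first power-cycle, then a growing minimum gap between power-cycles, capped at 24 h) can be exercised without a network, and the single-instance guard uses an atomic mkdir in a root-owned directory instead of a fixed file name in /tmp. The https:// probe URLs, the /run lock directory and the "run" argument are my assumptions, not the original's; /usr/bin/restart-router.sh is the original's hook.

```sh
#!/bin/sh
# Added example (not the original script): the watchdog's decisions as functions.
# PROBE is the command that tests one URL; the default is the wget call from the
# original. A test can point it at a shell function instead of the network.
PROBE="${PROBE:-wget -q --tries=2 --timeout=10 --spider}"
# Assumption: probe https:// URLs. A captive portal or ISP "line down" page
# answers plain HTTP with 200 and would pass an http:// --spider check; the TLS
# handshake against the real host does not.
PROBE_URLS="${PROBE_URLS:-https://google.com https://sfr.fr}"
FAIL_THRESHOLD=5      # failed rounds (30 s apart) before the first power-cycle

# is_online: succeeds as soon as one URL answers; fails only if all of them fail.
is_online() {
    for wd_url in $PROBE_URLS; do
        if $PROBE "$wd_url" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# restart_wait N: minimum seconds between the N-th power-cycle and the next one.
# Same ladder as the original (30 min, 6 h, 24 h), capped at 24 h, so a long ISP
# outage does not turn into a power-cycle every few minutes.
restart_wait() {
    case "$1" in
        0|1) echo 1800 ;;
        2)   echo 21600 ;;
        *)   echo 86400 ;;
    esac
}

# watchdog_round FAILS RESTARTS: one decision. FAILS is the number of failed
# rounds so far, RESTARTS the number of power-cycles so far. Prints
#   online             a probe answered; the caller resets both counters
#   wait 30            still counting failures, probe again in 30 s
#   restart <seconds>  power-cycle now, then no further power-cycle for <seconds>
watchdog_round() {
    wd_fails=$1
    wd_restarts=$2
    if is_online; then
        echo online
        return 0
    fi
    wd_fails=$((wd_fails + 1))
    if [ "$wd_fails" -lt "$FAIL_THRESHOLD" ]; then
        echo "wait 30"
    else
        echo "restart $(restart_wait "$wd_restarts")"
    fi
}

# acquire_lock DIR: single-instance guard. mkdir either creates the directory or
# fails, atomically, on any POSIX filesystem, so there is no check-then-create
# gap. Use a root-owned parent (assumption: /run), never /tmp: with a fixed name
# in a world-writable directory any local user can pre-create it and silence the
# watchdog for good. A lock left behind by kill -9 has to be removed by hand.
acquire_lock() {
    if mkdir "$1" 2>/dev/null; then
        trap "rmdir '$1'" EXIT
        return 0
    fi
    return 1
}

# Driver: only runs when called with "run", so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    acquire_lock "${LOCKDIR:-/run/connection-check.lock}" || { echo "already running"; exit 1; }
    fails=0; restarts=0
    while :; do
        set -- $(watchdog_round "$fails" "$restarts")
        case "$1" in
            online)  exit 0 ;;
            wait)    fails=$((fails + 1)); sleep "$2" ;;
            restart) /usr/bin/restart-router.sh          # the original's power-cycle hook
                     restarts=$((restarts + 1)); fails=0
                     sleep "$2" ;;
        esac
    done
fi
```

Run it from cron as `watchdog.sh run`; the driver exits on the first successful probe, the same as the original, so cron restarts the cycle. Because the probe is a variable, the same functions can be tested with a fake probe that "knows" which URLs are up.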



#2
But why?

Versions    OPNsense 21.1.9_1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021

The log is being spammed with

2021-07-29T12:40:26   configctl[3463]   event @ 1627550554.91 msg:   
2021-07-29T12:40:26   configctl[3463]   event @ 1627550554.91 msg:   
2021-07-29T12:40:26   configctl[3463]   event @ 1627550554.91 msg:   
2021-07-29T12:40:26   configctl[3463]   event @ 1627550554.91 msg:   
2021-07-29T12:40:26   configctl[3463]   event @ 1627550554.91 msg:

The GUI is sluggish to unusable, CPU at around 100% load (configctl), Internet connectivity poor but still there, just badly degraded because of the CPU. A reboot fixes everything.

Does anyone know this? I had it several times before on another device but never found out why. I set up an automatic restart every weekend there and have had peace since. Today it happened on my main connection, again with no hint at the cause. A few plugins are still active:

os-mail-backup (missing)   
os-acme-client (installed)   
os-api-backup (installed)   
os-clamav (installed)      
os-dmidecode (installed)   
os-dyndns (misconfigured)   
os-hw-probe (installed)      
os-intrusion-detection-content-snort-vrt (installed)
os-lldpd (installed)      
os-mdns-repeater (installed)   
os-smart (installed)      
os-wireguard (installed)   
os-zerotier (installed)

Though I just fixed these two:
Unregistering plugin: os-mail-backup
Registering plugin: os-dyndns
I don't think they were to blame, but who knows..
LLDPd and the MDNS repeater are currently disabled.
#3
German - Deutsch / RRD data always in the backup?
July 09, 2021, 06:56:40 PM
OPNsense 21.1.8_1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Whether the box is ticked or not, RRD data now always ends up in the backup XMLs.
With the box ticked: 4.8 MB
Without: 7.6 MB

At the end of the XMLs there is always

<rrddata>
    <rrddatafile>
      <filename>ipsec-packets.rrd</filename>
[endless ASCII junk]...

With the box ticked the ASCII block is about 3 MB smaller, but shouldn't there simply be .. nothing? Or does the backup now always contain some RRD data?

RRD data is also beamed into the Nextcloud backup, not just the manual backup.
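An added example, not from the post above: shell functions that drop the <rrddata> element from an exported config XML before it is archived or diffed, and a check that reports whether a backup still carries one. The sample XML is constructed here; the <data> child element and the second file name are my assumptions, only the lines quoted in the post are from the real format.

```sh
#!/bin/sh
# Added example (not from the post). strip_rrddata FILE: print FILE without its
# <rrddata>...</rrddata> element. sed's range address deletes from the line with
# the opening tag through the line with the closing tag; everything else passes
# through unchanged, so the rest of the backup stays byte-identical.
strip_rrddata() {
    sed '/<rrddata>/,/<\/rrddata>/d' "$1"
}

# has_rrddata FILE: succeeds if FILE still contains an <rrddata> element.
has_rrddata() {
    grep -q '<rrddata>' "$1"
}

# rrd_file_count FILE: how many .rrd files are embedded (one <rrddatafile> each).
# grep -c exits 1 when the count is 0, hence the || true.
rrd_file_count() {
    grep -c '<rrddatafile>' "$1" || true
}

# make_sample FILE: a constructed backup fragment in the shape quoted in the post.
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
  </system>
  <rrddata>
    <rrddatafile>
      <filename>ipsec-packets.rrd</filename>
      <data>QUJDRA==</data>
    </rrddatafile>
    <rrddatafile>
      <filename>system-processor.rrd</filename>
      <data>RUZHSA==</data>
    </rrddatafile>
  </rrddata>
</opnsense>
EOF
}
```

Usage: `strip_rrddata config-backup.xml > config-backup-small.xml`, then `has_rrddata config-backup-small.xml || echo clean`. Keeping the stripped copy next to the full one makes a `diff` between two backups show configuration changes instead of megabytes of RRD samples.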
#4
General Discussion / shop.opnsense.com kinda broken?
August 17, 2020, 02:31:05 PM
Is it only me or is https://shop.opnsense.com/ kinda broken? If I click on "Appliances", I get.. nothing - https://shop.opnsense.com/#
#5
Hi.

In the OpenVPN "Client Specific Overrides" settings I noticed that "Advanced" is marked as deprecated. But that is where I put my client-specific things like ifconfig-push, e.g. to restrict access to internal IP ranges. The alternative would probably be config directories as described in
https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
but you have no access to an /etc/openvpn/mein-ccd here at all.
So how does one manage per-client access rights in future? (A may only reach 192.168.55.10; B may reach all of 192.168.88.0; C may reach everything)
#6
German - Deutsch / Firefox again..
July 19, 2016, 02:51:34 PM
Fresh installation and update to 16.1.18 - dashboard empty with Firefox 47.0.1/OS X.
Chrome shows everything and you can move the widgets etc. Then quit Firefox (reload doesn't help) and log in again - then it works with Firefox too. Something gets stuck with Firefox every now and then, confusing if you only try Firefox. Just FYI.
#7
Did not notice L2TP was gone. Checked today and did not find any trace of L2TP/PPTP or PPPoE. Read it was made a plugin a while ago. But it's neither available under VPN nor as a plugin or package. The only installable plugins are os-haproxy, os-helloworld, os-smart, os-vmware and os-xen. So I checked for updates - none. OPNsense 16.7.b_514-i386, FreeBSD 10.2-RELEASE-p19, OpenSSL 1.0.2h 3 May 2016. Checked for errors - none. Tried to update via terminal - nothing.
Makes me wonder. I think I'm on a dead road atm, because there are already 2 RCs out. Any ideas?
#8
German - Deutsch / Default users..
July 14, 2016, 10:41:16 PM
.. with predefined rights would be nice.

For example:
User "root" - as before
User "admin" - may do a lot, but not change configurations. So query status, restart the device, disconnect and reconnect WAN.. everything you can reasonably ask a normal user on site to do over the phone for a quick diagnosis.
User "status" - may check whether everything is green, but nothing else.
Alternatively, preset groups accordingly. Clicking together group permissions yourself is really tedious (why can't I select everything with "status" en bloc?) and error-prone.

Just as a suggestion...
#9
16.7 Legacy Series / Firefox nightly..
May 29, 2016, 01:44:03 PM
... seems to be a bit broken atm, dashboard not rendered at all - empty space. Just FYI if anyone uses nightly Firefox builds and wonders if OPNsense has a problem. It's more likely a Firefox problem.
#10
German - Deutsch / CPU temperature and the coretemp module
April 15, 2016, 02:49:49 PM
Hi!
When I looked at my dashboard earlier I noticed that the CPU had the same temperature (40°C) as yesterday. OK, it can happen, but it seemed fishy to me..
Under System Health there was only nonsense, permanently at 0 - with no scale, so unusable.

So, to the terminal:

root@fw:~ # sysctl -a | grep "dev.cpu.*.temperature"
_Nothing_
Hmmm.. bad.

root@fw:~ # sysctl hw.acpi.thermal
hw.acpi.thermal.tz0._TSP: 60
hw.acpi.thermal.tz0._TC2: 3
hw.acpi.thermal.tz0._TC1: 4
hw.acpi.thermal.tz0._ACx: 73.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._CRT: 75.0C
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._PSV: 73.0C
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0.passive_cooling: 1
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.temperature: 40.0C
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.min_runtime: 0

OK, so that's where the 40°C come from. But are they right? Nope, the CPU is an Atom, isn't it? *ponders*

root@fw:~ # sysinfo
sysinfo: Command not found.
root@casimir:~ # pkg install sysinfo
Updating OPNsense repository catalogue...
[..]
pkg: No packages available to install matching 'sysinfo' have been found in the repositories

aargh. Oh well..

root@fw:~ # wget http://distcache.freebsd.org/freebsd:10:x86:64/latest/All/sysinfo-1.0.1_2.txz
wget: Command not found.

*sigh*

root@fw:~ # curl -O http://distcache.freebsd.org/freebsd:10:x86:32/latest/All/wget-1.16.3_1.txz
root@fw:~ # curl -O http://distcache.freebsd.org/freebsd:10:x86:32/latest/All/libidn-1.31.txz
root@fw:~ # wget http://distcache.freebsd.org/freebsd:10:x86:32/latest/All/sysinfo-1.0.1_2.txz
root@fw:~ # wget http://distcache.freebsd.org/freebsd:10:x86:32/latest/All/dmidecode-3.0.txz

So, now a sysinfo -a and lo and behold:
[..]
Currently loaded kernel modules (kldstat(8)):
fdescfs.ko
[..]
Bootloader settings
The /boot/loader.conf has the following contents:
comconsole_speed="115200"
hw.usb.no_pf="1"
autoboot_delay="3"
[..]

Something's missing there. Adjusted loader.conf with vi:

root@fw:~ # cat /boot/loader.conf
coretemp_load="YES"
[..]

Then a reboot.

Now:
root@fw:~ # sysctl -a | grep temperature
hw.acpi.thermal.tz0.temperature: 40.0C
dev.cpu.1.temperature: 23.0C
dev.cpu.0.temperature: 23.0C

Aahh... CPU temperatures!
And the dashboard now shows between 22° and 23°C instead of 40°C. AFAIR the Atoms' temperature readout is pretty inaccurate anyway, but now at least I have a rough idea how warm the CPU is.

Conclusion:
- Please please put wget in.. :D I hate curl (since I always forget -O...)
- Please include sysinfo & dmidecode too, both simply give the best complete overview of the hardware and the system, surely also handy for debugging.
- Somehow the installer should detect that a newer CPU is running and automatically load the coretemp module? I'm no FreeBSD expert, but how does vanilla FreeBSD handle that?
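An added example, not from the post above: an idempotent way to put coretemp_load="YES" (or any other key) into a loader.conf, so a provisioning script can run it again and again without duplicating lines, plus a reader to verify the result. On FreeBSD, sysrc -f /boot/loader.conf coretemp_load=YES does the same job; the version here is portable shell. The file it is exercised on is a constructed temporary file with the three lines quoted in the post, not a real /boot/loader.conf.

```sh
#!/bin/sh
# Added example (not from the post). loader_get FILE KEY: print KEY's value
# with the quotes stripped; prints nothing if KEY is absent. The last occurrence
# wins, which is also how the loader reads the file.
loader_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# loader_set FILE KEY VALUE: make sure FILE contains KEY="VALUE" exactly once.
# An existing line is rewritten in place (comments and ordering survive);
# otherwise the line is appended. The result goes through a temp file and mv,
# so a crash halfway through never leaves a truncated loader.conf behind,
# which would stop the box from booting.
loader_set() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file" 2>/dev/null; then
        sed "s/^$key=.*/$key=\"$value\"/" "$file" > "$tmp"
    else
        { cat "$file" 2>/dev/null; printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}
```

Usage on the real file: `loader_set /boot/loader.conf coretemp_load YES`, then `loader_get /boot/loader.conf coretemp_load` should print YES. Until the next reboot the module can be loaded by hand with `kldload coretemp`, and `kldstat -m coretemp` shows whether it is in the kernel.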
#11
Development and Code Review / SNMP
February 24, 2016, 08:17:38 PM
Hi,
fyi: there are still some remnants of pfSense left in the SNMP stuff. I see things like "pfSense Packet Disposition", "pfSense State Table Entries", "pfSense State Table Operations", "pfSense Source Node Count" and "pfSense Source Node Operations" when collecting data with openNSM. I guess no one used it? ^^
#12
German - Deutsch / Crash reporter empty
January 29, 2016, 10:45:40 AM
Hi!
Since yesterday's update the little box tells me that a problem has occurred. But the crash reporter page (/crash_reporter.php) is unfortunately completely empty..
The usual Unix logs under /var/log show nothing that would help me - where do I find what?
#13
German - Deutsch / kern.maxfiles
October 10, 2015, 08:13:23 PM
Excerpt from system.log, or rather the end of it..

Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: accept failed: Too many open files
Oct  7 13:37:51 gateway ftp-proxy[50432]: CLO???

After that (3 days..) nothing more.

root@gateway:~ # sysctl -a kern.maxfiles
kern.maxfiles: 31434

Hmmm.. I do have a few things running (proxy, captive portal etc.), but 31k doesn't seem to be enough. Either that's a bug(?) or with

root@gateway:~ # sysctl -w kern.maxfiles=250000
kern.maxfiles: 31434 -> 250000

I'm on the safer side for now, we'll see. Anyone with similar experiences? For now I've made a new entry in the System tunables.
#14
German - Deutsch / Drop local multicast?
August 23, 2015, 10:54:26 AM
Hi.
A question: why does opnsense actually log all the multicast junk for the *local* subnet? Or have I overlooked something? I mean mainly UDP and IGMP packets to 224.0.0.1, .251, .252 etc. as well as LAN.255 and 255.255.255.255?
Sure, it's nice to see what's hopping around the network, but *local* broadcasts shouldn't trigger a packet filter at all, since they are only meant for the local network and are not supposed to be routed anyway. So why put them in the log? The same would apply to ffx2::/16 and possibly ffx5::/16 etc. (link-local and site-local).
Whether e.g. a Zeroconf daemon is listening on the router and processes these packets regularly or not doesn't really matter, because these packets are normal local traffic and should simply be ignored by the router, even if it has no use for them itself. As it is, they just clutter up the log.
#15
Hi.

IPsec connection with 1 tunnel is active and is correctly shown as active under status/ipsec. The widget shows 0 (of 2) tunnels active. Anyone else? The widget showed an active tunnel *once*, right after adding it to the index page. After editing IPsec connections etc. the widget stays at zero active, but shows the correct number of possible tunnels.