 
 From:  Chris Taylor <chris at x dash bb dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Monitoring m0n0wall boxes
 Date:  Mon, 23 Jan 2006 03:23:33 +0000
Mark Wass wrote:
> Could you please elaborate a little more on what you had to do on the 
> monowall boxes to be able to do an SNMPWALK from a remote machine over 
> the IPSEC tunnel?
> 
Setup is:

    My m0n0wall                    Remote m0n0wall (one of)
LAN: 192.168.0.1/24 ---- IPSec ---- LAN: 192.168.8.5/24
      |
      |
Logs/Graphing Server
192.168.0.2/24

The IPSec tunnels are set up as normal, nothing special involved at 
either end.

At the remote end, Logging to a Syslog server is turned on and sent to 
192.168.0.2. The relevant bits of my Syslog-ng conf are:

source net { udp(); };

destination hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
         owner(root) group(root) perm(0600) dir_perm(0700)
         create_dirs(yes));
};

log {
    source(net);
    destination(hosts);
};


SNMP is enabled on a private community. This is used by ifgraph, where 
you just set the IP and community name. One of ifgraph's supplied 
scripts allows you to test the remote SNMP host and this gives you the 
interface numbers for the config file.

With the 1.20 release, I had to use static routes at both ends for this 
to work. It's mentioned in one of the FAQs but it took me a while to 
work out :)

At my end:
IF: LAN, Dest: 192.168.8.4/31, GW: 192.168.0.1

Remote end:
IF: LAN, Dest: 192.168.0.2/31, GW: 192.168.8.5

With 1.21 a checkbox was added to the services_snmp.php page:
Bind to LAN interface only
This option can be useful when trying to access the SNMP agent by the 
LAN interface's IP address through a VPN tunnel terminated on the WAN 
interface.

Tick that and you can dump the static routes. Thanks to whoever added 
that little box and the magic behind it :)

I have no trouble with reliability and VPN links are often up for weeks 
on end. If anyone has any thoughts on what to do with the logs, I'd like 
to hear them.

Cheers,
Chris

> Chris Taylor wrote:
>
>> Hi,
>>
>> I'm responsible for several m0n0walls installed at remote locations. 
>> I have set each of them up to use SNMP and to send syslog messages to a 
>> machine at my main site.
>>
>> At the main site, I use ifgraph/rrdtool to produce bandwidth graphs 
>> for all of the other m0n0 boxes. This provides a very easy-to-use method 
>> of connection monitoring - you can see how long the link went down for 
>> and when.
>>
>> This is all done via IPSec VPN between the m0n0walls - so all the 
>> SNMP/log traffic is encrypted. If the link is dropped, m0n0 will try to 
>> reestablish it.
>>
>> Works quite nicely IMO, I'm looking for ways to improve it though :)
>>
>> Chris Taylor
>>
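The syslog-ng destination quoted in the post files each message by sending host, date and facility. The following is an added example, not code from the post or from the m0n0wall or syslog-ng projects: a small Python receiver-side routine that parses BSD-style syslog lines as a FreeBSD-based m0n0wall emits them, drops anything that did not arrive from the remote LAN behind the tunnel, and writes the line to the same path the syslog-ng template would produce, with the same 0700/0600 permissions. Assumptions: the log root is a parameter rather than the fixed /var/log; the year is taken from the receive time because the BSD header carries none; facility names 12-15 follow syslog-ng's naming convention; the allowed-sender network and the sample log lines are constructed from the addresses in the post.

```python
"""Added example (not part of the mailing-list post): file syslog lines the
way the quoted syslog-ng config does and reject unexpected senders."""
import ipaddress
import os
import re
from datetime import datetime
from pathlib import Path
from typing import Optional, Tuple

# Facility numbers 0-23 mapped to the names syslog-ng emits for $FACILITY.
# 0-11 and 16-23 are the RFC 3164 names; 12-15 are assumed to follow
# syslog-ng's naming (check your version's macro docs if they matter).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# BSD syslog line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Only the remote LAN reachable through the IPsec tunnel may log here.
# Network taken from the post's diagram; constructed configuration value.
ALLOWED_SENDERS = [ipaddress.ip_network("192.168.8.0/24")]


def parse_syslog(line: str, received: datetime) -> Optional[Tuple[str, str, datetime, str]]:
    """Return (host, facility_name, timestamp, msg), or None if the line is
    malformed. The year comes from the receive time (assumption: the BSD
    header has no year field)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # valid PRI is facility (0-23) * 8 + severity (0-7)
        return None
    facility = FACILITY_NAMES[pri // 8]
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    try:
        ts = datetime(received.year, MONTHS[m.group("mon")],
                      int(m.group("day")), hh, mm, ss)
    except ValueError:  # e.g. "Feb 30" or an out-of-range time
        return None
    return m.group("host"), facility, ts, m.group("msg")


def log_path(root: Path, host: str, facility: str, ts: datetime) -> Path:
    """Mirror the template HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY."""
    y, mo, d = f"{ts.year:04d}", f"{ts.month:02d}", f"{ts.day:02d}"
    return root / "HOSTS" / host / y / mo / d / f"{facility}{y}{mo}{d}"


def store(root: Path, sender_ip: str, line: str, received: datetime) -> Optional[Path]:
    """Discard lines from hosts outside the tunnel LAN, then append the
    message under the per-host/per-day file, creating directories 0700
    (dir_perm) and the file 0600 (perm) like the syslog-ng destination."""
    src = ipaddress.ip_address(sender_ip)
    if not any(src in net for net in ALLOWED_SENDERS):
        return None
    parsed = parse_syslog(line, received)
    if parsed is None:
        return None
    host, facility, ts, msg = parsed
    path = log_path(root, host, facility, ts)
    # Create each directory level explicitly so every one gets mode 0700
    # (Path.mkdir(parents=True) ignores mode for intermediate directories).
    d = root
    for part in path.parent.relative_to(root).parts:
        d = d / part
        d.mkdir(mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(f"{ts.isoformat()} {host} {msg}\n")
    return path


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    now = datetime(2006, 1, 23, 3, 23, 33)
    # Constructed sample line: facility daemon (3), severity info (6) -> PRI 30
    sample = "<30>Jan 23 03:10:05 m0n0-remote racoon: INFO: IPsec-SA established"
    print(store(root, "192.168.8.5", sample, now))      # filed under daemon20060123
    print(store(root, "10.0.0.9", sample, now))         # None: not a tunnel peer
```

The sender check is the part a syslog-ng `udp()` source does not do for you: with the tunnel terminated on the WAN interface, anything that can reach UDP/514 on the logging host could otherwise write into the HOSTS tree under whatever hostname it puts in the header, so restricting sources (here, or with a firewall rule on the LAN interface) keeps the per-host directories trustworthy.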