
Monitoring Web Usage with Asuswrt-Merlin


Hello Again
Being out of ideas, I wanted to verify if by any chance there was a difference for webmon in John's fork or Merlin's firmware.
So I installed the latest Merlin firmware on my RT-N66U, did a factory reset and an NVRAM restore with John's script and.... webmon is still not working ... nothing comes out of /proc/webmon_recent_domains.
I really have no idea what could be wrong, because other people use WebMon on the RT-N66U, so it must be something related to my configuration, but I have no idea what it could be.

I even tried resetting the Merlin FW to its default NVRAM values and then just manually configuring a basic WAN connection (so no JFFS at all, to be sure that no other configuration or tool was running).
Then I manually launched every command webmon needs.. and the result is still the same.. the webmon files are present and up to date under /proc but nothing comes out of them.

Thanks in advance for any hint about what I could do

BR
ocraM
 
Did you turn off "NAT Acceleration"? You need to turn it off and save, then reboot before turning on webmon.
 
Hello
Thanks for your feedback
Yes, NAT acceleration has been off for a long time because I enabled "Per IP Monitoring", and it has worked fine for many months.
Thanks a lot anyway for your help

BR
ocraM
 
Two thoughts.....

What is the result of
nvram get wan0_ifname

Second....are you running dual stack? What happens if you disable IPv6?
 

Hello, name is regular eth0

Code:
admin@RT-N66U:/tmp/home/root# nvram get wan0_ifname
eth0

Not sure if by dual stack you mean dual WAN.. if so.. it is currently disabled. (It was enabled a long time ago just to test switching to a 3G modem as failover.)

IPv6 is DISABLED, but on the same config page I see Enable Router Advertisement and Enable DHCPv6 Server both as ENABLED

Thanks a lot for your help


ocraM

P.S I switched back to 3.0.0.4.374.43_2-08j9527 because I need wifi features of that fork and nothing changed regarding webmon using Merlin fw.
 
By dual stack I meant IPv6+IPv4. This won't capture IPv6 traffic.....but, cross that off.
 
@john9527 and @ocram59 --
Most of this discussion is beyond my understanding... But I do see a couple differences in the iptables rules that ocram59 posted, versus the rules that are working for me (also N66u, Rmerlin 378.51). I don't know if this is significant, so I'll just throw it out here for your analysis.

What I have for webmon in iptables --list:
Code:
Chain web_monitor (1 references)
target  prot opt source  destination
        tcp  --  anywhere  anywhere  WEBMON --max_domains 2000 --max_searches 2000

What ocram59 posted as having for webmon in iptables --list (different chain name, and extra line starting with "LOG"):
Code:
Chain monitor (1 references)
target  prot opt source  destination
LOG    all  --  anywhere  anywhere  state NEW LOG level info prefix `webmon'
       tcp  --  anywhere  anywhere  WEBMON --max_domains 2000 --max_searches 2000

What does that "LOG" line do, and could it have anything to do with the problem?
 
Hello
Thanks, it is really the best thing we could do, to compare a working setup with mine

The chain name is different because I followed John's "how to" in his fork release
The extra LOG line comes from an attempt to log webmon entries in the system log
I got it from a post in this thread and I tried to see if by any chance it made a difference

Now I will try again to set the chain name up like yours and I will remove the extra LOG iptables entry to see if after a new full reset I can get it working


Thanks a lot
ocraM
 
I probably shouldn't have made the name change (I changed it in the instructions with my fork to be consistent with tomato, just in case I backport something from them in the future). Just make sure it's consistent....either all 'monitor' or all 'web_monitor'.
 
I will try it as soon as possible, anyway the name seems to be consistent (maybe you remember we talked about that in the other thread)

Here are my firewall-start lines for webmon.. (without the extra log line that I added manually)

Code:
if [ -z "$(iptables -n -L FORWARD | grep 'monitor')" ]; then
  modprobe ipt_webmon
  iptables -t filter -N monitor
  iptables -t filter -I FORWARD -o eth0 -j monitor
  iptables -A monitor -p tcp -m webmon --max_domains 2000 --max_searches 2000
fi
I will try again with both names and see if it makes any difference

Thanks
 

I changed the chain name in the following way:

Code:
#Setup WebMon
if [ -z "$(iptables -n -L FORWARD | grep 'web_monitor')" ]; then
  modprobe ipt_webmon
  iptables -t filter -N web_monitor
  iptables -t filter -I FORWARD -o eth0 -j web_monitor
  iptables -A web_monitor -p tcp -m webmon --max_domains 2000 --max_searches 2000
fi

Still not working :-(

Current IP Tables --list
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:51413
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:51413
ACCEPT     tcp  --  192.168.50.0/24      anywhere            tcp dpt:ftp
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
logdrop    all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination        
web_monitor  all  --  anywhere             anywhere           
ipttolan   all  --  anywhere             anywhere           
iptfromlan  all  --  anywhere             anywhere           
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere           
logdrop    all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
DROP       icmp --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FUPNP (0 references)
target     prot opt source               destination        

Chain PControls (0 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           

Chain iptfromlan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere           

Chain logdrop (5 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere           

Chain web_monitor (1 references)
target     prot opt source               destination        
           tcp  --  anywhere             anywhere            WEBMON --max_domains 2000 --max_searches 2000
admin@RT-N66U:/jffs/scripts#
 
Let's see if this makes a difference.

try changing the last line from

iptables -A web_monitor -p tcp....
to
iptables -I web_monitor -p tcp...
 

I changed it:

Code:
#Setup WebMon
if [ -z "$(iptables -n -L FORWARD | grep 'monitor')" ]; then
  modprobe ipt_webmon
  iptables -t filter -N web_monitor
  iptables -t filter -I FORWARD -o eth0 -j web_monitor
  iptables -I web_monitor -p tcp -m webmon --max_domains 2000 --max_searches 2000
fi

Here the resulting iptables --list
Code:
admin@RT-N66U:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination    
ACCEPT     all  --  anywhere             anywhere       
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     all  --  anywhere             anywhere       
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:51413
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:51413
ACCEPT     tcp  --  192.168.50.0/24      anywhere            tcp dpt:ftp
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
logdrop    all  --  anywhere             anywhere       

Chain FORWARD (policy DROP)
target     prot opt source               destination    
web_monitor  all  --  anywhere             anywhere       
ipttolan   all  --  anywhere             anywhere       
iptfromlan  all  --  anywhere             anywhere       
ACCEPT     all  --  anywhere             anywhere       
ACCEPT     all  --  anywhere             anywhere       
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere       
logdrop    all  --  anywhere             anywhere       
ACCEPT     all  --  anywhere             anywhere       
DROP       icmp --  anywhere             anywhere       
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
ACCEPT     all  --  anywhere             anywhere       

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

Chain FUPNP (0 references)
target     prot opt source               destination    

Chain PControls (0 references)
target     prot opt source               destination    
ACCEPT     all  --  anywhere             anywhere       

Chain iptfromlan (1 references)
target     prot opt source               destination    
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination    
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination    
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere       

Chain logdrop (5 references)
target     prot opt source               destination    
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere       

Chain web_monitor (1 references)
target     prot opt source               destination    
           tcp  --  anywhere             anywhere            WEBMON --max_domains 2000 --max_searches 2000
admin@RT-N66U:/tmp/home/root#


Still nothing after some minutes and many web accesses from the main client

Code:
admin@RT-N66U:/tmp/home/root# cat /proc/webmon_recent_domains
admin@RT-N66U:/tmp/home/root#

I am not an iptables "expert" but I wonder why -A and -I did not change the web_monitor position in FORWARD chain



P.S Upgraded to 3.0.0.4_374.43_2-10j9527 right now
 
Hello
Thanks for your feedback
Yes, NAT acceleration has been off for a long time because I enabled "Per IP Monitoring", and it has worked fine for many months.
Thanks a lot anyway for your help

BR
ocraM
Thanks a lot for your help.. very appreciated.

One way or another we will find the reason :)
Sorry I can't help more. Having NAT Acceleration turned off fixed the problem for me.
 
Yes, NAT acceleration has been off for a long time because I enabled "Per IP Monitoring", and it has worked fine for many months.

What happens if you turn off 'Per IP Monitoring'? Then make sure NAT Acceleration is also disabled.
 
Hello
A little progress here and an interesting case to study:

In my normal setup I have eth0 with my WAN IP
I also have eth0:0 configured with an IP outside my LAN range and used only to access the modem.
Needless to say, I already tried removing this configuration and nothing changed for webmon.

But here is the interesting thing: if I browse towards the modem UI (located at 192.168.1.1 whilst my LAN is on 192.168.50.0/24) then... webmon correctly logs this domain !!!

Here is my current ifconfig for eth0

Code:
eth0       Link encap:Ethernet  HWaddr 50:xx:xx:xx:xx:xx
           inet addr:169.xxx.xxx.xxx  Bcast:169.xxx.xxx.xxx  Mask:255.255.0.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:12061 errors:0 dropped:0 overruns:0 frame:0
           TX packets:12353 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:3980151 (3.7 MiB)  TX bytes:4103795 (3.9 MiB)
           Interrupt:4 Base address:0x2000

eth0:0     Link encap:Ethernet  HWaddr 50:xx:xx:xx:xx:xx
           inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           Interrupt:4 Base address:0x2000

and here is webmon tracing the access from my PC IP to the modem UI
Code:
1427071588      192.168.50.2    192.168.1.1

So we have evidence that webmon is working and a hint that normal web traffic is not monitored because of some conflict in iptables.
I will continue to investigate
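
The firewall-start rule posted in this thread jumps to the webmon chain only for packets leaving via eth0 (`-o eth0`), and the post above reports that only traffic to the modem on eth0:0 gets logged. As an added example (not part of the thread), this script compares the out-interface of that jump with the interface of the default route; the sample route table and counters are constructed, ppp0 is a placeholder interface chosen for illustration, and `ip` is assumed to be available on the router.

```shell
#!/bin/sh
# Added example, not from the thread: does the FORWARD jump into the webmon
# chain match the interface that routed web traffic actually leaves through?

# Print the interface of the default route, given `ip route show` text on stdin.
default_route_if() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Print "<out-if> <pkts>" for each FORWARD rule that jumps to chain $1,
# given `iptables -L FORWARD -v -n` text on stdin.
# Columns: pkts bytes target prot opt in out source destination
webmon_jump_rules() {
    awk -v chain="$1" '$3 == chain { print $7, $1 }'
}

# check_webmon_egress CHAIN ROUTE_TEXT RULES_TEXT
# Prints one verdict line; returns 0 only if a jump rule covers the default route.
check_webmon_egress() {
    chain=$1
    wan_if=$(printf '%s\n' "$2" | default_route_if)
    rules=$(printf '%s\n' "$3" | webmon_jump_rules "$chain")
    if [ -z "$wan_if" ]; then echo "no default route found"; return 2; fi
    if [ -z "$rules" ]; then echo "no FORWARD jump to $chain"; return 2; fi
    # "*" in the out column means the rule has no -o restriction.
    if printf '%s\n' "$rules" |
        awk -v w="$wan_if" '$1 == w || $1 == "*" { ok = 1 } END { exit !ok }'; then
        echo "ok: $chain sees traffic leaving via $wan_if"
        return 0
    fi
    rule_if=$(printf '%s\n' "$rules" | awk 'NR == 1 { print $1 }')
    echo "mismatch: $chain only sees -o $rule_if, default route uses $wan_if"
    return 1
}

# Constructed sample input (not output from the router in this thread).
SAMPLE_ROUTE='192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
default via 203.0.113.1 dev ppp0'

SAMPLE_RULES='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 web_monitor  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 9831  812K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

check_webmon_egress web_monitor "$SAMPLE_ROUTE" "$SAMPLE_RULES" || true

# On the router, feed it live data instead:
#   check_webmon_egress web_monitor "$(ip route show)" "$(iptables -L FORWARD -v -n)"
```

The pkts value printed by `webmon_jump_rules` is the rule's hit counter, so a counter that stays flat while clients browse also shows that forwarded web traffic never reaches the chain.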
 
What happens if you turn off 'Per IP Monitoring'? Then make sure NAT Acceleration is also disabled.
Hi
unfortunately nothing changes for webmon.
I tried it right now after disabling per ip monitoring and rebooting the router
I checked NAT acceleration before and after reboot and it was disabled
 
I have the same configuration for my modem....here's my ifconfig (you should clear your mac and ip address in your post)
Code:
eth0  Link encap:Ethernet  HWaddr D8:XX:XX:XX:XX:XX
  inet addr:68.xxx.xxx.xxx  Bcast:68.xxx.xxx.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1559700 errors:0 dropped:0 overruns:0 frame:0
  TX packets:952553 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:703689198 (671.0 MiB)  TX bytes:647184768 (617.2 MiB)
  Interrupt:179 Base address:0x4000
eth0:0  Link encap:Ethernet  HWaddr D8:XX:XX:XX:XX:XX
  inet addr:192.168.100.2  Bcast:192.168.100.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  Interrupt:179 Base address:0x4000

The only thing interesting in your ifconfig is that your eth0 address is in 169 subnet.....I wonder if it treats those differently????
 

Thanks for your hint (silly of me .... :) )
Good that we have the same configuration for eth0
And for you, does webmon track any kind of web access to both "LANs" (eth0 and eth0:0)?
 
