Linksys Router

Warning some of this page is now out of date-I no longer have access to a router running dd-wrt to check this, but am told that it is out of date, and to check the dd-wrt wiki for info. Sorry if I have mislead anyone

After getting back to Bradford after my Christmas hols, the internet was being realy slow. Some of this was down to p2p trafic from my housemates that had returned, but, after extensive tests, we figured that the old linksys router (which is over 5 years old) was dying-the internal interface was fine, but with no load other than ping, it was dropping 5% of packets!
I got a new linksys WRT54gs, and set about configuring it. After a bit of teathing problems and searching, I found dd-wrt a useful firmware, which still has a gui. Because of issues with large flash sizes, I'm still on the minimal package selection, rather than upgrading to the full sized version.
As a fairly default install, it worked fine initialy, but after about 30 min, problems started. Pings to the router were timing out! It was at that point I went and found the settings to change the maximum connections, as the torents that were being run easily reached the 512 max connections default.
To do this:

1. login to web interface
2. Administration -> management
3. scoll to IP Filter settings
4. change value of "maximum ports" To maximum

This solved the slow internal trafic, but some of the clients till had a lot of connections-at one point, a single machine apparently had well over 1000 open simultaneously! A bit more searching, and I found some info about lots of connections on linksys routers
This provided this code:
~ # nvram set rc_startup=" echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo '600 1800 120 60 120 120 10 60 30 120' > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts"
~ # nvram commit
~ # reboot

So I logged onto the router and ran the above code provided and it was a lot better-no machine had more than a few hundred connections.
Wanting to optimise the connection a little more, I also limited the tcp and udp timeouts to 90s. This is set in the same place as the total number of connections.
To Do:

• Get SNMP working SNMP is now running, and monitoring via cacti, with not too much reconfiguring. Also have ntop cacti monitoring stuff-it provides more detail on ip addresses, and pretty graphs
• Get a limit to connections per IP going

Cacti and Rflow(netflow)

I first came accross cacti while at hcjb, but never actualy played with it till I wanted to try graphing the network here. It basicly draws graphs, based on data in a database, stored in a round robin database (rrd) file. It has the interfaces for you to be able to script the input to them in any format-from snmp traps, or via shell scripts, or even to look at pre-made files, and display the values within.
However, to get the most usefull info about most peoples usage, I needed to look at the data at a packet level for where data is going. DD-WRT has Rflow, which is based on cisco's netflow, providing via UDP information on where packets on the selected interface are going. I wanted to read this into cacti, and had no way of handling. Searching the web I found this howto on netflow and rrdtool which gives a good step by step guide to setting up CUGrapher, a different, perl based rrd graph tool. I followed the instructions for this, up to the point of using CUGrapher.pl, and instead plugged the data into cacti, getting it to read the rrd files.

Netflow config

The howto uses the CUFlow module to analyse the netflow, so using that, I set up "networks" for each of the hosts on the network, so I could get some idea of the traffic flowing to and from them. We run on the 172.25.1.0/24 network/mask, but to get just the trafic for one person, I used a /32 netmask, which provides the required limits
Router 172.25.1.1 router
Network 172.25.1.1##/32 Sam
Network 172.25.1.1##/32 Zorro
Network 172.25.1.1##/32 David
Network 172.25.1.1##/32 Magneto
Network 172.25.1.1##/32,172.25.1.1##/32 Jon-desktop
Network 172.25.1.1##/32 Jon-laptop
Network 172.25.1.1##/32,172.25.1.1##/32 Jaws
Network 172.25.1.1##/32 Rich

Replace ## with the ip address, and name appropriately. With the examples above of Jaws and Jon-desktop, they both have 2 potential IP addresses, so it is set to look at traffic to both.
With this in place, all that now needs to be done is start the netflow dump, and flow-scan, that reads these dumps into rrd files. I now load the data in the rrd files into cacti...

Cacti Stuff

Cacti will read the rrd file, but the problem is, the data in them isnt formated the way that cacti expects. When it creates rrd's from snmp data, it saves incoming data as "traffic_in" and outgoing as "traffic_out". The netflow data, on the other hand is stored as "in_bytes" and "out_bytes", so copying the template for "Interface - Traffic" in cacti, I made "Netflow data" and proceded to enter the data sources for the pc's I had configured in netflow. After about 10 minutes the shape of the graph could begin to be made out
images to follow shortly

To do with cacti

• Count of connections per ip address Some of my housemates have sometimes got torrents and suchlike running, resulting in huge numbers of connections. I want to be able to have some sort of graph of this to show roughly who has a lot going.
  Using the command sed -n 's%.* src=\(172.25.[0-9.]*\).*%\1%p' /proc/net/ip_conntrack | sort | uniq -c > outgoing.count being run by a cron job (I chickened out of editing the nvram to keep it there, and instead added it to the IPv6 startup script) I could dump every 5 mins the number of connections open, counted up for each IP address. This is then read by a perl script count.pl #!/usr/bin/perl
$incomming = `cat /shared/router/incomming.count | grep -w "$ARGV[0]"`;
$incomming =~ s/($ARGV[0])//;
print "$incomming";
This outputs 1 ip address, based on the input to the command.
  With this potential data source, I then set up data templates to read this, and the data is stored to an rrd, and drawn on a graph. Unfortunatly this is a snapshot at the 5min mark, not the average across 5 min, so isn't entirely accurate, but it gives a suggestion to what is happening.
• Build my own set of scripts to read netflow data, and convert it into rrd files within cacti This has info on the work in progress page