Monitoring the number of Ubiquiti sector clients by SSH from Zabbix

As a test, I’ll give an example of getting the number of clients connected to an ordinary Ubiquiti AirMax Rocket M5 sector antenna.
We will receive the data via SSH.

First, connect to the device once as the zabbix user to test (on the first connection, type yes and press Enter to accept the host key):

sudo -u zabbix ssh -p 22 admin@192.168.0.55

Now in Zabbix, add an item to the template or host, for example to a template named “Template Ubiquiti Rocket M5 Sector”:

Name: any
Type: SSH agent
Key: ssh.run[clients,,22,utf8]
Authentication method: Password
Username: NAME
Password: PASSWORD
Executed script: the command executed on the device (see below)

Example of a command that displays the number of connected clients:

wstalist |grep "mac" |wc -l

Accordingly, create a graph for the item, as well as a trigger:

Name: On the sector antenna {HOST.NAME} > 40 clients
Expression: {Template Ubiquiti Rocket M5 Sector:ssh.run[clients,,22,utf8].last(#1)}>40

See also:
Configuring SSH checks in Zabbix

Configuring PIM on MikroTik

Here is an example of configuring PIM on two MikroTik routers:

Let us configure the first MikroTik.
Add a PIM interface and check it:

routing pim interface add
routing pim interface p

Add the IP address of RP (this MikroTik):

routing pim rp add address=IP-ADDRESS

Let’s specify from which IP multicast traffic is allowed:

routing pim interface set alternative-subnets=238.0.0.0/24,239.0.0.0/24

Let’s configure the second MikroTik.
Add a PIM interface on the uplink WAN port (ether1 in my case):

routing pim interface add interface=ether1
routing pim interface p

Add the IP address of the RP (the first MikroTik):

routing pim rp add address=IP-ADDRESS

Let’s specify the route to the multicast source (the first MikroTik):

ip route add 239.0.0.0/24 via IP-ADDRESS

Done.

Configuring the D-Link DES-3528 Switch

Today I configured another switch, a D-Link DES-3528.

I will lay out the configuration below and briefly describe it.
When typing commands, you can press the TAB key so that the switch offers completions, and after any command, followed by a space, you can type a question mark “?” to see the possible subcommands.

To view the current switch configuration, use the command:

show config current_config

Let’s get started.
Connect to the switch with a console cable at a speed of 9600, or via the standard IP address 10.90.90.90, and add the administrator account (initially you log in without a login and password):

create account admin admin

Enable password encryption so that the password is not stored in cleartext in the config file:

enable password encryption

Add VLANs for management and for users (I have VLAN 207, named core, for management and VLAN 226 for users; port 25 is used as the uplink):

create vlan core tag 207
config vlan core add tagged 25
create vlan local_smart tag 226
config vlan local_smart add untagged 1-28
config port_vlan 1-28 acceptable_frame admit_all pvid 226
config vlan default delete 1-28

Change the IP address of the switch and specify the gateway:

config ipif System ipaddress 192.168.0.50/24 vlan core
create iproute default 192.168.0.1 1 primary

Let’s enable the restriction of broadcast traffic on client ports:

config traffic control 1-24,26-28 broadcast enable action drop broadcast_threshold 100 countdown 0 time_interval 5

Enable loop protection on client ports:

enable loopdetect
config loopdetect recover_timer 300 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1-24,26-28 state enable
config loopdetect trap loop_detected

Enable traffic segmentation so that clients do not see each other:

config traffic_segmentation 1-24,26-28 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28

Enable blocking of DHCP servers on the client ports so that clients cannot hand out IP addresses:

config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable

Let’s specify which IPs are allowed to log on to the switch (so that users do not see it):

create trusted_host network 192.168.0.2/32 snmp telnet ssh http https ping
create trusted_host network 192.168.1.5/32 snmp telnet ssh http https ping

Set up SNMP if you need it:

enable snmp
delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community NAME view CommunityView read_only

Turn on the protection against BPDU flood:

enable bpdu_protection
config bpdu_protection recovery_timer 2400
config bpdu_protection log none
config bpdu_protection ports 1-24,26-28 state enable
config bpdu_protection ports 1-28 mode drop

Enable switch protection so that you can still reach the switch when the processor is fully loaded:

config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy

If necessary, configure the time synchronization with the NTP server:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 10.0.0.18 poll-interval 5000

This completes the basic configuration of the D-Link DES-3528 switch.

SNMP MIBs and OIDs for Ubiquiti PowerBeam 5AC

I wrote a template for Ubiquiti PowerBeam 5AC for Zabbix and explored several basic SNMP OIDs for which you need to draw graphs.
The OIDs were tested on devices configured in Station mode with firmware v7.1.4 (XC).

You can check the OIDs from Linux with a command, for example:

snmpwalk -v 1 -c public 192.168.1.20 .1

First of all, I looked at what interfaces there are (if you add a VLAN, etc. on the device, the interface indexes can shift):

snmpwalk -v 1 -c public 192.168.1.20 ifDescr

The following objects report incoming and outgoing traffic (I have LAN eth0 under index 4 and WLAN ath0 under index 10), for example for LAN traffic:

ifInOctets.4
ifOutOctets.4

Average CPU usage per 1min / 5min / 15min:

1.3.6.1.4.1.10002.1.1.1.4.2.1.3.1
1.3.6.1.4.1.10002.1.1.1.4.2.1.3.2
1.3.6.1.4.1.10002.1.1.1.4.2.1.3.3

TX and RX of the AP, in kilobytes, can be found at the following OIDs:

1.3.6.1.4.1.41112.1.4.7.1.17.1.4.24.214
1.3.6.1.4.1.41112.1.4.7.1.18.1.4.24.214

The noise level can be found at the OID:

1.3.6.1.4.1.41112.1.4.7.1.4.1.4.24.214

Signal strength: 1.3.6.1.4.1.41112.1.4.5.1.5.1
Frequency: 1.3.6.1.4.1.41112.1.4.1.1.4.1
SSID: 1.3.6.1.4.1.41112.1.4.5.1.2.1
Uptime: 1.3.6.1.2.1.1.3.0
Free memory: 1.3.6.1.4.1.10002.1.1.1.1.2.0
Total Memory: 1.3.6.1.4.1.10002.1.1.1.1.1.0
MAC address of the access point to which the device is connected: 1.3.6.1.4.1.41112.1.4.5.1.4.1
The IP address of the access point to which the device is connected: 1.3.6.1.4.1.41112.1.4.7.1.10.1.4.24.214.232.12.159
Antenna type: 1.3.6.1.4.1.41112.1.4.1.1.9.1

See also:
SNMP OID and MIB for interfaces

How to hard reset LG L80 Dual D380

I recently did a hard reset on the LG L80 Dual D380, as it was working slowly and the battery was discharging quickly.

I will describe the order of actions:
1) Turn off the phone.
2) Press and hold the volume down and power buttons. When the picture appears, keep holding the volume button, release the power button and press it again.
3) The reset menu appears. Use the volume buttons to select “YES” and confirm with the power button (“OK”). For the second question, likewise select “YES” and “OK”.

The phone will reboot, the user data will be cleared and the phone will be reset to the factory settings. You will have to wait a little, and it is done.

Configuring the D-Link DES-3028 Switch

Today I configured another switch, a D-Link DES-3028; the firmware was 2.94.B07.

So, connect the console cable to the switch and add the management VLAN (mine is 207; port 25 is the uplink):

create vlan core tag 207
config vlan core add tagged 25

Assign the switch IP address:

config ipif System vlan core ipaddress 192.168.1.2/24 state enable

Let’s specify the default route:

create iproute default 192.168.1.1 1

Add the admin account:

create account admin NAME

Add a client VLAN (I have it 226), specify PVID and remove the standard VLAN:

create vlan local_smart tag 226
config vlan local_smart add tagged 25
config vlan local_smart add untagged 1-24,26-28
disable gvrp
config gvrp 1-28 state disable ingress_checking enable acceptable_frame admit_all pvid 226
config vlan default delete 1-28

Let’s configure protection against broadcast flooding:

config traffic trap both
config traffic control 1-24,26-28 broadcast enable multicast disable unicast disable action drop threshold 64 countdown 5 time_interval 5

Let’s configure the loop protection:

enable loopdetect
config loopdetect recover_timer 3000
config loopdetect interval 10
config loopdetect trap none
config loopdetect port 1-24,26-28 state enabled
config loopdetect port 25 state disabled

Let’s configure traffic segmentation, if users on the same switch must not see each other:

config traffic_segmentation 1-24 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28

Set up the time zone and time synchronization:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 7000

Let’s specify from which IP addresses access to the web interface, telnet and SNMP of the switch is allowed:

create trusted_host 192.168.1.1
create trusted_host 192.168.5.20

Let’s configure protection from DoS:

disable dos_prevention trap_log
config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type smurf_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmascan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state disable

For the IP-MAC-Port Binding function, allow IP 0.0.0.0 (Windows uses it while trying to obtain an IP address):

config address_binding ip_mac ports 1-28 state disable allow_zeroip enable forward_dhcppkt enable

Configuring SNMP:

delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community TEXT view CommunityView read_write
create snmp community TEXT view CommunityView read_only
config snmp system_name TEXT
config snmp system_location TEXT
config snmp system_contact TEXT

Let’s configure protection from third-party DHCP servers:

config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server trap_log enable
config filter dhcp_server illegal_server_log_suppress_duration 30min

Protection from third-party DHCP servers can also be implemented through an ACL:

create access_profile ip udp src_port 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 1 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny

Configure protection against junk BPDUs:

config bpdu_protection ports 1-24,26-28 mode drop

Turn on the SAFEGUARD_ENGINE function, so that you can still reach the switch at 100% CPU utilization:

config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy

Fine-Tuning FDB:

config fdb aging_time 300
config multicast port_filtering_mode 1-28 filter_unregistered_groups
disable flood_fdb
config flood_fdb log disable trap disable

Other small settings:

config serial_port baud_rate 9600 auto_logout 10_minutes
enable password encryption
config terminal_line default
enable clipaging
disable command logging
enable password_recovery
enable syslog
config log_save_timing on_demand

Done.
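An added example, not part of the original posts or of D-Link's tooling: a small Python audit that checks a saved switch configuration against the protections set up in the two D-Link sections above (password encryption, no default SNMP communities, trusted_host, and per-port loop, DHCP, BPDU and segmentation protection on every client port). It assumes the saved config contains the commands in the same form as they are typed here, and that the legitimate DHCP server is reached through the uplink port; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in the DES-3528 style used above; port 28 is left out of the DHCP filter.
SAMPLE_CONFIG = """\
enable password encryption
create snmp community NAME view CommunityView read_only
create trusted_host network 192.168.0.2/32 snmp telnet ssh http https ping
config loopdetect ports 1-24,26-28 state enable
config filter dhcp_server ports 1-24,26-27 state enable
config bpdu_protection ports 1-24,26-28 state enable
config traffic_segmentation 1-24,26-28 forward_list 25
"""

# Protection -> regex (group 1 = port list); accepts DES-3528 and DES-3028 spellings.
PORT_RULES = {
    "loopdetect": r"config loopdetect ports? (\S+) state enabled?$",
    "dhcp_filter": r"config filter dhcp_server ports? (\S+) state enabled?$",
    "bpdu_protection": r"config bpdu_protection ports? (\S+) state enabled?$",
    "traffic_segmentation": r"config traffic_segmentation (\S+) forward_list \S+$",
}

def parse_ports(spec):
    """Expand a D-Link port list such as '1-24,26-28' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def audit(config, client_ports, uplink):
    """Return a list of findings; an empty list means every check passed."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "enable password encryption" not in lines:
        findings.append("password encryption is not enabled")
    if any(re.match(r"create snmp community (public|private)\b", l) for l in lines):
        findings.append("default SNMP community public/private is configured")
    if not any(l.startswith("create trusted_host") for l in lines):
        findings.append("management access is not limited by trusted_host")
    for name, pattern in PORT_RULES.items():
        covered = set()
        for m in filter(None, (re.match(pattern, l) for l in lines)):
            covered |= parse_ports(m.group(1))
        missing = sorted(client_ports - covered)
        if missing:
            findings.append(f"{name} not enabled on client ports {missing}")
        # Assumption: the legitimate DHCP server sits behind the uplink port.
        if name == "dhcp_filter" and uplink in covered:
            findings.append("dhcp_filter is enabled on the uplink port")
    return findings
```

Calling audit(SAMPLE_CONFIG, parse_ports("1-24,26-28"), uplink=25) reports the one gap built into the sample: the DHCP server filter does not cover client port 28.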