Cisco Aironet 1242 and the Nest Learning Thermostat

I've been having issues with the Nest reporting 'Offline' every hour or so within the app. The thermostat would come back 'Online' if I deliberately moved in front of it or otherwise woke it up. I realized this issue must be related to the device sleeping to conserve power. I use a Cisco Aironet 1242 WAP for my home wireless and decided to dig into its configuration. After many failed debugging and configuration attempts, I think the issue has finally been solved by adding the following configuration item:

beacon dtim-period 3

I also set the speeds to 802.11g standards and the activity-timeout to 600.

speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

dot11 activity-timeout unknown default 600

dot11 activity-timeout client default 600 maximum 600

The DTIM period is how often a wireless client in power save mode should wake and check whether the access point has buffered data for it. The Cisco default is 2, which tells the client to check after every other beacon. Increasing this value to 3 seems to work the best with the Nest; a larger value lets the client sleep longer between checks, at the cost of slightly more delay before buffered traffic is delivered.


Bind Query Logging to Splunk from pfSense

I wanted to add a secondary DNS server (NS2) to my home network as a backup to the primary DNS server (NS1), to provide redundancy in case there is a connectivity issue with the primary (NS1). I went ahead and installed the Bind package on my pfSense gateway via the web GUI and configured it as a Slave server. You need to configure a 'View' on the Bind server for zone transfers or look-ups to work.

[Image: View settings. A simple, get-it-to-work setup]

After configuring a View and a new Zone, zone transfers from my primary DNS server started to work along with queries. At this point, and after a minor tweak to the DHCP server, I had accomplished what I needed.

Then I thought I'd take it a step further. I'm already logging queries from NS1 to Splunk, so why not log NS2 queries as well? This way I can monitor when NS2 is being used and which devices are making queries. Logging on pfSense is done simply with syslogd and is not very configurable via the web GUI. I needed to get creative with how I set up Bind logging, since pfSense is already sending firewall events to Splunk over standard UDP 514 (that is another blog post in itself).

There are two major issues I needed to overcome to make this work. First, I needed to get syslogd working inside the Bind (named) jail that pfSense creates. This was as simple as adding '-l /cf/named/var/run/log' to syslogd_flags in /etc/defaults/rc.conf. On FreeBSD, '-l' specifies where syslogd should create additional log sockets, which is required when a chrooted process such as named needs to reach syslogd, since it cannot see the default /var/run/log socket from inside the jail.

syslogd_flags="-s -l /cf/named/var/run/log" # Flags to syslogd (if enabled).

Second, Bind needed to be configured to log via syslog, but because the pfSense web GUI is responsible for generating named.conf, editing this file via the command line is not recommended. The Bind settings screen allows additional custom Options to be inserted into the options section of the configuration file. By adding a "};" before the logging stanza, you essentially close the Options stanza and can then insert a Logging stanza or any other configuration. The web GUI will add the final closing "};", which is why it's omitted from the screenshot below.


To complete the setup, I added an entry to syslog.conf to pass all local6 log entries to the Splunk server.


Updating Splunk DHCP App MAC Address List


UPDATE: I discovered that the IEEE OUI list is much more comprehensive. I've updated the script to parse this file instead.

I've been using Splunk to monitor my DHCP server with the Linux DHCP app for some time now. It provides good insight into the devices connecting to my network and how often IP addresses are being requested. The one issue I noticed with the app was the short list of MAC OUIs (Organizationally Unique Identifier, the first 24 bits of a MAC address). The app uses a CSV file of MAC address prefixes and the assigned organization, but this file is not comprehensive and is missing many manufacturers. This causes some inaccurate graphs when using the app.

I wrote a Python script to take the IEEE manufacturer database and convert it to the correctly formatted CSV file for Linux DHCP. The script outputs dhcpd_mac-vendorname.csv which can be placed in $SPLUNKHOME/etc/apps/dhcpd/lookups for use by the Splunk app.

You can grab the Python script from GitHub.
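The conversion described above, as an added example rather than the script from the post: it parses the "(hex)" lines of the IEEE oui.txt layout into a lookup table, renders it as CSV, and resolves a full MAC from a dhcpd log line to its vendor. The sample oui.txt content is constructed, and the CSV column names 'mac' and 'vendorname' are an assumption, since the Splunk dhcpd app's real header is not shown here.

```python
import csv
import io
import re

# Constructed sample in the layout of the IEEE oui.txt file: only "(hex)" lines
# carry the OUI and organization; "(base 16)" and address lines are skipped.
SAMPLE_OUI_TXT = """\
00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
\t\t\t\t170 West Tasman Drive
\t\t\t\tUS

18-B4-30   (hex)\t\tNest Labs Inc.
18B430     (base 16)\t\tNest Labs Inc.
\t\t\t\tUS
"""

HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def oui_prefix(mac):
    """Normalize 00:00:0c, 00-00-0C or 0000.0caa.bbcc to a lowercase,
    colon-separated 24-bit OUI, the key used in the CSV (an assumed format)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) < 6:
        raise ValueError("not a MAC address or OUI: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def parse_oui(text):
    """Return {oui: organization} from oui.txt content."""
    vendors = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            vendors[oui_prefix("".join(m.group(1, 2, 3)))] = m.group(4)
    return vendors


def to_csv(vendors):
    """Render the table as CSV with the assumed 'mac,vendorname' header."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["mac", "vendorname"])
    for oui in sorted(vendors):
        writer.writerow([oui, vendors[oui]])
    return buf.getvalue()


def vendor_for(vendors, mac):
    """Resolve a full MAC from a dhcpd log line to its vendor, or 'unknown'."""
    return vendors.get(oui_prefix(mac), "unknown")
```

Write to_csv(parse_oui(open("oui.txt").read())) to dhcpd_mac-vendorname.csv to produce the lookup file.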