jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0

Unable to scan other subnets #257

Closed s33d1ing closed 1 year ago

s33d1ing commented 1 year ago

I have a Ubiquiti Dream Machine Pro with multiple networks (VLANs) set up but they are not isolated (i.e. devices on separate VLANs can ping each other). I set up Pi.Alert using a Host network on my Pi with IP address 172.27.10.30. The Pi can ping and nmap scan devices on 172.27.0.0 and 192.168.0.0 however Pi.Alert can only detect devices on 172.27.0.0, not on 192.168.0.0. I tried adding "--vlan" to the end of the 192.168.0.0 subnets in the SCAN_SUBNETS property but it made no difference. Does anyone have any insight?

Paste last few lines from pialert.log

You can use tail -20 /home/pi/pialert/front/log/pialert.log

18:55:24 [Update Device Name] Trying to resolve devices without name
18:55:24 [Update Device Name] Pholus entries from prev scans: 479
18:55:25 [Update Device Name] Names Found (DiG/Pholus): 0 (0/0)
18:55:25 [Update Device Name] Names Not Found         : 12
18:55:25 [Process Scan] Voiding false (ghost) disconnections
18:55:25 [Process Scan] Pairing session events (connection / disconnection) 
18:55:25 [Process Scan] Creating sessions snapshot
18:55:25 [Process Scan] Inserting scan results into Online_History
18:55:25 [Process Scan] Skipping repeated notifications
18:55:25 [Skip Repeated Notifications] Skip Repeated start
18:55:25 [Skip Repeated Notifications] Skip Repeated end
18:55:25 [Notification] Check if something to report
18:55:25 [Notification] Open text Template
18:55:25 [Notification] Open html Template
18:55:25 [Notification] included sections: ['internet', 'new_devices', 'down_devices', 'events']
18:55:25 [Notification] Internet sections done.
18:55:25 [Notification] New Devices sections done.
18:55:25 [Notification] Down Devices sections done.
18:55:25 [Notification] Events sections done.
18:55:25 [Notification] No changes to report
18:55:25 [Notification] Notifications changes: 0
18:55:25 [MAIN] Last action: internet_IP
18:55:25 [MAIN] cycle:
18:55:25 [MAIN] Process: Wait
18:55:30 [API] Update API starting
18:55:30 [API] Updating table_pholus_scan.json file in /front/api
18:55:30 [Internet IP] Check Internet IP started
18:55:30 [Internet IP] - Retrieving Internet IP
18:55:30 [Internet IP] IP:      X.X.X.X
18:55:30 [Internet IP]    Retrieving previous IP:
18:55:30 [Internet IP]      X.X.X.X
18:55:30 [Internet IP]    No changes to perform
18:55:30 [DDNS]     Skipping Dynamic DNS update
18:55:30 [MAIN] cycle:1
18:55:30 [Network Scan] Scan Devices:
18:55:30 [Network Scan] arp-scan start
18:56:28 [Network Scan] arp-scan ends
18:56:28 [Network Scan] Pi-hole start
18:56:28 [Network Scan] DHCP Leases start
18:56:28 [Process Scan]  Processing scan results
18:56:28 [Process Scan] Print Stats
18:56:28 [Scan Stats]    Devices Detected.......: 32
18:56:28 [Scan Stats]        arp-scan detected..: 29
18:56:28 [Scan Stats]        Pi-hole detected...: +0
18:56:28 [Scan Stats]        New Devices........: 0
18:56:28 [Scan Stats]    Devices in this cycle..: 32
18:56:28 [Scan Stats]        Down Alerts........: 0
18:56:28 [Scan Stats]        New Down Alerts....: 0
18:56:28 [Scan Stats]        New Connections....: 0
18:56:28 [Scan Stats]        Disconnections.....: 1
18:56:28 [Scan Stats]        IP Changes.........: 0
18:56:28 [Process Scan] Stats end
18:56:28 [Process Scan] Updating DB Info
18:56:28 [Process Scan] Sessions Events (connect / discconnect)
18:56:28 [Process Scan] Creating new devices
18:56:28 [Process Scan] Updating Devices Info
18:56:28 [Mac Vendor Check] Error: b''
18:56:28 [Process Scan] Resolve devices names
18:56:28 [PholusScan] Scan: Pholus for 120s (2.0min)
18:56:28 [PholusScan] Pholus scan on [interface] eth0 [mask] 172.27.10.0/24
18:56:51 [PholusScan] Scan: Pholus SUCCESS
18:56:51 [PholusScan] Scan: Pholus for 120s (2.0min)
18:56:51 [PholusScan] Pholus scan on [interface] eth0 [mask] 172.27.20.0/24
18:57:33 [PholusScan] Scan: Pholus SUCCESS
18:57:34 [PholusScan] Scan: Pholus for 120s (2.0min)
18:57:34 [PholusScan] Pholus scan on [interface] eth0 [mask] 172.27.30.0/24
18:58:17 [PholusScan] Scan: Pholus SUCCESS
18:58:17 [PholusScan] Scan: Pholus for 120s (2.0min)
18:58:17 [PholusScan] Pholus scan on [interface] eth0 [mask] 192.168.86.0/24
18:59:00 [PholusScan] Scan: Pholus SUCCESS
18:59:00 [PholusScan] Scan: Pholus for 120s (2.0min)
18:59:00 [PholusScan] Pholus scan on [interface] eth0 [mask] 192.168.96.0/24
18:59:13 [PholusScan] Scan: Pholus SUCCESS

Paste your pialert.conf (remove personal info)

#-----------------AUTOGENERATED FILE-----------------#
#                                                    #
#         Generated:  2023-06-19_17-46-03            #
#                                                    #
#   Config file for the LAN intruder detection app:  #
#      https://github.com/jokob-sk/Pi.Alert          #
#                                                    #
#-----------------AUTOGENERATED FILE-----------------#

# General
#---------------------------
ENABLE_ARPSCAN=True
SCAN_SUBNETS=['172.27.10.0/24 --interface=eth0','172.27.20.0/24 --interface=eth0','172.27.30.0/24 --interface=eth0','192.168.86.0/24 --interface=eth0','192.168.96.0/24 --interface=eth0']
LOG_LEVEL='verbose'
TIMEZONE='America/Chicago'
ENABLE_PLUGINS=True
PIALERT_WEB_PROTECTION=False
PIALERT_WEB_PASSWORD='####'
INCLUDED_SECTIONS=['internet','new_devices','down_devices','events']
SCAN_CYCLE_MINUTES=5
DAYS_TO_KEEP_EVENTS=90
REPORT_DASHBOARD_URL='http://pi.alert'
DIG_GET_IP_ARG='-4 myip.opendns.com @resolver1.opendns.com'
UI_LANG='English'
UI_PRESENCE=['online','offline','archived']

# Email
#---------------------------
REPORT_MAIL=True
SMTP_SERVER='####'
SMTP_PORT=587
REPORT_TO='####'
REPORT_FROM='####'
SMTP_SKIP_LOGIN=False
SMTP_USER='####'
SMTP_PASS='####'
SMTP_SKIP_TLS=False
SMTP_FORCE_SSL=False

# Webhooks
#---------------------------
REPORT_WEBHOOK=False
WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
WEBHOOK_PAYLOAD='json'
WEBHOOK_REQUEST_METHOD='GET'

# Apprise
#---------------------------
REPORT_APPRISE=False
APPRISE_HOST='http://localhost:8000/notify'
APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com'
APPRISE_PAYLOAD='html'

# NTFY
#---------------------------
REPORT_NTFY=False
NTFY_HOST='https://ntfy.sh'
NTFY_TOPIC='replace_my_secure_topicname_91h889f28'
NTFY_USER='user'
NTFY_PASSWORD='passw0rd'

# PUSHSAFER
#---------------------------
REPORT_PUSHSAFER=False
PUSHSAFER_TOKEN='ApiKey'

# MQTT
#---------------------------
REPORT_MQTT=False
MQTT_BROKER='192.168.1.2'
MQTT_PORT=1883
MQTT_USER='mqtt'
MQTT_PASSWORD='passw0rd'
MQTT_QOS=0
MQTT_DELAY_SEC=2

# DynDNS
#---------------------------
DDNS_ACTIVE=False
DDNS_DOMAIN='your_domain.freeddns.org'
DDNS_USER='dynu_user'
DDNS_PASSWORD='A0000000B0000000C0000000D0000000'
DDNS_UPDATE_URL='https://api.dynu.com/nic/update?'

# PiHole
#---------------------------
PIHOLE_ACTIVE=True
DHCP_ACTIVE=True

# Pholus
#---------------------------
PHOLUS_ACTIVE=True
PHOLUS_TIMEOUT=120
PHOLUS_FORCE=False
PHOLUS_RUN='once'
PHOLUS_RUN_TIMEOUT=600
PHOLUS_RUN_SCHD='0 4 * * *'
PHOLUS_DAYS_DATA=7

# Nmap
#---------------------------
NMAP_ACTIVE=True
NMAP_TIMEOUT=150
NMAP_RUN='none'
NMAP_RUN_SCHD='0 2 * * *'
NMAP_ARGS='-p -10000'

# API
#---------------------------
API_CUSTOM_SQL='SELECT * FROM Devices WHERE dev_PresentLastScan = 0'

# SNMPDSC
#---------------------------
SNMPDSC_RUN='disabled'
SNMPDSC_CMD='python3 /home/pi/pialert/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}'
SNMPDSC_routers=['snmpwalk -v 2c -c public -OXsq 192.168.1.1 .1.3.6.1.2.1.3.1.1.2']
SNMPDSC_RUN_SCHD='0 2 * * *'
SNMPDSC_RUN_TIMEOUT=5
SNMPDSC_WATCH=['Watched_Value1']
SNMPDSC_REPORT_ON=['new','watched-changed']

# WEBMON
#---------------------------
WEBMON_RUN='disabled'
WEBMON_CMD='python3 /home/pi/pialert/front/plugins/website_monitor/script.py urls={urls}'
WEBMON_RUN_SCHD='0 2 * * *'
WEBMON_API_SQL='SELECT * FROM plugin_website_monitor'
WEBMON_RUN_TIMEOUT=5
WEBMON_WATCH=['Watched_Value1']
WEBMON_REPORT_ON=['new','watched-changed']
WEBMON_urls_to_check=['https://google.com','https://duck.com']
WEBMON_SQL_internet_ip='SELECT dev_LastIP FROM Devices WHERE dev_MAC = {s-quote}Internet{s-quote}'

# DHCPSRVS
#---------------------------
DHCPSRVS_RUN='disabled'
DHCPSRVS_CMD='python3 /home/pi/pialert/front/plugins/dhcp_servers/script.py'
DHCPSRVS_RUN_SCHD='0 2 * * *'
DHCPSRVS_RUN_TIMEOUT=5
DHCPSRVS_WATCH=['Watched_Value1']
DHCPSRVS_REPORT_ON=['new','watched-changed']

# DHCPLSS
#---------------------------
DHCPLSS_RUN='disabled'
DHCPLSS_CMD='python3 /home/pi/pialert/front/plugins/dhcp_leases/script.py paths={paths}'
DHCPLSS_paths_to_check=['/mnt/dhcp1.leases','/mnt/dhcp2.leases']
DHCPLSS_RUN_SCHD='0 2 * * *'
DHCPLSS_RUN_TIMEOUT=5
DHCPLSS_WATCH=['Watched_Value1','Watched_Value4']
DHCPLSS_REPORT_ON=['new','watched-changed']

# NMAPSRV
#---------------------------
NMAPSRV_RUN='disabled'
NMAPSRV_CMD='SELECT  ns.MAC as Object_PrimaryID, cast({s-quote}http://{s-quote} || dv.dev_LastIP as VARCHAR(100)) || {s-quote}:{s-quote} || cast( SUBSTR(ns.Port ,0, INSTR(ns.Port , {s-quote}/{s-quote})) as VARCHAR(100)) as Object_SecondaryID,  datetime() as DateTime,  ns.Service as Watched_Value1, ns.State as Watched_Value2, dv.dev_Name as Watched_Value3,        {s-quote}null{s-quote} as Watched_Value4,        ns.Extra as Extra, ns.MAC as ForeignKey FROM (SELECT * FROM Nmap_Scan) ns left JOIN (SELECT dev_Name, dev_MAC, dev_LastIP FROM Devices) dv  ON ns.MAC = dv.dev_MAC'
NMAPSRV_RUN_SCHD='0 2 * * *'
NMAPSRV_WATCH=['Watched_Value1']
NMAPSRV_REPORT_ON=['new','watched-changed']

# UNDIS
#---------------------------
UNDIS_RUN='disabled'
UNDIS_CMD='python3 /home/pi/pialert/front/plugins/undiscoverables/script.py devices={devices}'
UNDIS_RUN_TIMEOUT=10
UNDIS_devices_to_import=['dummy_router']

# UNFIMP
#---------------------------
UNFIMP_RUN='once'
UNFIMP_CMD='python3 /home/pi/pialert/front/plugins/unifi_import/script.py username={username} password={password}  host={host} sites={sites}  protocol={protocol} port={port} version={version}'
UNFIMP_username='####'
UNFIMP_password='####'
UNFIMP_protocol='https://'
UNFIMP_host='172.27.1.254'
UNFIMP_port='443'
UNFIMP_version='UDMP-unifiOS'
UNFIMP_sites=['default']
UNFIMP_RUN_SCHD='0 2 * * *'
UNFIMP_RUN_TIMEOUT=5
UNFIMP_WATCH=['Watched_Value1','Watched_Value4']
UNFIMP_REPORT_ON=['new','watched-changed']

#-------------------IMPORTANT INFO-------------------#
#   This file is ingested by a python script, so if  #
#        modified it needs to use python syntax      #
#-------------------IMPORTANT INFO-------------------#

Paste your docker-compose.yml and .env (remove personal info)

docker-compose.yml

services:
  ...
  pi-alert:
    image: jokobsk/pi.alert:latest
    # container_name: pi-alert
    hostname: pi-alert
    volumes:
      - "./data/pi-alert/config:/home/pi/pialert/config"
      - "./data/pi-alert/db:/home/pi/pialert/db"
      - "./data/pi-hole/pihole/pihole-FTL.db:/etc/pihole/pihole-FTL.db"
      - "./data/pi-hole/pihole/dhcp.leases:/etc/pihole/dhcp.leases"
    network_mode: "host"
    env_file:
      - "./env/pi-alert.env"
    restart: unless-stopped
    privileged: true
    depends_on:
      - pi-hole
  ...

.env

TZ=America/Chicago
# HOST_USER_ID=1000
# HOST_USER_GID=1000
# PORT=20211


jokob-sk commented 1 year ago

Hi there!

Thanks for the detailed description.

Have you tried to add the vlan parameter to your subnets as described here?

https://github.com/jokob-sk/Pi.Alert/blob/main/docs/SUBNETS.md#support-for-vlans

I can't test this but users reported that this approach has helped them.

Thanks, j

s33d1ing commented 1 year ago

I messed around with this a bit more and tried the vlan parameter but didn't have any luck. I ended up joining the pi to a wireless network on the 192.168.0.0 subnet as well as the wired 172.27.0.0 network. I updated the config to use the other interface for those subnets:

SCAN_SUBNETS=['172.27.10.0/24 --interface=eth0','172.27.20.0/24 --interface=eth0','172.27.30.0/24 --interface=eth0','192.168.86.0/24 --interface=wlan0','192.168.96.0/24 --interface=wlan0']
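The fix above (point each subnet at the interface that is actually attached to it) can be turned into a sanity check on the SCAN_SUBNETS list. The following is an added example, not Pi.Alert/NetAlertX code; the host interface table is constructed for illustration, and the entry format `'<cidr> --interface=<ifname>'` plus the optional `--vlan` argument are taken from the config and discussion above.

```python
"""Check Pi.Alert SCAN_SUBNETS entries against the scanner host's own
interface addresses. arp-scan sends ARP requests on the named interface, so
an entry only finds devices that answer ARP on that link; a subnet that is
merely routed (ping/nmap reach it, ARP does not) yields an empty scan."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical host table for illustration only; on a real host
# fill it from `ip -j addr show` (JSON) or psutil.net_if_addrs().
HOST_ADDRS: Dict[str, List[str]] = {
    "eth0": ["172.27.10.30/24"],
    "wlan0": ["192.168.86.40/24"],
}

# '<network> --interface=<ifname> [extra arp-scan args]', as in pialert.conf
ENTRY_RE = re.compile(r"^\s*(\S+)\s+--interface=(\S+)(.*)$")

def parse_entry(entry: str) -> Tuple[ipaddress.IPv4Network, str, str]:
    """Split one SCAN_SUBNETS entry into (network, ifname, extra args)."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised SCAN_SUBNETS entry: {entry!r}")
    return ipaddress.ip_network(m.group(1), strict=False), m.group(2), m.group(3).strip()

def attached_interfaces(net, host_addrs: Dict[str, List[str]]) -> List[str]:
    """Interfaces holding an address whose on-link prefix overlaps net."""
    return [ifname for ifname, cidrs in host_addrs.items()
            if any(ipaddress.ip_interface(c).network.overlaps(net) for c in cidrs)]

def check_scan_subnets(entries: List[str],
                       host_addrs: Dict[str, List[str]] = HOST_ADDRS) -> List[Tuple[str, str]]:
    """Return (entry, reason) for each entry arp-scan cannot serve as written."""
    problems = []
    for entry in entries:
        net, ifname, extra = parse_entry(entry)
        if "--vlan" in extra:
            continue  # tagged trunk: a separate link the host table does not describe
        if ifname not in host_addrs:
            problems.append((entry, f"interface {ifname} not present on host"))
            continue
        on_link = attached_interfaces(net, host_addrs)
        if ifname in on_link:
            continue
        reason = f"{net} is not on-link for {ifname}"
        reason += (f"; use --interface={on_link[0]}" if on_link
                   else "; only reachable by routing, which ARP does not cross")
        problems.append((entry, reason))
    return problems
```

Run it over the original all-eth0 list and the two 192.168.x entries are reported, the first with the wlan0 hint; the corrected wlan0 entries pass.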