For Zabbix, it is possible to use a Zabbix proxy for scanning networks. One of the possibilities to run the proxy is to use Docker. I have tested running the Zabbix proxy in Docker (Container Manager on my Synology NAS). It is very easy to use and the setup is pretty straightforward.
Below are my findings; hopefully they help you if you want to do some testing with the Zabbix proxy like I do :-).
Below you find the docker compose file which I used on my Synology NAS.
# Docker compose file for running zabbix-proxy on Docker
# Created by P. Bazelmans
# Modify ZBX_SERVER_HOST and ZBX_HOSTNAME for your own setup
version: '3'
services:
  zabbix-proxy:
    image: zabbix/zabbix-proxy-sqlite3:latest
    container_name: zabbix-proxy
    environment:
      - ZBX_SERVER_HOST=x.x.x.x:10051
      - ZBX_HOSTNAME=My-Proxy
      - ZBX_STARTPOLLERS=5
      - ZBX_STARTTRIGGERS=5
    ports:
      - "10051:10051"
    restart: unless-stopped
Create a project in Container Manager (Synology)
Create a new project in Container Manager and use the compose file to set up the zabbix-proxy container.
Content is downloaded automatically…
When everything is OK, the project is started after the installation.
Now let's check whether the Zabbix proxy connects to the Zabbix server.
Remember: the name of the proxy (ZBX_HOSTNAME, as defined in the compose file) must be identical to the proxy name configured on the Zabbix server.
Well, as you have probably read in my other posts, I am some sort of enthusiast for using my KPN internet and iTV subscription with my own gear (and not with the Experiabox that KPN included with my subscription). That said, I also know that there are some difficulties I can run into. One of them was to successfully route the iTV traffic (which is multicast) through a FortiGate firewall. It works, yes, but I found that there are some "side-effects" which I didn't like. One of the most annoying things is that the internet performance drops dramatically when both TV receivers are actively requesting a multicast stream. Mwa, that's definitely not what I want :-(.
So I decided to split the functionality over 2 devices: internet traffic is routed through my FortiGate firewall, while multicast traffic is routed through a dedicated router (in my case a Mikrotik router). Be aware that if you want to use a router for the iTV multicast traffic, it has to support some features to get it working.
Let's begin with some graphics that show what I have built. See the basic drawings below:
I have a separate vlan where the TV receivers reside. This vlan is directly routed through my Mikrotik router, which handles the multicast traffic. The reason why the FortiGate is also present in the vlan is that the receivers need internet access for some services (such as Netflix). In my case, I made the FortiGate the DHCP server for this vlan, and pointed the default gateway to the Mikrotik router.
Physically, I needed to handle the vlan IDs which are present on my NTU. These IDs are vlan 4 (for iTV) and vlan 6 (for internet). Vlan 5 is for telephony services, which I don't use.
I configured PPPoE on my FortiGate on the wan1 interface, which is connected to a port on the Mikrotik router in vlan 6. I don't need to configure a subinterface on the FortiGate, because the Mikrotik port where I connect my FortiGate WAN port is a native vlan port. With this configuration, I keep the public IP address directly associated with my FortiGate's WAN port. Great!
The Mikrotik router has a subinterface in vlan 4, where it runs a DHCP client to get an IP address from the KPN network. For this to work, you have to send 2 options in the DHCP request.
DHCP client option    Value
60                    IPTV_RG
55 (parameter 121)    CLASSLESS_ROUTE
Option 60 is mandatory; otherwise you will not get an IP address at all.
Option 55 (the parameter request list) is a special one: with parameter 121 it requests the route information for the KPN network. If you have a Mikrotik router, this step is easy because the option can simply be enabled in the DHCP client configuration with the "special classless" option.
The learned prefix from KPN is printed below.
For multicast to work, I also had to take care of firewalling (NAT masquerade) and IGMP proxying.
For your convenience, I have published my Mikrotik configuration on Github here.
After I got my internet connection from KPN running through my FortiGate, the next step was to make interactive TV (iTV) work through my FortiGate as well.
Well, it was a bit of a puzzle to get this working, because of some special settings which are needed for iTV. But when all these things are set, iTV works (almost*) perfectly through the FortiGate.
So why almost*, you ask? Well, after testing for a while, it seems that I have a problem with my internet performance when I have 2 TV receivers active. When both receivers are active, they use about 7-8 Mbps of bandwidth each. Yet when 2 receivers are active, I only have several Mbit/s of internet speed left… (I have a 200/200 Mbps contract, which I can easily utilize 100% when only 1 or no receivers are active). It seems to me that the multicast streams of 2 receivers are a bit too much for my FortiGate 60F.
I decided to route the TV traffic via a dedicated router, and that worked fine! Now I can fully utilize my internet connection even when both receivers are active. In my opinion, separating TV traffic through a dedicated router is the best solution. My router is a Mikrotik RB750Gr3.
This post describes the situation where all traffic is routed through the FortiGate. The situation where I route multicast TV traffic through a dedicated MikroTik router will be described in a later post.
What do I have?
Internet from KPN (Dutch ISP) with FTTH (Fiber-to-the-home) 200/200 Mbps
Interactive-TV from KPN
I do not use telephony from KPN
Experia box V10A from KPN
FortiGate 60F (FortiOS 6.4)
Internal switch where I can do some vlan-stuff with
You MUST use FortiOS 6.4 for this to work. Otherwise, the DHCP-client option which is used for iTV cannot be configured as this option is only available in FortiOS 6.4.
What did I want to realize?
I do not want to use the Experia box of KPN! I want to use my own FortiGate firewall to take over all the functions of the Experia box (apart from WiFi, where I have my own access-points)
What are the topics?
The topics to build are:
Internet-connectivity (IPv4 & IPv6) (see post part 1)
iTV including replay and recordings (this post, part 2)
Building iTV
My ISP connection is delivered over fiber, which is handed off as a UTP connection from the NTU. The UTP cable goes directly into the WAN port of my FortiGate.
Good to know: KPN provides 3 vlans in total to carry their services:
vlan 4 = iTV
vlan 5 = Telephony (which I don’t use)
vlan 6 = Internet
So, for iTV we are going to work with vlan 4. Let's summarize the steps I did:
Set up vlan 4 connectivity on the WAN port of my FortiGate
enable the DHCP client (with options)
create the necessary routing
configure the internal interface for the TV receivers
configure policy rules
set some global parameters
enjoy iTV via the FortiGate 🙂
Step 1: Create vlan 4 connectivity
First, I configured the WAN interface of my FortiGate with vlan 4 as a subinterface. The configuration for this is displayed below.
config system interface
    edit "vlan4"
        set vdom "root"
        set mode dhcp
        config client-options
            edit 1
                set code 60
                set type string
                set value "IPTV_RG"
            next
        end
        set distance 10
        set alias "KPN iTV"
        set dns-server-override disable
        set interface "wan1"
        set vlanid 4
    next
end
Note the dhcp client-options part; this is mandatory because KPN will not give you a (valid) IP address when this client option is not present in your DHCP request. Option 60 needs to be present in your DHCP request, and its value must be exactly IPTV_RG.
If everything is configured well, you should be able to get an IP address at this point. I got a 10.x.x.x address out of a /22 subnet. I also retrieved a DNS server and a default gateway. To not disturb the default route which is currently active in my FortiGate for internet, I gave this default gateway a higher distance of 10 (the default gateway I retrieved for internet has a distance of 5). Another option is to disable retrieval of the default gateway on this interface altogether.
Step 2: create the necessary routing
What we now need to do is make sure that the correct routing is applied for the subnet on which the iTV services reside in the KPN network. For KPN the iTV services are located in subnet 213.75.112.0/21, so we need to make sure that this subnet is routed to the vlan 4 interface. We could accomplish this with another DHCP client option, through which KPN returns the routing information to the FortiGate. For now, I didn't get this working, so I decided to configure another method, which was also very easy to implement.
Because the vlan 4 interface has a dynamic (DHCP) address, I configured a static route where the next-hop address is dynamically determined through DHCP. See my example below.
As you can see above, the next-hop is dynamically determined through DHCP.
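The route information that both the Mikrotik table (option 55, parameter 121) and the alternative mentioned above refer to is DHCP option 121, the classless static route option (RFC 3442). The following added example (not from the post, not FortiOS or Mikrotik code) decodes and encodes that option; the payload is constructed, with only the 213.75.112.0/21 iTV subnet taken from the post and the 10.0.0.x router addresses being placeholders.

```python
"""Decode/encode DHCP option 121 (classless static route, RFC 3442).

Added example, not part of the original post.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option_121(payload: bytes) -> List[Route]:
    """Parse option-121 bytes into (destination, router) pairs.

    Each entry is: prefix length (1 byte), the ceil(prefix/8) significant
    destination octets, then the 4-byte router. Prefix length 0 encodes
    the default route and carries no destination octets.
    """
    routes: List[Route] = []
    pos = 0
    while pos < len(payload):
        plen = payload[pos]
        pos += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nsig = (plen + 7) // 8
        if pos + nsig + 4 > len(payload):
            raise ValueError("truncated option 121 entry")
        dest = payload[pos:pos + nsig] + b"\x00" * (4 - nsig)
        pos += nsig
        router = ipaddress.IPv4Address(payload[pos:pos + 4])
        pos += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def encode_option_121(routes: List[Route]) -> bytes:
    """Inverse of decode_option_121: emit only the significant octets."""
    out = bytearray()
    for dest, router in routes:
        nsig = (dest.prefixlen + 7) // 8
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:nsig]
        out += router.packed
    return bytes(out)


def next_hop_for(routes: List[Route], host: str) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match, as a client applies the learned routes."""
    addr = ipaddress.IPv4Address(host)
    best = None
    for dest, router in routes:
        if addr in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, router)
    return best[1] if best else None


# Constructed payload: 213.75.112.0/21 (the iTV subnet named in the post) via
# placeholder router 10.0.0.1, then a default route via placeholder 10.0.0.254.
SAMPLE_OPTION_121 = bytes([21, 213, 75, 112, 10, 0, 0, 1,
                           0, 10, 0, 0, 254])

if __name__ == "__main__":
    for dest, router in decode_option_121(SAMPLE_OPTION_121):
        print(f"{dest} via {router}")
```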
Step 3: Configure the internal interface for the TV-receivers
In my home network, I created vlan 5 with subnet 10.5.1.0/24 for the network where my TV receivers live. I configured the interface as follows:
config system interface
    edit "vlan5"
        set vdom "root"
        set ip 10.5.1.1 255.255.255.0
        set allowaccess ping
        set alias "tv-receivers"
        set interface "internal"
        set vlanid 5
    next
end
I also enabled a DHCP server on vlan 5, so that the TV receivers get an IP address automatically. I specified the internet nameservers of KPN.
Step 4: Configure policy-rules
Because iTV traffic is actually multicast traffic, we need to configure an inbound and an outbound multicast policy rule so that multicast traffic is permitted to flow through the firewall. With these rules, source NAT is only required for outbound traffic; for inbound traffic we can disable source NAT. My multicast rules are configured as follows. Note the SNAT part of the rules.
the multicast policy-rules for iTV traffic
After configuring the part above, you should be able to start up a receiver in the internal vlan. It gets an IP address and starts up, but it gets stuck at 85%…
The problem is that the receiver also needs some internet access, such as DNS, NTP and Netflix traffic. For this I configured a policy rule that allows access to the internet.
After I configured these rules, the receiver starts successfully.
Step 5: Set some global-settings
At this point, you should be able to watch TV via your TV receiver. But it is possible that the picture constantly "freezes". This problem can easily be solved by entering the following commands on the CLI.
config system settings
    set multicast-ttl-notchange enable
end
Step 6: Replay and Recordings
In my case, I noticed that replay and recordings did not work yet at this point. Because recordings are actually an RTSP stream, I decided to disable the session helper for RTSP traffic. For one reason or another, the FortiGate does not handle this RTSP traffic well.
In the default configuration, the RTSP session helper has ID 6, so deleting this ID deletes the RTSP session helper.
config system session-helper
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
end

FGT60F # config system session-helper
FGT60F (session-helper) # delete 6
FGT60F (session-helper) # end
That’s all folks, everything should be working fine now! If you experience any issues, please drop a comment.
For the last few days, I have been working to get my ISP connection at home (which is from KPN) working with a FortiGate firewall. Well, it was a bit of a puzzle to get this working, because information about this topic is very fragmented. So I want to write about what I've done to get this working.
What do I have?
Internet from KPN (Dutch ISP) with FTTH (Fiber-to-the-home) 200/200 Mbps
Interactive-TV from KPN
I do not use telephony from KPN
Experia box V10A from KPN
FortiGate 60F (FortiOS 6.4)
Internal switch where I can do some vlan-stuff with
You MUST use FortiOS 6.4 for this to work. Otherwise, the DHCP-client option which is used for iTV cannot be configured as this option is only available in FortiOS 6.4.
Update 5 dec 2022: some parts of this post are updated for FortiOS 7.2.
What did I want to realize?
I do not want to use the Experia box of KPN! I want to use my own FortiGate firewall to take over all the functions of the Experia box (apart from WiFi, where I have my own access-points)
What are the topics?
The topics to build are:
Internet-connectivity (IPv4 & IPv6)
iTV including replay and recordings
Building Internet
My ISP connection is delivered over fiber, which is handed off as a UTP connection from the NTU. The UTP cable goes directly into the WAN port of my FortiGate.
Good to know: KPN provides 3 vlans in total to carry their services:
vlan 4 = iTV
vlan 5 = Telephony
vlan 6 = Internet
So first I need to create a vlan interface for vlan 6 on the WAN port. Because of the PPPoE overhead, the MTU of the WAN port needs to be set to 1514 bytes, and the vlan interface itself to 1506 bytes.
config system interface
    edit "wan1"
        set mtu-override enable
        set mtu 1514
    next
    edit "internet"
        set alias "vlan6"
        set estimated-upstream-bandwidth 200000
        set estimated-downstream-bandwidth 200000
        set role wan
        set snmp-index 8
        set mtu-override enable
        set mtu 1506
        set interface "wan1"
        set vlanid 6
    next
end
Next, we want to create the PPPoE interface. We bind this PPPoE interface to the vlan 6 interface ("internet") on wan1.
## This config is applicable to FortiOS 6.4 ##
config system interface
    edit "pppoe1"
        set mode pppoe
        set allowaccess ping
        set type tunnel
        set estimated-upstream-bandwidth 200000
        set estimated-downstream-bandwidth 200000
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
        end
        set interface "internet"
    next
end
## This part is for FortiOS 7.2. The v6-ranges should match the range which is received from KPN ##
config system interface
    edit "wan1"
        set vdom "root"
        set status down
        set type physical
        set alias "KPN"
        set role wan
        set mtu-override enable
        set mtu 1506
    next
    edit "pppoe"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set type tunnel
        set alias "internet"
        set role wan
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            config dhcp6-iapd-list
                edit 5
                    set prefix-hint 2a02:aaaa:bbbb::/48
                next
            end
        end
        set interface "wan1"
    next
end
Note the config ipv6 part; it is necessary to get an IPv6 prefix, which is advertised by the ISP via DHCPv6 prefix delegation (DHCPv6-PD).
When we look at the PPPoE interface in the GUI of the FortiGate, you should see the IPv4 address which we got from KPN.
We can also see that nothing is visible about the DHCPv6-PD config, so this part is only visible (and configurable) in the CLI.
If everything is okay, it should be possible to send some pings to hosts on the Internet over IPv4.
FGT60F # execute ping www.google.com
PING www.google.com (172.217.19.196): 56 data bytes
64 bytes from 172.217.19.196: icmp_seq=0 ttl=119 time=3.4 ms
64 bytes from 172.217.19.196: icmp_seq=1 ttl=119 time=3.4 ms
64 bytes from 172.217.19.196: icmp_seq=2 ttl=119 time=3.4 ms
64 bytes from 172.217.19.196: icmp_seq=3 ttl=119 time=3.4 ms
64 bytes from 172.217.19.196: icmp_seq=4 ttl=119 time=3.4 ms
--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.4/3.4/3.4 ms
If your ping is working, then you have successfully configured an IPv4 internet connection with your FortiGate. Now you can start building your IPv4 policy rules for your internal vlan (which is not part of this post).
At this moment, it is not possible (yet) to ping an IPv6 host on the Internet:
FGT60F # execute ping6 ipv6.google.com
connect: Network is unreachable
ping6 is not working because no IPv6 route is defined. We need to add one statically: we point the IPv6 default route to the pppoe1 interface.
config router static6
    edit 1
        set device "pppoe1"
    next
end
After this, you should be able to ping an IPv6 host:
FGT60F # exec ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:400e:806::200e) 56 data bytes
64 bytes from 2a00:1450:400e:806::200e: icmp_seq=1 ttl=120 time=3.71 ms
64 bytes from 2a00:1450:400e:806::200e: icmp_seq=2 ttl=120 time=3.73 ms
64 bytes from 2a00:1450:400e:806::200e: icmp_seq=3 ttl=120 time=3.66 ms
64 bytes from 2a00:1450:400e:806::200e: icmp_seq=4 ttl=120 time=3.66 ms
64 bytes from 2a00:1450:400e:806::200e: icmp_seq=5 ttl=120 time=3.68 ms
Now that IPv6 is working to the outside world, we need to route it internally so that hosts can get a (global unicast) IPv6 address. Therefore, we need to configure an IPv6 prefix on the inside interface of the FortiGate.
As KPN gives you a /48 prefix, we can assign a /64 prefix to the internal network. The internal hosts get an IPv6 address using SLAAC, which is the easiest way to address your hosts for IPv6. Another option is to configure DHCPv6 (not part of this post).
Note that the 2a02:xxxx:xxxx:xxxx::/64 part of the config should be your IPv6 range as allocated to you by KPN. If you don't know this prefix, you can find it when you connect your Experia box and look in its web interface.
## This part is applicable to FortiOS 6.4 ##
config system interface
    edit "internal"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-upstream-interface "pppoe1"
            set ip6-subnet 2a02:xxxx:xxxx:xxxx::/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "pppoe1"
                    set subnet 2a02:xxxx:xxxx:xxxx::/64
                next
            end
        end
    next
end
## This part is applicable to FortiOS 7.2. Note the "5" for the prefix-iaid. This number MUST MATCH the dhcp6-iapd-list rule-index number (edit 5), which is under the pppoe logical interface ##
config system interface
    edit "internal"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set type hard-switch
        set role lan
        config ipv6
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "pppoe"
                    set delegated-prefix-iaid 5
                    set subnet 2a02:aaaa:bbbb:10::/64
                next
            end
        end
    next
end
When this config is done, you should be able to check whether the IPv6 prefix is allocated to the internal interface.
Note: I've seen that I need to restart the firewall to get this step done.
The final thing to do to get IPv6 working for your hosts is to create a policy rule for v6 in the FortiGate without NAT. Since NAT is not usual with IPv6, we do not enable it.
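The 7.2 config above pairs a dhcp6-iapd-list entry on the pppoe interface with a delegated-prefix-iaid on the internal interface, and the /64 has to come out of the delegated /48. This added example (not from the post, not FortiOS code) models that pairing as a small consistency check and shows how a /64 is carved from the /48; the prefix 2a02:aaaa:bbbb::/48 is the post's placeholder, not a real allocation.

```python
"""Consistency check for a DHCPv6-PD to inside-interface prefix pairing.

Added example, not part of the original post. The dicts model the two
halves of the FortiOS 7.2 config shown on the page.
"""
import ipaddress
from typing import Dict, List, Tuple


def carve_64(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return /64 number `subnet_id` inside a delegated prefix.

    A /48 (as KPN hands out) contains 65536 such /64s; subnet_id 0x10
    gives the 2a02:aaaa:bbbb:10::/64 used on the page.
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix is longer than a /64, nothing to carve")
    if not 0 <= subnet_id < (1 << (64 - pd.prefixlen)):
        raise ValueError("subnet id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(pd.network_address) + (subnet_id << 64), 64))


def check_pd_config(iapd_list: Dict[int, str],
                    delegated_list: List[Tuple[int, str]]) -> List[str]:
    """Return the problems found; an empty list means the pairing is consistent.

    iapd_list: dhcp6-iapd-list index -> prefix-hint (pppoe interface side)
    delegated_list: (delegated-prefix-iaid, subnet) entries of an inside interface
    """
    problems: List[str] = []
    for iaid, subnet in delegated_list:
        net = ipaddress.IPv6Network(subnet)
        if iaid not in iapd_list:
            problems.append(f"{subnet}: iaid {iaid} has no dhcp6-iapd-list entry")
            continue
        pd = ipaddress.IPv6Network(iapd_list[iaid])
        if not net.subnet_of(pd):
            problems.append(f"{subnet}: not inside prefix-hint {pd} of iaid {iaid}")
    return problems


# Values taken from the 7.2 config on the page (placeholder prefix, not a
# real allocation): iapd index 5 on "pppoe", iaid 5 on "internal".
IAPD_LIST = {5: "2a02:aaaa:bbbb::/48"}
INTERNAL_PREFIXES = [(5, "2a02:aaaa:bbbb:10::/64")]

if __name__ == "__main__":
    print(check_pd_config(IAPD_LIST, INTERNAL_PREFIXES) or "pairing is consistent")
    print(carve_64("2a02:aaaa:bbbb::/48", 0x10))
```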
config firewall policy
    edit 0
        set name "outbound-internet v6"
        set srcintf "internal"
        set dstintf "pppoe1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
    next
end
Now, on an internal host (I have a Win10 PC), you can run ipconfig /all to see your IPv6 addresses (you will get 2 temporary addresses).
Test your IPv6 connectivity: https://ipv6-test.com/