Author Topic: Redirect or block Bridge posts to Aculink  (Read 3424 times)

bes
« on: January 17, 2016, 11:31:44 PM »
Has anyone found a way to redirect or block acurite bridge posts to Acu-link? I have a satellite internet connection that occasionally fails. When I lose the internet connection, the bridge hangs and won't receive new 5 in 1 data. I've tried blocking acu-link.com with my tp-link router, but this causes the bridge to hang and it won't receive new data.

I'm successfully using George Nincehelser's listener/parser to load data to weewx, so I don't need the bridge post to acu-link.

nincehelser
« Reply #1 on: January 18, 2016, 12:31:32 AM »
The bridge needs to hear an occasional response from the server or it will reboot in an attempt to re-establish communication.

One way around this is to use a Squid proxy to give a cached response if the servers aren't available.

If you want to be 100% off-the-grid, using a minimal web server to mimic the Acurite server response might be a better approach.  The downside of this is you won't automatically get any firmware updates that might come along.

bes
« Reply #2 on: January 24, 2016, 07:13:26 PM »
Thanks for the suggestions.  I have two acurite bridge setups -- one at home with a fast, unlimited internet connection and one at a lakehouse with metered satellite internet connection and the tp-link router. The lakehouse acurite bridge is the one I'd like to block. 

As a test, at home I have a netgear router that lets me block the IP address of the bridge and so far the bridge continues to report data from the 5 in 1 sensor. I've rebooted the bridge and the pi a few times but that hasn't caused the bridge to stop reporting. I think your note indicates this will eventually stop working when the bridge has gone too long without receiving a response from acu-rite.com.

Thanks again for the help. Assuming my netgear setup eventually fails, I'll dig deeper into your suggestions.

bes
« Reply #3 on: February 02, 2016, 07:51:48 AM »
To close this out -- I believe I've been successful blocking the Acurite internet bridge posts to Aculink.  I originally had a tp-link router that caused the bridge to stop sending data if I set the router to block the Aculink IP address.  I've replaced the tp-link with a netgear router and blocking the Aculink IP doesn't stop the flow of data through the bridge.  I used tcpdump to try to find out why the routers were different, and the netgear sends back a "401 Unauthorized" HTTP post when the Aculink IP is blocked.  This seems to be good enough for the bridge to continue sending data.

To test a bit further, I unplugged the bridge for a while, and when I restarted the bridge it began sending data despite never connecting to Aculink.  So I'm hoping I've got this solved.

TD22057
« Reply #4 on: April 02, 2016, 02:32:24 PM »
I'm currently using nincehelser's technique: bridge->usb ethernet dongle->pi->network and using tcpflow to scrape the data as it flows through the bridge. But I'd really like to get this to work better. I'd like to redirect the bridge web posts to a local server and eliminate any outside traffic.

From what I can find, I think the best technique would be to use the firewall rules to redirect traffic from the bridge to a local web server (small python script). Basically, a man-in-the-middle redirect attack. I followed the instructions here squid proxy but I can't seem to get ebtables to work on my pi (running ubuntu). The basic idea is to use these two commands:

Code:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8000

Every time I try that, ebtables hangs.  The ebtables command looks like it's doing a modprobe on ebtables and ebtable_broute which never return and I have to hard reboot the pi to get it back. 

My fallback approach is less elegant.  I installed dnsmasq and followed these instructions to try and have the bridge use the pi as a nameserver.  Then I would return the pi's IP address to the bridge and use some kind of iptables rule to redirect traffic from the bridge IP to a different port.  I turned on dnsmasq logging and added these lines to my networking interfaces file (192.168.1.7 is the pi's IP):

Code:
auto eth1
iface eth1 inet manual
   dns-nameservers 192.168.1.7

auto br0
iface br0 inet dhcp
   bridge_ports eth0 eth1
   dns-nameservers 192.168.1.7

I can see some DNS requests in syslog but I never see a request for www.acu-link.com (or any acurite address). After taking down eth1 and br0 and bringing them back up, I tried powering off the bridge and holding the reset button down for 5 seconds as well but I'm not getting any DNS requests from the bridge that I can see.

Any thoughts?

vreihen
« Reply #5 on: April 02, 2016, 03:21:51 PM »
Are you running Apache or NGINX on the Pi for anything? Just trying to figure out why you are trying to redirect away from port 80.

Personally, I would use one of the above web server packages and write the faux web site in PHP.  If you're using port 80 for something else, look at the web server's options for setting up named virtual hosts.

Before I gave up on trying to scrape my bridge traffic, I wrote this file (post.php) to spoof the returned info from MBW:

Code:
<?php
echo "{ \"success\": 1, \"checkversion\": \"126\" }";
?>

I don't remember if it actually worked or not, but feel free to build on it. :)

Some of the open-source home router firmware packages have the ability to serve fake DNS records via DNSmasq, so you can actually plug your bridge directly into the router and point a fake DNS name at your web server.....

TD22057
« Reply #6 on: April 02, 2016, 03:24:37 PM »
Are you running Apache or NGINX on the Pi for anything? Just trying to figure out why you are trying to redirect away from port 80.

Given that I can't seem to get it to redirect the post to my pi, it doesn't really matter what web server or port I'm using.

mwall
« Reply #7 on: April 02, 2016, 03:29:05 PM »
i've been running two installations, each with a slightly different configuration.  they both use the DNS hijack approach, with a web server responding to (and redirecting) the requests from the acurite bridge.

for example, i configure pfsense with a local DNS forwarding so that www.acu-link.com resolves to a local address.  at that local address is an nginx web server that is a reverse proxy, sending any '/messages/' requests to the port on which the weewx-interceptor driver is listening.  it has been solid, and it works with any number of 5-in-1, tower, and t/h sensors.

here is the code for the driver:

https://github.com/matthewwall/weewx-interceptor

the readme.txt in that repository describes some of the methods for capturing network traffic.  if you get firewall rules to work, please post them so i can document that approach in the readme as well.

thanks to george and the others who have hacked on the acurite bridge.  perhaps more importantly, thanks to those who have published their work.  as a result we all have many options for using our hardware.

m

ps the weewx-interceptor driver is set up to work with observerip and os lw30x stations as well, but that code has not been published yet.

TD22057
« Reply #8 on: April 06, 2016, 11:45:45 PM »
Success! I installed the latest Raspbian image on the pi (I was using Ubuntu before when I tried) and these commands worked perfectly.
Code:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8000

I ran a dummy web server (python script) which just prints anything sent to it and returns "OK". When the iptables command is issued, it immediately started displaying the bridge posts. So it looks like this will work fine and it completely removes the need for any outside servers. I suppose one failure case is if Acurite shuts the system down and the bridge can't find www.acu-link.com, it might decide to stop working but that should be relatively easy to fix if it ever comes up.

FYI I was already forwarding the bridge posts (via tcpflow before) to a python package which converted all the information into MQTT messages on my network.  My next step is to write something that will post certain sensors to weather underground.   I have other plans to store this data in a time series db and build some web pages for plotting and historical data when I get some free time.
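
A dummy listener of the kind this post describes could look like the following; it is an added example, not TD22057's script. The "OK" reply and port 8000 come from the post, while `make_server`, `MAX_BODY` and the 4096-byte cap are assumptions made for this example.

```python
import sys
from collections import deque
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_BODY = 4096   # assumption: bridge posts are small; refuse anything larger
REPLY = b"OK"     # the post's dummy server answers "OK"


def make_server(bind_addr, port, reply=REPLY):
    """Return (server, captured); captured holds (source_ip, path, body)."""
    captured = deque(maxlen=100)   # bounded, so a long run cannot eat memory

    class Handler(BaseHTTPRequestHandler):
        def _send(self, status, body):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            try:
                length = int(self.headers.get("Content-Length", "0"))
            except ValueError:
                length = -1
            if not 0 <= length <= MAX_BODY:
                self.close_connection = True   # body stays unread, so hang up
                self._send(413, b"too large")
                return
            body = self.rfile.read(length)
            captured.append((self.client_address[0], self.path, body))
            print(self.client_address[0], self.path, body)
            self._send(200, reply)

        def log_message(self, fmt, *args):
            pass   # each request is already printed in do_POST

    return ThreadingHTTPServer((bind_addr, port), Handler), captured


if __name__ == "__main__":
    # REDIRECT rewrites the destination to the address of the interface the
    # packet arrived on, so pass the Pi's address on br0 (192.168.1.7 in this
    # thread) as the first argument. Binding to that one address, rather than
    # 0.0.0.0, keeps the listener off any other interface.
    addr = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    server, _ = make_server(addr, 8000)
    server.serve_forever()
```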

TD22057
« Reply #9 on: August 18, 2017, 01:43:51 PM »
Success! I installed the latest Raspbian image on the pi (I was using Ubuntu before when I tried) and these commands worked perfectly.
Code:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8000


Has anyone been able to get this technique to work w/ ubuntu/debian/centos? It worked fine w/ Raspbian but I can't get it to work at all with Ubuntu 14.04. The commands go in, but the posts from the hub (which I can see w/ tcpflow) are not getting redirected.

TD22057
« Reply #10 on: September 15, 2017, 02:27:28 PM »
OK - just in case anyone else is looking for this info, I managed to get this to work on Ubuntu 14.04. Problem 1 was that my bridge got the new firmware and was changing the HTTP paths it was posting to. Problem 2 was that the above commands redirect ALL port 80 traffic on the machine which blocked my local web server from working. The solution is to not use ebtables (it's not required on Ubuntu) and make sure that iptables is enabled for bridging traffic and to match on the physical address, not the bridge. This will redirect traffic coming from the bridge on eth1 (the usb dongle) to a local port 22041 where I have a python script running to process the inputs.

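Code:
# Make sure this is 1. If it isn't, set it with:
#   echo 1 | sudo tee /proc/sys/net/bridge/bridge-nf-call-iptables
cat /proc/sys/net/bridge/bridge-nf-call-iptables
# prints: 1

# Redirect only port-80 TCP traffic that entered the bridge via eth1 to local port 22041.
sudo iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 22041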