Wednesday, October 10, 2018

Interesting contrast to 4 years ago.

Funny I shared this article on Facebook 4 years ago when feeling depressed at the phone and cloud centric home automation then. Interesting to read again in light of the voice and cloud centric home automation we see now. Though SmartThings has been moving away from the cloud most have not and the voice interfaces are being marketed as "home automation" even though they are basically just remote controls.  Four years ago was also before I scrapped my Veras and upgraded to Homeseer which pretty much ticks all the boxes. The only real missing bit for Homeseer is Zigbee support. Though between Hue and SmartThings hubs that can be linked into Homeseer as well. Plus there are very few Zigbee devices that are not available in Z-wave and or WiFi versions these days.

Monday, October 1, 2018

Wanting to monitor your fridge / freezer?

For fridge / freezer monitoring this Wireless Tag is definitely the way to go.   They also give you motion alerts, talk to about anything, cheap compared to most and will even give you verbal alerts in a browser.

There is both a simple interface for things like basic notifications

And a scripting interface called Kumo Apps that lets you do even more and call local URLs making it easy to interface with home automation like Homeseer. There are lots of templates to get you started.

Here is an example of how to send the data to Homeseer
var tags = <#tags_[12|13|26|32|52|62|72|21]_N#>;
function (tag) {
tag.updated = function () {

if( === "Comp Rack 0"){
 KumoApp.httpCall(""+(tag.batteryVolt / 3.2),"GET");
 KumoApp.httpCall(""+(tag.temperature * 9 / 5 + 32),"GET");

How well do they work?

I've been using them for years and on a whim stuck one in the fridge and another in freezer last February along with a AcuRite 00782A2 Wireless Indoor/Outdoor Thermometer (outdoor module in freezer). They stayed close to each other in readings. Note battery life is reduced by the cold. Freezer one lasts only about 3-4 months. Generally they last closer to a year.

You will need a hub "Ethernet Tag Manager" for them to talk to but it is low cost too.

Note though I have had no luck with the Wireless Water/Moisture Sensors The soil moisture never worked and even the temp sensors seem erratic in the new ones. Plus the batteries are not replaceable like the indoor models.

Also if you start seeing random false motion alerts it probably means the battery is about ready to be changed.

Monday, September 10, 2018

Monitoring: the often overlooked automation.

What do I mean by monitoring

Being able to control things like your lights, TV excreta with your voice is nice and seems to be enough for a lot of people. At least till they discover a few well placed sensors with turn those lights off and on automatically. That is making the jump from remote control to automation and in a way could be considered monitoring but is not what I'm referring to. Simple monitoring would be like:

  • What I posted in UPS monitoring to tell me if a UPS monitor is offline.
  • Having IFTTT update a Homeseer virtual timer that triggers an alert if your Fitbit has not posted sleep in over 30 hours to monitoring the system itself. 
  • Having a smart plug power a cycle a camera that has dropped offline for several minutes

Stuff breaks, crashes or batteries simply die. In the case of batteries they might die while the system is still reporting them as good. Unless you are watching for missing data you might not know it is missing until you try and use the data or the control it is linked to.

My ChkSensors.vb script

Inspired by the BLRadar Plug-In for HomeSeer I wrote simple script ChkSensors.vb that is called hourly and looks at any Homeseer device object not in an ignored location and has the HomeSeerAPI.Enums.dvMISC.SET_DOES_NOT_CHANGE_LAST_CHANGE flag unset. The HomeSeerAPI.Enums.dvMISC.SET_DOES_NOT_CHANGE_LAST_CHANGE flag when set only updates the Last Change value if the value is changed from the previous update. The rub of course is that while many hardware devices update all values at the same time not all so and some plugins even set the HomeSeerAPI.Enums.dvMISC.SET_DOES_NOT_CHANGE_LAST_CHANGE flag during updates so those need to be ignored.  Currently my script is checking 449 of my 1788 "devices". Note a device in Homeseer is data stream or control so an Aeon 6in1 sensor for example is 8 Homeseer devices.

That may not seem like much but it covers all my Z-wave, Hue and Harmony devices along with several things monitored via Ethernet / WiFi. For example My alarm panel is seen by Homeseer as 19 devices. 16 zones and 3 other devices. In know "Root" and "Partition 1" change every time I open a door or change modes so that will happen at least a few times a day. Even if I was out of town someone would have to come feed the animals. Anyway that means I really only need to monitor 1 device to confirm Homeseer and the alarm are still talking to each other.
You will notice the script tags the devices (not in ignored locations) that it is not monitoring with a  which is a bit of a hack but makes it easy to know which devices have the flag set without having to open them up. Especially since, as mentioned above, some plugins force that flag unset.
There to you will notice with the Aeon 6in1 above I'm monitoring only Humidity, Luminance, UV and Temperature. Root nodes on Z-wave devices never seem to update. UV never reaches this sensor so it is never sent. Motion and tamper are not monitored because the location is were there should not be any animals and I want to alert me is any get in there. Hence the motion and Home Security devices should not update unless there is a problem.

Note too the script checks devices at 3 age levels. Anything not ignored over 48 hours old, any in the chk24 group over 24 hours old and anything in the chk1 group over 1 hours old.


If a device is found to be last updated too long ago has its current Location2 (called Category in my system) saved to the device's UserNote field before setting its Location2 to offline. This makes listing all the devices that need looked at simple. The last thing the script does if there are any devices found offline is to give you a verbal warning. Assuming warnings are not muted. See SayIt.vb. What you get is something like this
To give some examples the Laundry door sensors tell me for some reason I have not opened that door in 24 hours which is odd but not a big deal. Same UPSBox_DC_Sensor_chan4 not getting triggered since yesterday when I went out get a package. Again normally I open the box each evening when filling the south feeder but yesterday it was raining so I skipped it. The WirelessTag ones though are an issue. And a very strange one at that. Looking on the server all the data is there and no errors are in the logs. Even stranger there appears to be no pattern to which data is getting updated and what is not. I have 8 tags linked. Each has 4 data streams (plus battery level which has never worked for some reason). This happened once before. Then tags 0 and 2 were not updating. Rebooting the WirelessTag hub did not help but repowering it did. This time 0 and 1 are the only ones updating. Worse yet only the temp of tag 1 has updated since I repowered this time.
There was an exception in the logs this time at 9/8/2018 at 5:06 PM but nothing before or since which makes me suspect the hub is going out. Though it might be a bad update from what I see here.

Want some more examples of why you might need monitoring?

Last week my Rachio got knocked offline by a storm. It shows in the list. I reboot it and all is well. Better than finding when wondering why the plants are wilting.

Today I had an alert for the north lights in the barn. A Z-wave wall switch. A quick check and I found the breaker had tripped. Better than finding by needing to see in the barn and not having lights that work.

An event example in case you need

If you have read this far you probably already know how to trigger this from an event but in case you are not that deep in the woods yet here is what the event looks like.

Helper methods

There are a couple other helpful things in that script as well to simplify life. For example
fixFlagsByType lets you set the HomeSeerAPI.Enums.dvMISC.SET_DOES_NOT_CHANGE_LAST_CHANGE flag on any device in offline by passing it part of the type name. For instance any BLOnkyo Plug-in device
fixFlagsByRoom does similar by room (dv.Location)

initFlags unsets HomeSeerAPI.Enums.dvMISC.SET_DOES_NOT_CHANGE_LAST_CHANGE flag on all devices not in the filtered locations to get you started.

Honeywell Vista 20P linked to Homeseer

Since this is mainly a wired panel I'll assume your house is wired. If not you will need to run wires and install switches and or sensors around the house. Or optionally get the wireless interface and sensors.

Items you will want

Honeywell VISTA-20P Ademco Control Panel, PCB in Aluminum Enclosure 
Eyez-On Envisalink EVL-4EZR IP Security Interface Module For DSC and Honeywell (Ademco) Security Systems
Honeywell Security 6160 Ademco Alpha Display Keypad (You seem to still need this to program the panel despite adding the above web interface.)
For a battery I used a Mighty Max Battery 12V 9Ah Compatible Battery for APC Back-UPS NS1250 mainly because I buy them in bulk for my UPSs.
Unless you get a battery for an alarm system it will probably have standard tabs so will need these F2 to F1 Sealed Lead Acid Battery Terminal Adapters
You will also need some 18 gauge wire to go from the panel to the transformer.

Useful guides:

Vista 20P / 15P wiring guide Note the keypad and the IP interface connect to the same place.

Envisalink install programming guide which gets you the first 8 zones programmed.

Honeywell VISTA 15P, 20P Programming Guide

Note if you wired doubled zones of need to change the hardwire type on those zones. See this doc for info on that. Also you need to program both zones. For example if 2 is doubled then you need to set the type on zone 2 and enable zone 10. And confirm Zone Type is correct for both.

Once done the local web interface should loo like this
And the network page like this

Not much there really. It is really only useful for setup. If you do have a problem you will still need to go to the EyezOn status page to get more than a "trouble" indicator. Note EnvisaLink TPI Status will offline till the Homeseer plugin is configured.

The EyezOn status page will look like this (Note MAC and public IP blacked out)

 Oddly the *29 error does not seem to really matter. The docs say it means the "Enable IP/GSM/LRR Shadowing" option is not checked in the local interface but it seems not to matter and be a 21P thing as flipping options did not seem to make it go away and it does not seem to be stopping anything from working. Ignoring for now and will update if solution found later.

Again not a lot useful here accept the log activity. By default the zones are labeled by number. You can put names on them to make them clearer by going to Settings

Then Zone Labels. Then add a name for each zone. When done it will look something like this.

Now your log will look like this

Note however it only seems to only keep closures in the log after a sensor has been closed.
To unhighlight the sensor that was tripped / clear fault on keypad (even in unarmed mode) you need to disarm a couple times. Note there may be a lag in seeing this in the web interfaces.

Homeseer plugin

In Homeseer you will need to add the Envisalink Ademco (Spud) plugin
The config screen looks like this

The devices create (by clicking the Update zone devices button) look like
Note your may not have the  as that indicates it is not health checked in my setup. See my ChkSensors.vb script.

A cheat sheeting on arming and disarming from the panel Note the Chime disarmed option is not supported by the plugin as a control but it does recognize it when set on a keypad.

Friday, September 7, 2018

Running a camera on battery

What I wanted to achieve.

I wanted to get a cam on my mailbox which across the street. But the closest place to an outlet that could get line of sight is over 300 feet from any building and across the driveway. So we are talking major construction to run a line or POE cable out there. I already have a couple cams down by the creek running longer distances from my super AP ( a UniFi AP Outdoor+ with a Ubiquiti Airmax Omni AMO-2G10 10Dbi 2.4 GHz Rocket antenna) so I started to wonder what kind of battery would it take to power a camera.

Moved the body of this to my camera blog where it makes more sense after adding camera compare info. Leaving this here to make it easier to find.

Friday, August 31, 2018

Replacing Weatherbridge hardware

Ambient Weather WEATHERBRIDGE Universal WIFI IP Ethernet Server for Weather Stations, Compatible with Alexa is pretty sweet for a simple standalone box to upload your weather data to multiple locations. The price ranging as low as  $200 with shipping is pretty reasonable too though if your unit dies after a few years you would probably prefer to just replace just the hub and not a whole new setup including license. Fortunately replacement hardware is pretty cheap look for a TP-Link N150 Wireless 3G/4G Portable Router with Access Point/WISP/Router Modes (TL-MR3020) I found one on Amazon for $28.69

Note you probably have the older v1 version. The one I found was a v3 hub which uses a the smaller USB connector than the V1 and only needs to plug into one USB port on a hub for power.

You just need to follow these instructions after reading the rest of this..
One vital bit is missing. Make sure switch, next to Ethernet jack  is set to AP mode. In other modes the MR3020 is hard coded to come up as and wants to be your router which might cause issues with your network.

If you need to get TFTP running you should be able to google plenty of quick how-tos like this one for CentOS 7.

Be sure and test TFTP is working from another PC like
tftp> binary
tftp> verbose
Verbose mode on.
tftp> get tp_recovery.bin
getting from to tp_recovery.bin [netascii]
Received 8126464 bytes in -5.9 seconds [-11040379 bit/s]
tftp> quit

Note if you do not have a Linux PC to try it from get Cygwin

Now what you might not have caught above is the IP address have to be If you have only a network with addresses in of 192.168.0.X then you should be good. If your network is a more common address like 192.168.1.X then you should still be OK with the ip addr add dev eth0 instruction to fake the address. Problems arise if you have multiple networks, like you should be doing, and one of them has addresses of 192.168.0.X. In that case both the TFTP server and the hub being flashed need to be on that network.

Now holding the button 15 seconds seems like it might be too long or too short. You want to hold it till the second LED starts blinking to trigger the download of the software. I discovered this by trial and error while watching traffic to the TFTP server port.

All that said when I tried this my network seemed to get royally screwed up. Many of the things on the 192.168.0.X network needed repowered, not just rebooted, to get them back online. Might have been coincidence but happened just as the hub came back up. The flash did seem to work though.

That just left the problem of the MAC having changed. Even though you can spoof the MAC in the underlying OpenWrt code (which might fool your router) the Meteobridge software pulls the MAC directly from the Ethernet card so the Meteobridge license and Ambient Weather Network uploader sees it as a new station. Meteobridge says to email them at info(at) with the old and new MACs to transfer your license in the 14 day trial period. I'll have to update whether that works. Ambient Weather Network on the other hand I seem to have to add as a new station. That seems to work on their end but when I tell the Meteobridge to upload to it I get
Meteobridge settings successfully reloaded
Error: Ambient Weather Network: EXPIRED
Still trying to sort that.

Update a week later:

Found my email to info(at) bounced. Seems they use Spamhaus lists and Spamhaus has decided to blacklist Spectrum's network. So I guess if you email them use a Gmail account. Resent email. Still no solution to to the Ambient Weather Network issue but do having it uploading elsewhere

After another week

After sending email to meteobridge from Gmail the license shows good for Meteobridge but not the Ambient Weather Network. Seems the only way to get it working again is to give them $150.  Broke down and paid for a new license but it does not seem to take affect immediately despite having received a confirmation email and rebooted. Will check again tomorrow. If you can get a new WeatherBridge for $200 and need to upload to Ambient Weather Network it might be worth it to get the new bridge instead of saving $20 but having to deal with flashing and getting licenses sorted. As I'm writing this the price diff is only $19.51.

One more day

Finally back uploading to Ambient Weather Network. Which gets me back to where I was before the hub crashed.

Friday, August 10, 2018

Be careful out there!

I ran across something this week you should probably be aware of. I was checking my Spectrum modem was not set to default passwords. Spectrum seems to have stopped setting them up with the factory default passwords. (While bad for people like me that like to monitor signal strength and know the password is changed it is probably a plus over all given how few seem to change their modems and routers from the defaults.) Anyway I googled the common ones used to see if the one (or ones) Spectrum is using might be online. The first link returned took me a page that looked like useful logins to try. But then I started getting warnings that this page was trying to probe my network. Without a paranoid level of network threat management I might not have even known. Note one of the things that set off alarms in my network was it was trying to use https to avoid packet inspection which, due to cert mismatch, triggered warnings. Another was one of addresses it tried to probe was the router for a test network, that while configured, has no devices on it at the moment.

Who cares? Well this is how some newer threats are getting past your firewall to your networked devices. They run probes on your network looking for devices with known exploits that they can then turn into a back doors into your network to take control of even more of your devices and even set them up to monitor your traffic. Then of course there are the malware cryptominers that that suck all your CPU. For an example of the level of adventure see

Sunday, June 24, 2018

Use Windows WMI and Powershell to send data to Homeseer

For instance if you want to sent the average temperature or the CPU cores on your Windows PC to Homeseer virtual devices so you can trigger and action on temperature too high.
Create a user to use for updating if you do not already have one

Create a virtual device in Homeseer similar to this
Be sure and uncheck  "Do not update device last change time if device value does not change:"

Note -1 is set by script if it encounters and error getting data for the virtual

Create a script like the script below replacing with your Homeseer IP address
wmi with the user you created
wmiPass with the password for the above user.
4570 with the ref ID of the virtual device you created

function Get-Temperature {
    $t = @( Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" )
    $cores = 0
    foreach ($temp in $t)
        $CORES += 1
        $currentTempKelvin = $temp.CurrentTemperature / 10
        $currentTempCelsius = $currentTempKelvin - 273.15
        $tempTotal += $currentTempCelsius 
        $currentTempFahrenheit = (9/5) * $currentTempCelsius + 32

        #write ($currentTempCelsius.ToString() + " C : " + $currentTempFahrenheit.ToString() + " F : " + $currentTempKelvin + "K")

    return $tempTotal / $cores


$url="" + $avgTemp
#write ("avgTemp="+$avgTemp)
#write ("url="+$url)

(New-Object System.Net.WebClient).DownloadString($url);

My script is called cpuTemp.ps1 and is in C:\diags so I set up an task to run every hour (you can make it as often as every 5 minutes) like this.

Plus you probably want to set these

For more of a rounder picture with logging, here is a fuller script. Do not forget to change the highlighted bits.

## set these to your servers values
$Logfile = "C:\diags\$(gc env:computername).log"
## also update disk list in local drives at bottom

## if you need help figuring out why something is not working try
## removing # from any place you see #Write in the method with the problem.


## for even fancier logging see
Function Write-Log($Message) {

    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $Line = "$Stamp $Message"
    If($logfile) {
    ## to stop logging put a # in front of next line
        Add-Content $logfile -Value $Line
    Else {
        Write-Output $Line

function sendData($ref,$value) {
#write ("ref="+$ref)
#write ("value="+$value)
    Write-Log ($url)
    $resp = (New-Object System.Net.WebClient).DownloadString($url);
    #write $resp
    $respObj = ConvertFrom-Json($resp)

    if (! $respObj.Name ) {
       Write-Error ("Error:"+ $resp)
       Write-Error ($url)
    Write-Log ($resp)

function sendError($ref,$err) {
    Write-Error ("Error for:"+$ref+":"+$err)
    #Write-Log ($err)
    sendData $ref -1

function updateDiskFree($diskLetter,$diskRef) {
    try {
        $filter = "DeviceID='"+$diskLetter+"'"

        $disk = get-wmiobject -class "Win32_LogicalDisk" -namespace "root\CIMV2" -Filter "$filter" | Select-Object Size,FreeSpace
        $size = [math]::round($disk.Size/1GB, 2)
        $free = [math]::round($disk.FreeSpace/1GB, 2)
        $freePercent=[math]::round(($free/$size * 100), 2)
        #write ($diskLetter+" "+$diskRef+" size="+$size+" free="+$free+" free="+$freePercent+"%")

        sendData $diskRef $freePercent
    } catch {

        sendError $diskRef $_

## other temp options:
## root\cimv2:Win32_TemperatureProbe CurrentReading
function Get-Temperature {
    try {
        $t = @( Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" )
        #write $t
        $cores = 0
        foreach ($temp in $t)
            $cores += 1
            $currentTempKelvin = $temp.CurrentTemperature / 10
            $currentTempCelsius = $currentTempKelvin - 273.15
            $tempTotal += $currentTempCelsius 
            $currentTempFahrenheit = (9/5) * $currentTempCelsius + 32

            Write-Log ("Core "+$cores+":"+$currentTempCelsius.ToString() + " C : " + $currentTempFahrenheit.ToString() + " F : " + $currentTempKelvin + "K")
        sendData $tempRef ($tempTotal / $t.Count)
    } catch {
        sendError $tempRef $_


## CPU load
try {
    $load=Get-WmiObject win32_processor | select LoadPercentage
    sendData $loadRef  $load.LoadPercentage
} catch {
    sendError $loadRef $_

## free RAM
try {
    $os = Get-Ciminstance Win32_OperatingSystem
    $pctFree = [math]::Round(($os.FreePhysicalMemory/$os.TotalVisibleMemorySize)*100,2)
    sendData $pctFreeRef $pctFree
} catch {
    sendError $pctFreeRef $_

## watch log length
try {
   #write (Get-Item $Logfile)
   $logLen = [math]::Round((Get-Item $Logfile).length / 1MB,3)
    sendData $logLenRef $logLen
} catch {
    sendError $logLenRef $_

## count updates pending
try {
    $UpdateSession = New-Object -ComObject Microsoft.Update.Session
    $UpdateSearcher = $UpdateSession.CreateupdateSearcher()
    ## does not want to filter on and DownloadPriority=2 or and DownloadPriority>1 so extra update is listed
    $Updates = @($UpdateSearcher.Search("IsHidden=0 and IsInstalled=0").Updates)
    $Updates| Select-Object Title,IsMandatory,IsDownloaded,RebootRequired,AutoSelection,AutoDownload,MsrcSeverity,DeploymentAction,DownloadPriority

    if ($Updates.Count > 1) {
        write ("Updates pending:"+ $Updates.Count)
    sendData $updateRef $Updates.Count
} catch {
    sendError $updateRef $_

## local drives
updateDiskFree "C:" 4571
updateDiskFree "D:" 4572
updateDiskFree "E:" 4574
updateDiskFree "P:" 4573
## drobo
updateDiskFree "L:" 4578
updateDiskFree "Z:" 4579

Which looks like this

When I deployed to my second PC I found not even the Administrator could run scripts and had to set its policy to Bypass. See this Microsoft doc for more info on that.

Also the temperature readings are the same and unchanging on both PCs I've deployed to so far so they might not be useful despite all the posts out there claiming they are.

Tuesday, May 29, 2018

UPS monitoring

Here is an example of setting up a Raspberry Pi 3 to monitor a few UPSs.
Note you can also install on Windows, iOS and other Linux versions but for a UPS not near a PC, a Raspberry Pi 3 works a treat.

Install the apcupsd and chkconfig packages from the software manager or via yum
yum install apcupsd chkconfig -y
Note apcuspd works with many non APC brand UPSs like Cyber Power. 

This is what apcupsd has to say about multiple UPSs on a box though it uses the old style init.d structure the the current binaries for CentOS 7 for example do not.

For the first one you can use the standard files. For more than one things get a bit trickier as you need to pass parameters the built in functions do not support. Below has the added steps for adding a second, third .... UPS. Replace the 2 in apcupsd2 in each step with the number of the UPS. For first UPS just leave off the 2.
Note NISPORT 3551 is for UPS 1, 3552 for UPS 2 and so on
Note DEVICE  hiddev0 is for UPS 1, hiddev1 for UPS 2 and so on

To see which UPS is on which port use these commands
First see what ports are in use with
ls /dev/usb/hiddev*

Then for each listed run this swapping in the matching device name for hiddev0
udevadm info --attribute-walk --name=/dev/usb/hiddev0 | egrep 'manufacturer|product|serial'

mv /etc/apcupsd2/apcupsd.conf /etc/apcupsd2/apcupsd.conf.bak
vi /etc/apcupsd2/apcupsd.conf
Add lines like these
## apcupsd.conf v1.1 ##
#  for apcupsd2 release 3.14.12 (29 March 2014) - debian
# "apcupsd2" POSIX config file
DEVICE /dev/usb/hiddev1
LOCKFILE /var/lock
SCRIPTDIR /etc/apcupsd2
PWRFAILDIR /etc/apcupsd2
NOLOGON disable
EVENTSFILE /var/log/
UPSCLASS standalone
UPSMODE disable
STATFILE /var/log/apcupsd2.status

vi /etc/init.d/apcupsd2
Replace the script lines with this. You should similarly alter /etc/init.d/apcupsd to match removing the 2 from the highlighted areas.



# Provides:             apcupsd2
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Should-Start:         $local_fs
# Should-Stop:          $local_fs
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Starts apcupsd2 daemon
# Description:          apcupsd2 provides UPS power management for APC products.

NAME=`basename $0`

DAEMON_OPTS="-d 9 -f ${CONFDIR}/apcupsd.conf"
DESC="UPS power management:${NAME}"

test -x $DAEMON || exit 0

test -e $CONFIG || exit 0

set -e


if [ "x$ISCONFIGURED" != "xyes" ] ;

        echo "Please check your configuration ISCONFIGURED in /etc/default/apcupsd"
        exit 0

case "$1" in

                echo "Starting $DESC: "
                rm -f ${CONFDIR}/powerfail
                PS=`ps -ef | grep ${CONFDIR}/apcupsd.conf | grep -v grep`
                if [ "$PS" = "" ]
                        echo "start-stop-daemon --start --pidfile $PID --exec $DAEMON -- $DAEMON_OPTS"
                        start-stop-daemon --start --pidfile $PID --exec $DAEMON -- $DAEMON_OPTS
                        sleep 1
                        $APCACCESS status -f ${CONFDIR}/apcupsd.conf
                        echo ""
                        echo "A copy of the daemon is still running.  If you just stopped it,"
                        echo "please wait about 5 seconds for it to shut down."
                        echo $PS
                        exit 0


                $APCACCESS status -f ${CONFDIR}/apcupsd.conf


                echo -n "Stopping $DESC: "
                start-stop-daemon --stop --oknodo --pidfile $PID || echo "Not Running."
                #rm -f $PID
                echo "$NAME."


                $0 stop
                sleep 10
                $0 start


                echo "Usage: $N {start|stop|restart|force-reload}" >&2
                exit 1

exit 0

On CentOS 7
vi /usr/lib/systemd/system/apcupsd2.service
and add the 2 in the paths

Description=APC UPS Power Control Daemon for Linux

ExecStartPre=-/bin/rm -f /etc/apcupsd2/powerfail
ExecStart=/sbin/apcupsd -b -f /etc/apcupsd2/apcupsd.conf


Mark ready by editing master conf file
vi /etc/default/apcupsd
Change the line

Set to auto start by running
chkconfig apcupsd2 on

On CentOS 7 instead do (replace 2 as needed)
/bin/systemctl enable apcupsd2.service
firewall-cmd --permanent --add-port=3552/tcp
firewall-cmd --reload
semanage port -a -t apcupsd_port_t  -p tcp 3552
semanage port -a -t apcupsd_port_t  -p udp 3552

If iptables is enabled you might need to run this command for each port too.
iptables -I INPUT -p tcp --dport 3551 -j ACCEPT

Lastly start it.
/etc/init.d/apcupsd2 start

On CentOS 7 instead do
/bin/systemctl start apcupsd2.service

Test with
apcaccess status -f /etc/apcupsd2/apcupsd.conf
apcaccess -h
Where is the IP address of the system you are on

With both you should see something like this
APC      : 001,032,0743
DATE     : 2018-06-28 14:55:07 -0500
VERSION  : 3.14.14 (31 May 2016) redhat
UPSNAME  : ShopRack
CABLE    : USB Cable
UPSMODE  : Stand Alone
STARTTIME: 2018-06-28 14:52:33 -0500
MODEL    : CP 1000D
LINEV    : 123.0 Volts
LOADPCT  : 9.0 Percent
BCHARGE  : 100.0 Percent
TIMELEFT : 54.3 Minutes
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
MAXTIME  : 0 Seconds
OUTPUTV  : 123.0 Volts
DWAKE    : 0 Seconds
LOTRANS  : 90.0 Volts
HITRANS  : 140.0 Volts
ALARMDEL : 30 Seconds
TONBATT  : 0 Seconds
CUMONBATT: 0 Seconds
STATFLAG : 0x05000008
NOMINV   : 120 Volts
NOMPOWER : 580 Watts
END APC  : 2018-06-28 14:55:09 -0500

Other CentOS 7 quick checks / trouble shooters

Output of:
firewall-cmd --list-ports
Should contain the ports use above
3389/tcp 8443/tcp 137/tcp 138/tcp 139/tcp 445/tcp 901/tcp 3306/tcp 3552/tcp 3551/tcp

Output of:
semanage port -l | grep apcups
Should contain the ports use above
apcupsd_port_t                 tcp      3552, 3551
apcupsd_port_t                 udp      3552, 3551
Note udp should not be needed but since the apcupsd install enabled it for the first one I enabled it for the second as well to be consistent.

Lastly you might see error in /var.logs/messages like
SELinux is preventing apcupsd from read access on the file /var/log/

To fix run the commands
ausearch -c 'apcupsd' --raw | audit2allow -M my-apcupsd

semodule -i my-apcupsd.pp

For more on sorting SELinux issues look at this.

If things did not work take a look at the wiki page for help debugging and / or triggering local actions on events. Note the script they show has the line
. /lib/lsb/init-functions
Odds are nothing below that line in the script gets executed due it being overridden by 
/lib/lsb/init-functions.d/40-systemd which /lib/lsb/init-functions probably pulls in as an include. Hence the custom script above.

Now you should be able to aim your monitor at the host and port to pull in the UPS stats. For instance with Homeseer's Apcupsd plugin.

Which let's you monitor and trigger events on most of these data bits.

Monday, April 23, 2018

Where is my robot maid?

This article, Amazon Has a Top-Secret Plan to Build Home Robots, is making the rounds but it is kind of depressing. (It is also depressing how many other articles are coming up in Google searches that are just book reports on the Bloomberg article without any getting new details on their own. Bot journalism I guess.) Anyway it makes it sound like we'll never get robot maids. In part because we do not want them. WTF?! I've been wanting one forever! Have you ever met someone that did not want one? OK maybe not for the quoted price but an affordable one sure. When the Hero came out back in the 1980s they seemed just around the corner. Then the whole electronics DIY market seemed to stumble there for a bit while a lot techie types moved into programming for awhile. But the dream was still alive. Google beer fetching robot for example and you get loads of links and videos like this one.

Yet despite having fairly decent voice interfaces, wide spread wireless data links, relatively cheap drones that can follow and pan you around and avoid obstacles getting home, much less self driving cars, most bots seem about as advanced as the Heroes we had back in the 1980s that had nothing but an 8 bit CPU and a floppy drive to work with. So what is the hold up? I don't need a human looking android or even something that walks on legs, which seems to be the focus these days. Show me something that looks like a Johnny 5 and can do laundry and such on its own for a few grand and I'll preorder it now.

Look at the ER1, a platform from over 15 years back now that was basically a frame that you mounted a laptop into. One of the sample tasks was waving a bottle in front of its camera and it would go get one. It was like $700 (with optional arm) plus laptop. I went to a demo they were doing at Frys, got there like 5 minutes before it was supposed to start and was told the salesman had already left because he did not think there was enough people there to make it worth the effort. If only he'd waited to see all the people that left work early to get there after he'd gone. Then I decided to just get one direct online but for some reason they decided to sell only to schools. What you won't even take my money?! Looks like they are out of biz now. Wonder why. Which goes back to my point, we had these 15 years ago. Why don't I have one that can do the laundry by now? We have hardware now that way out performs what we had back then including CPUs, cameras, recognition systems, motors and batteries so it should be simple to at least market something better than we had 15 years ago. The latest security cameras for example do face and even pet recognition of them walking through a room and only cost $299. That was SciFi 15 years ago. Another example NiCad batteries were still a thing then.

Look at this laundry folding robot that was making the news not long ago. Comes in at about $1K and you still need someone to load it? It is little more than this folding board you can get for $10. Why not make it a bit more, put some arms and a camera on it so it hang and or fold the stuff in the dryer and then move the laundry from the washer to dryer? Got room for basket it ought to be able to sort colors and whites at least well enough to make loads too. If you have room for a couple baskets you could pre-sort. Extra points if it is mobile and can be moved into the kitchen to do dishes.

Which brings me to this self proclaimed THE WORLD'S FIRST ROBOTIC KITCHEN that was in the news this week. $75K and all it does is cook and maybe the dishes. It looks like it is actually a kitchen with arms. But from the video it still looks like you have to setup the ingredients for it. They also show it closing the top loading dish washer but not how it gets the plates to put in it. It might make sense in a restaurant but you would have to be the kind rich to have a cook on staff to install one at home.  And again they go on about how life like the hands are. Why does a kitchen appliance need life like hands? How much cheaper is one with grippers and snap in tools instead? The inventor says $75K is about the same price as a standard kitchen but given the median home in the US is $326K I'm not buying it. Anyway a robot that can do the laundry would seem it least as useful plus a lot easier and cheaper to build. Not to mention retro fit, especially if it is mobile and only needs to be placed in front of the washer and dryer.

So in closing Amazon I truly hope you are going to get us something as useful as Alexa has been and not just an Alexa powered Jibo as the the article implies. We do not need an Alexa with more personality. We need one that is mobile with arms.

IDS, IPS and general bad site blocking

Been a fun week. 

Been see a lot of warnings 

like this lately

Still not clear on who is but their cert is expired and blocking them seems to have no affect so I did. Same with the other expired certs that came up. If you see a pop up telling you cert is iffy block it. If you have other blocking tools add that domain.

Then I saw a lot of warnings about a known JavaScript miner site being included in sites I'm visiting. Nothing that weird either. The site is After I explicitly blocked the JavaScript I got a warning it was trying an HTML method from my antivirus!

Then I see this article when looking for why the extension got disabled

 Google cuts fake ad blockers from Chrome Store: Were you among 20 million fooled?
Adremover, the one I was using, was the most downloaded of the ad blockers in the extension store. It was downloaded by 10 million! It also was blocking so much stuff that I had to keep turning it off to use a lot of sites. I'm not sure how long Adremover was off before I noticed but I think all the expired cert warning started about the same time. So I'm not sure calling it a "fake" ad blocker is exactly accurate.

As a stop gap I upped my OpenDNS filtering to include "Adware" and "Hate/Discrimination" though it does not seem to be stopping all that much.
I'm guessing that is because so many sites are moving code to sites on blocked lists and adding other blocker detector to try and force us to turn them off. Note I have no problem with ads as long as they are vetted for malware and do not slow the page loads to a crawl but responsible advertising seems to be mighty rare these days.

I upgraded my internet:

With just my workstation plugged into the modem I'm not really seeing much of an improvement in download speed but upload is better than expect and that was my bottleneck. The cable guy's meter was showing over 900 Mbps down but I did notice it jumped up from ~350 to over 900 close to the end of the test so it is probably a burst speed more than a solid speed. This seems to confirm what I'm seeing. New Spectrum GIG no where near 940 Mbps But then I do not see buffering watching HD content even while running speed tests and downloading updates all at the same time so I don't think download speed will prove to be an issue anytime soon.

There was a bit of a mix up and Starz was not in the bundle I got so had to add that again. Still ended up adding Showtime, Cinemax and Starz plus doubling my upload speed for less than $20 more a month. Not bad. One weird bit though is I seem to have lost channel 511, HBO HD east. They have no clue why. Error says temp issue so maybe will sort on its own. Since I almost never watch live, picking up on the west feed is not biggie.

The new internet setup is kind of strange too. They bring out a modem AND a router. Seems you do not need to use their router and it does not have the phone interface so you need to keep the old modem/router as well just for the phone. Instead of using their router I think I'll stick a pfSense box instead. I was planning on adding one anyway later. I'll need to rewire some stuff though so I'll be on and off probably for the rest of this weekend.

I put one of my old NETGEAR Nighthawk R7000 from before my Unifi conversion in place while I got OPNsense installed This turned out to be VERY bad for throughput but at least I had some protection while I got OPNsense ready.

So now I'm setting up OPNsense.

From what I'm reading in forums and groups, OPNsense is a fork / more user friendly version of pfSense  so I decide to go with it. Also see pfSense® vs OPNsense®: technical comparison and this compare from a guy that installed both. One of the co-founders of pfSense joined Unifi awhile back and the additions they are now making to Unifi fall somewhere in between OPNsense and pfSense from what I as a user see. As I mention below though it seems unlikely current Unifi hardware will be able handle the load of processing high bandwidth data so going with a standalone box makes more sense for probably at least the next year.

I'm using a Dell 745 with an Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz (2 cores), CDROM drive, 2 TB HD and 8 GB RAM. It is just spare I had been using initially for OpenShift testing but is not really powerful enough for any real projects I do these days but well beyond what a Unifi USG can do with a dual-core, 500 MHz processor, 512 MB DDR2 RAM and 2 GB of storage.

Install went smooth (the occasional label did not match the instructions but it was generally obvious what to do next) except for one thing. The DVD image failed half way though coming up because it seemed to be unable to find the USB DVD drive I had booted from. I had even less luck with a USB stick image as they would not even boot but that might have more to do with the age of the PC I'm using. Note when installer the new machine I found the installer went through without error the second time but got the same CD not found error the first time so this might just be an intermittent issue.

Even more detailed instructions can be found in Building a BSD home router (pt. 5): Installing OPNsense

From the picture above you can see It performed well as a router even after turning off hardware offloading but when I turned on full IPS it took a real hit.

The CPU usage is frequently hitting 100% though so I think that is at least part of the problem. I'll need to try swapping in a Dell 780 with a  Intel(R) Core(TM)2 Quad CPU Q9550  @ 2.83GHz box and see it that improves things. For now though it mainly seems to be affecting download and upload so not pressing. This is what the dashboard looks like (WAN IP blacked out here of course).
Just unchecking  IPS mode on the OPNsense Services: Intrusion Detection: Administration page, but leaving IDS enabled, pretty much gets us back to normal.
Having IPS on was also causing check for updates to fail.



So far the traffic reports look about the same as what I'd get from Unifi though in my case it helps me to filter just what is talking or not talking to the outside world. Otherwise Unifi pretty much wins here.


Now this is the bit I wanted OPNsense for. Unifi has started adding much of this in but with the CPU their routers have it just can't cope with processing this amount of data. Turning IPS on with the low end USG router people are reporting download speeds in the 50 Mbps range. As mentioned above even the Dual core I'm using for OPNsense is struggling with full IPS on (29905 rules) and drastically reduced max speeds. Granted that many rules is probably over kill. Especially when looking at the alert log and seeing almost all the hits were for this one rule

Unifi has a similar geo filter but currently you can only have on where OPNsense lets you have many.

Both let you get just alerts or drop packets. Note the above test had both set to alert instead of drop. Unifi set to alert only mode hardly affected throughput at all while block mode definitely does. With OPNsense it was not as clear because setting IPS mode on here

Seems drag down the system as if packets are being block even though the rules themselves have their "Action" set to Alert. Though looking at the above Unifi rule that would seem to imply it is blocking these packets yet OPNsense is still seeing them would imply it is working similar. But then too the only IPS alerts I've seen from Unifi since turning alerts on are:
IPS Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From:, to:, protocol: TCP, in interface: eth1 11:30 04/18/2018
IPS Alert 2: Misc Attack. Signature ET DROP Dshield Block Listed Source group 1. From:, to:, protocol: TCP, in interface: eth1 19:12 04/11/2018
An IP that appears to be in Netherlands though the attached phone number and some of the contact info is Czech.

My Unifi IPS setting look like this


Have to say I like the amount of stuff you can cram onto the console. Her I have it in 4 column mode and this is not even everything you can stick on there. Surprised there seems to be no way to hide or shrink the left nav menu as customizable as the rest is.

ssh access

Seems checking Permit password login does not seem to work. You still need to use ssh keys.

Adding speedtest to the OPNsesnse box

This should work but did not for me
curl -Lo speedtest-cli
chmod +x speedtest-cli

So as a work around I copy pasted into vi from a browser. Note you will need to change the first line from python to python2.7 either way so it can find the python command.
Run it like this

For keeping track create a cron job that writes to a csv file

As root run (changing 16089 to the server ID you want to test against)
/root/speedtest-cli --server 16089 --csv-header > /usr/local/www/speedtest.csv
That sets the headers for you
Then set up a cron job to run with
crontab -e
Note it uses the vi editor so you need to know the right commands for that. Should look like this

Update it appears the crontab is getting overwritten so you may have to redo this from time to time.
To avoid this you need to create a /usr/local/opnsense/service/conf/actions.d/actions_speedtest.conf file and add

command:/root/speedtest-cli --server 16089 --csv >> /usr/local/www/speedtest.csv
description:Run a speed test

message:running speed test %s

After saving run
service configd restart
to load action file changes then
configctl speedtest test
to test it. You should get an OK as a response. Then add as a cron job through the web GUI like this
This should add a line to the crontab but does not seem too. Nor did it run at first even after reboot but then started running later. No obvious reason why but the line I manually added to the crontab disappeared about the same time. Still not adding a line in crontab though so being handled else where.

Once it is running you can download the speedtests results file by pointing your browser to (assuming your web interface it on of course)

Odd bits

The LAN interface switched from, the static assigned, to, a DHCP address, at one point for no obvious reason.

Sometimes the extension just seems to hang when run while on the dashboard page.

As mentioned above check updated fails with IPS on. It appeared it was because the Core(TM)2 CPU is just not powerful enough to handle both at the same time. But I'm seeing the same with the Quad Core and the CPU is under 40% max.

I found a good starting point for rules in this pfSense post
Basically this sets:

  • emerging-drop
  • emerging-botcc.portgrouped
  • emerging-botcc
  • emerging-ciarmy
  • emerging-compromised
  • emerging-dshield
  • emerging-tor
  • emerging-worm
  • emerging-trojan
  • emerging-mobile_malware
  • emerging-malware
  • snort

Note on Snort. There are a lot of Snort rules. I filtered the list for "snort", selected all then enabled selected which enabled about half of them. I then also enabled Snort VRT/blacklist.
After reenabling IPS mode speed test and load looks like this

Note the much improved CPU usage. That upload is way low but after turning off IPS I got an even worse run and then a slightly better one which makes me wonder if the speed tests are telling me anything. External factors must be throwing them off or something is causing flux in the OPNsense box I can't see.

Note the CPU usage has actually gone up even though IPS is now off which makes no sense at all.

Web GUI seems to have gotten slugish after enabling IPS even when traffic and CPU is low. eventually the dropped packets got so bad I rebooted but it did not seem to help so as a last ditch attempt I repovered the box after checking the cards were all well seated. This seems to have helped at least for now. Speedtest with IPS off

And Speedtest with IPS back on.

Doing more research Seeing 0% packet loss after repower but back to 20% and other weirdness within an hour.

Swapped out the 1 PCIe x1 network card (WAN side) and the 2 PCI cards (the slots the mother board had open) with a 4 port PCIe x4 card in place of the unneeded video card in the PCIe x16 slot and things have improved a lot! The next morning I was still seeing 0% packet loss and higher speeds than I had connected to the modem directly.

Last night I even hit over 40 Mbps up.

This is with these plugins installed
os-acme-client (orphaned)1.13221KiBLet's Encrypt client
os-dyndns (orphaned)1.6_1134KiBDynamic DNS Support
os-intrusion-detection-content-snort-vrt (orphaned)1.012.4KiBIDS Snort VRT ruleset
os-smart (orphaned)1.215.9KiBSMART tools

And IPS on with the same ET and Snort rule sets as before.

Update: 5/17/2018 This are looking better though the results to vary a good bit.

Some of that might be from all that else is going on though. For instance here
There is about 40 mbps down and 5-6 mbps up going on besides the speed test. The fastest download test I was only seeing 8 mbps up because of how fast the security cams were triggering and transferring alert pics to the cloud that day.

I also added a Pi-Hole DNS filter which has shifted some load from Chrome and the OPNsense. To give you an idea here is the dashboard showing the number of DNS requests it is handling.
So simple to set up I will not even try to improve on the instructions. Just in time too as the ad blocker Chrome extension I had been using got caught doing stuff.