I have one node (123451) on which I want to monitor and control two other nodes (123452 & 123453) using Allmon3.
I modified allmon3.ini to look like this:
Also, as @kk6rq wrote, to ensure what you type does not get modified when posted you want to wrap your multi-line blocks of text (above and below) with 3 backticks.
Also, if you’re routing AMI over the public internet, you probably should firewall TCP port 5038 on each of your nodes to only be accessible to the host running Allmon3, which hopefully has a static IP address.
@N2DYI commented that TCP port 5038 on the server/node you are monitoring needs to be accessible. This means that any firewall on that server/node needs to be opened up and you may also need to update the router port forwarding rules. Remember, this opens up a network path so be advised, be careful, allow access only to those hosts/networks that you trust, accept the risks, etc.
I'm not sure how I missed the host= line and used the port number on the host line unless that was something I copied from another post.
The good news is I have one of the two reporting.
I had opened the Firewalld port and fixed any port forwarding in routers.
The second one says check server logs. The second one has the web access on a non-standard port. I would not suspect that as the problem. Now if I knew where the allmon3 logs were...
All three nodes are on dynamic addresses. They may not change very often, like after a power failure. Can I set the bindaddr to a URL? If so that would be easy.
Oct 24 20:15:49 node671071 allmon3[1029]: ERROR: (asl_allmon.ami_conn) Logon failure msg=(Response: Error Message: Authentication failed )
Oct 24 20:15:49 node671071 allmon3[1029]: ERROR: (asl_allmon.allmon3_ws_status) No connection for 650110.nodes.allstarlink.org:5038 on 16702 due to unreachable AMI - waiting 15 seconds
OK, I see what I did wrong. At first I followed the manual but I wanted to use URLs and used what was a Supermon example. Maybe the manual should have an example like:
I would like to restrict the nodes being monitored/controlled to only one host. e.g. I only want node 1 to be able to monitor/control node2 and node3. All three nodes are on dynamic addresses.
Can I do bindaddr=123451.nodes.allstarlink.org
Can I somehow use permit and deny to limit access?
Is the AMI user and pass sent in the clear?
Can I somehow limit port 5038 in the firewall to only a specific URL?
P.S. I did get all three working after a complete reboot of all three nodes.
IMO, it would be much simpler and much more secure to just put all of the nodes on a VPN (Tailscale, etc) and have them communicate with each other in a secured private network, rather than doing all of this directly over the WWW and trying to secure it yourself.
If you're not a fan of "cloud" stuff, you can set up your own Wireguard "server". Tools like PiVPN make getting started with WG easy.
You are continually confusing IP addresses, DNS names, and URLs, which is likely making this more complicated for you than is necessary. Specifically, a DNS name is nnnnnn.nodes.allstarlink.org. In the most basic sense, a DNS is used just the first time to find the IP address. If/when the DNS name is re-resolved within an application is an exceedingly complicated topic that ends up being app specific. A URL is a formalized pattern used by certain applications to find a resource. The most commonly encountered URL is a web URL - e.g. https://community.allstarlink.org/t/allmon3-monitor-control-remote-nodes/23889/16 is the URL for this post.
So some things based on your posts:
In iax.conf the bindaddr= attribute is specifically and only for "which IP addresses do I listen to on this host?" The default is 127.0.0.1 for localhost and the other reasonable setting is 0.0.0.0 which means "listen on any IP address". You can list a specific, non-localhost address but that's only beneficial in a very limited set of circumstances.
Most importantly, bindaddr does not control any sort of access from other hosts. It's simply telling AMI where to listen.
Presumably, what you're trying to do is limit inbound TCP/5038 access on what you're calling "node2" and "node3". On the host firewall (use Cockpit or firewall-tui on ASL3 appliances) or some other firewall (VPS firewall, router, etc.) restrict inbound TCP/5038 to only node1's public IP address. You generally cannot use a DNS name here and URLs are not used in IP firewalling. If/when node1's IP changes, you'll need to change the IP on node2 and node3's firewalls.
Alternatively, do what Mason suggests, which is to build some sort of intra-node tunnel using something like Wireguard or Tailscale. Then you can use all fixed IPs on RFC1918 addressing that won't change your Asterisk and Allmon configurations.
AMI is not encrypted by default. You can enable a TLS-encrypted version of AMI but that isn't supported by Allmon3 and other common AllStarLink tools.
You could use permit and deny in manager.conf but that doesn't reduce your security profile. That's just an additional form of authentication, but the port is still available everywhere.
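An added example (not posted by anyone in this thread, and not part of Allmon3 or ASL3) of the firewall restriction recommended earlier: keep a firewalld rich rule on node2/node3 that admits TCP/5038 only from node1's current public IP, and re-check it from cron so a dynamic-IP change on node1 is picked up. It assumes firewalld (as on ASL3 appliances), that node1's nnnnnn.nodes.allstarlink.org name resolves to its public IP, and that the 5038 rule is the only rich rule for that port; the node name, IPs and rule listing below are constructed placeholders.

```python
"""Keep a firewalld rich rule for AMI (TCP/5038) in sync with node1's current IP.

Added example, not part of the thread or of Allmon3/ASL3. Assumes firewalld
is the host firewall, node1 is reachable via its nnnnnn.nodes.allstarlink.org
DNS name, and the only rich rules for TCP/5038 are the ones this script manages.
"""
import re
import socket
import subprocess

AMI_PORT = 5038

# One-line form that `firewall-cmd --list-rich-rules` prints for a port rule.
RICH_RULE_RE = re.compile(
    r'rule family="ipv4" source address="(?P<src>[\d./]+)" '
    r'port port="(?P<port>\d+)" protocol="tcp" accept'
)


def rich_rule(source_ip: str, port: int = AMI_PORT) -> str:
    """Rich rule that accepts TCP `port` only from the single host `source_ip`."""
    return (f'rule family="ipv4" source address="{source_ip}/32" '
            f'port port="{port}" protocol="tcp" accept')


def current_ami_sources(list_output: str, port: int = AMI_PORT) -> list[str]:
    """Parse `firewall-cmd --list-rich-rules` output and return the /32 source
    addresses currently allowed to reach `port`."""
    sources = []
    for line in list_output.splitlines():
        m = RICH_RULE_RE.search(line.strip())
        if m and int(m.group("port")) == port:
            sources.append(m.group("src").removesuffix("/32"))
    return sources


def sync_commands(list_output: str, node1_ip: str,
                  port: int = AMI_PORT) -> list[list[str]]:
    """Compute the firewall-cmd invocations that leave exactly one rich rule for
    `port`, permitting only `node1_ip`. Returns [] when nothing needs changing,
    so the script is idempotent and safe to run from cron."""
    cmds = []
    allowed = current_ami_sources(list_output, port)
    for stale in allowed:
        if stale != node1_ip:  # node1's IP moved: drop the old permit
            cmds.append(["firewall-cmd", "--permanent",
                         f"--remove-rich-rule={rich_rule(stale, port)}"])
    if node1_ip not in allowed:
        cmds.append(["firewall-cmd", "--permanent",
                     f"--add-rich-rule={rich_rule(node1_ip, port)}"])
    if cmds:
        cmds.append(["firewall-cmd", "--reload"])  # permanent rules need a reload
    return cmds


def main(node1_name: str = "123451.nodes.allstarlink.org") -> None:
    """Live path: resolve node1's name now, read the real rule list, apply."""
    node1_ip = socket.gethostbyname(node1_name)  # placeholder node name
    listing = subprocess.run(["firewall-cmd", "--list-rich-rules"],
                             capture_output=True, text=True, check=True).stdout
    for cmd in sync_commands(listing, node1_ip):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main()
```

Two caveats, both already implied in the thread: the rich rule only helps if TCP/5038 is not also opened wholesale with a plain `--add-port=5038/tcp` in the same zone, and a rule keyed to node1's public IP does nothing for the fact that the AMI login still crosses the internet unencrypted, which is the case for a VPN/tunnel instead.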
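For reference, an added example (not from this thread or from the ASL3 distribution) of what the permit/deny form in manager.conf looks like, with the point above written into the comments: it is a second authentication check on top of the secret, not a replacement for the host firewall, and bindaddr is not an access list. The IP and secret are constructed placeholders; set the read/write permissions to whatever your Allmon3 setup actually needs.

```ini
; manager.conf (added example; the IP and secret are placeholders)
[general]
enabled = yes
; bindaddr only says which local addresses AMI listens on. It does not
; restrict who may connect, so 0.0.0.0 still exposes 5038 on every interface.
bindaddr = 0.0.0.0
port = 5038

[allmon3]
secret = REPLACE_WITH_LONG_RANDOM_SECRET
; Conventional pattern: blanket deny, then permit only node1's public IP.
; Asterisk still accepts the TCP connection from anywhere before checking
; this list, and the secret is sent in the clear, so restrict TCP/5038 in
; the firewall as well, or run AMI only over a VPN/tunnel.
deny = 0.0.0.0/0.0.0.0
permit = 203.0.113.10/255.255.255.255
read = all
write = all
```

When node1's dynamic IP changes, this permit line has to be updated on node2 and node3 just like the firewall rule would, which is the maintenance burden the VPN suggestion above avoids.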