• SNMP on IPsec can't get information. My question or a bug?

    Locked | 4 posts | 0 votes | 4k views

    @jimp:

    The problem lies in how FreeBSD and others source UDP replies from hosts with multiple interfaces in certain cases, and also how IPsec works with the FreeBSD kernel.

    The SNMP daemon will always reply to a query from the interface IP "closest" to the client, from a routing perspective. If you have no direct connection and no static route, it will reply via the default route (WAN IP), and the WAN IP isn't a part of the IPsec tunnel, so the traffic doesn't get back to the client, and even if it did, the IP wouldn't match and it would be dropped.

    Binding to the LAN IP forces it to only use the one single IP, which then matches IPsec and it works. Because it isn't bound to any other IP, it can't use the "wrong" one to reply. This is the best fix. If you need to reach it via another interface, use port forwards to nudge the traffic to the LAN IP.

    The routing workaround fixes it because the route will make the firewall send the traffic out the LAN IP, and it is then grabbed by IPsec.

    For the same reason you also can't query the SNMP daemon on an interface IP that is "far" from you. For example, if you're in the LAN subnet, you can't query the WAN address and get a proper reply, because the response will come from the LAN IP when the query went to the WAN IP, and it will be dropped.

    Thank you!
    This feels too complicated, already more than I can solve.
    I decided to change my approach,
    because all I need from the WAN and LAN sides is to receive the data; either will do.

  • SNMP information cannot be obtained from the WAN

    Locked | 5 posts | 0 votes | 4k views

    @cmb:

    It isn't by default; you have to permit it with firewall rules, and not have SNMP bound to LAN only.

    Of course, I know the firewall has to allow the connection.
    I tried a rule on the WAN interface allowing access to UDP port 161 on the WAN address.
    I tried allowing it on all LAN interfaces.
    I set NAT entries for SNMP on LAN and WAN. Failed.
    (Of course, the firewall rules were automatically linked.)

    Please help, thanks.

  • SNMP Uptime is not real

    Locked | 4 posts | 0 votes | 35k views

    Name/OID: .1.3.6.1.2.1.1.3.0; Value (TimeTicks): 340 hours 16 minutes 14 seconds (122497403)
    Name/OID: .1.3.6.1.2.1.25.1.1.0; Value (TimeTicks): 510 hours 7 minutes 9 seconds (183642985)
    Uptime: 21 days, 06:07 (510 hrs 7 mins)

    According to my loaded MIBs:

    Name sysUpTime!@#.iso.org.dod.internet.mgmt.mib-2.system.sysUpTime
    OID .1.3.6.1.2.1.1.3
    Descr The time (in hundredths of a second) since the network management portion of the system was last re-initialized.

    Name hrSystemUptime!@#.iso.org.dod.internet.mgmt.mib-2.host.hrSystem.hrSystemUptime
    OID .1.3.6.1.2.1.25.1.1
    Descr The amount of time since this host was last initialized.  Note that this is different from sysUpTime in the SNMPv2-MIB [RFC1907] because sysUpTime is the uptime of the network management portion of the system.

    If memory serves, I changed the trap destination about 2 weeks ago (340 hours or so); that would've restarted the SNMP daemon.
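    The two counters above differ for the reason the MIB descriptions give: sysUpTime restarts whenever the agent restarts, hrSystemUptime only when the host boots. The script below is an added example, not code from the thread or from pfSense, that parses the two values in the format the poster's MIB browser printed (the sample lines are constructed from the numbers quoted above), renders them, and flags an agent restart that happened without a reboot, which is what you want to know when hunting a crashing snmpd or an unexplained service bounce.

```python
"""Compare the two SNMP uptime counters pfSense exposes.

Added example, not code from the thread. sysUpTime (.1.3.6.1.2.1.1.3.0)
restarts whenever the SNMP agent restarts; hrSystemUptime (.1.3.6.1.2.1.25.1.1.0)
restarts only when the host boots. The input below is constructed in the
format the poster's MIB browser printed, using the values quoted in the thread.
"""
import re

TICKS_PER_SEC = 100            # TimeTicks are hundredths of a second
SYS_UPTIME_OID = ".1.3.6.1.2.1.1.3.0"
HR_SYSTEM_UPTIME_OID = ".1.3.6.1.2.1.25.1.1.0"

# Constructed sample (values from the thread).
SAMPLE = """\
Name/OID: .1.3.6.1.2.1.1.3.0; Value (TimeTicks): 340 hours 16 minutes 14 seconds (122497403)
Name/OID: .1.3.6.1.2.1.25.1.1.0; Value (TimeTicks): 510 hours 7 minutes 9 seconds (183642985)
"""

LINE_RE = re.compile(r"Name/OID:\s*(\S+);\s*Value \(TimeTicks\):.*\((\d+)\)$")


def parse_timeticks(text):
    """Map OID -> raw TimeTicks for every TimeTicks line in text."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def describe(ticks):
    """Render TimeTicks as 'D days, HH:MM:SS' (whole seconds)."""
    days, rem = divmod(ticks // TICKS_PER_SEC, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days} days, {hours:02d}:{minutes:02d}:{seconds:02d}"


def uptime_report(text, slack_s=60):
    """Return (host_ticks, agent_ticks, agent_restarted, note).

    agent_restarted is True when the agent has been up for less time than the
    host by more than slack_s seconds, i.e. snmpd was restarted without a
    reboot (config change, crash, or someone bouncing the service). An agent
    counter larger than the host counter means one of them wrapped (TimeTicks
    is 32-bit, about 497 days) or was reset, which SNMP alone cannot untangle.
    """
    ticks = parse_timeticks(text)
    host, agent = ticks[HR_SYSTEM_UPTIME_OID], ticks[SYS_UPTIME_OID]
    gap = host - agent
    if gap < -slack_s * TICKS_PER_SEC:
        return host, agent, False, "sysUpTime exceeds hrSystemUptime; suspect counter wrap"
    if gap > slack_s * TICKS_PER_SEC:
        return host, agent, True, f"agent restarted {describe(gap)} after boot"
    return host, agent, False, "agent uptime matches host uptime"


if __name__ == "__main__":
    host, agent, restarted, note = uptime_report(SAMPLE)
    print("host  uptime:", describe(host))
    print("agent uptime:", describe(agent))
    print(note)
```

    For the thread's numbers this reports a host uptime of 21 days and an agent restarted about 7 days after boot, which is consistent with the trap-destination change the poster remembers. If you graph only sysUpTime, a crash of the daemon looks like a reboot; polling both OIDs separates the two.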

  • Monitor RTT values with Nagios?

    Locked | 5 posts | 0 votes | 8k views

    @jimp:

    Not sure about that - I think if you install nrpe2 it should show the command paths in the package settings.

    Oops. Didn't know that it was already installed on the pfSense system and had an NRPEv2 option in the web GUI. …Services --> NRPEv2

    For googlers:

    1 - Created plugin -

    #!/bin/sh
    # NRPE check: gateway RTT from pfSense's apinger status file.
    # Fields are '|'-separated: field 1 = monitor IP, field 3 = gateway name,
    # field 7 = delay such as "12.345ms". Only the first line (first gateway)
    # is read; with several gateways the variables would otherwise hold
    # several lines and the numeric tests would break.
    status=/tmp/apinger.status
    line=`head -n 1 $status`
    real_rtt=`echo "$line" | cut -f7 -d '|' | sed 's/ms$//'`   # e.g. "12.345"
    rtt=`echo "$real_rtt" | cut -f1 -d '.'`                     # integer part, e.g. "12"
    isp=`echo "$line" | cut -f3 -d '|'`
    ispIP=`echo "$line" | cut -f1 -d '|'`
    stateid=3   # UNKNOWN unless a branch below matches
    if [ "$rtt" -lt 50 ]; then
      echo "Normal - $isp RTT OK for $ispIP : $real_rtt ms"
      stateid=0
    elif [ "$rtt" -lt 100 ]; then
      # 50 <= rtt < 100 (the original left exactly 50 and 100 unmatched)
      echo "Warning - $isp RTT Increasing for $ispIP : $real_rtt ms"
      stateid=1
    else
      echo "Alert - $isp RTT Critical for $ispIP : $real_rtt ms"
      stateid=2
    fi
    exit $stateid

    2 - SCPed plugin to /usr/local/libexec/nagios directory
    3 - pfSense web GUI –> Services --> NRPEv2
    4 - Create new entry with check_pfsense_gateway_rtt as name and select the same name from plugin drop down menu:
    [attachment image 1]
    5 - add entry to /etc/nagios/services.cfg

    define service{
        use                     basic-service
        service_description     pfSense
        servicegroups           local
        host_name               pfsensegw1
        check_command           check_nrpe!check_pfsense_gateway_rtt
    }

    6 - add hostgroup entry to /etc/nagios/hosts.cfg for the pfsense

    define host{
        use                     basic-host
        host_name               pfsensegw1
        alias                   pfsensegw1
        address                 192.168.1.1
        hostgroups              firewalls,pfsense
    }

    7 - add entry to /etc/nagios/commands.cfg

    # pfSense
    define command{
        command_name    check_pfsense_gateway_rtt
        command_line    $USER1$/check_pfsense_gateway_rtt -H $HOSTADDRESS$
    }

    8 - service nagios reload
    9 - open nagios and check to see if service appears under your host. In my case "pfsensegw1"
    [attachment image 2]

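    The same check written as a Python plugin, as an added example rather than the poster's script. It reads the same /tmp/apinger.status file but evaluates every gateway line instead of only the first, gives exact threshold values a deterministic state, returns UNKNOWN rather than a random exit status when the file is missing or unparsable, and appends Nagios performance data so the RTT can be graphed. The status lines in the block are constructed. Python is not part of a stock pfSense image, so this assumes it has been added to the firewall (or that the status file is shipped to a host that has it).

```python
#!/usr/bin/env python3
"""Multi-gateway RTT check over pfSense's apinger status file.

Added example, not the poster's plugin. Field layout as the sh version uses
it: '|'-separated, field 1 monitor IP, field 3 gateway name, field 7 delay
such as "12.345ms". Sample lines below are constructed.
"""
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Constructed sample of /tmp/apinger.status with two gateways.
SAMPLE_STATUS = """\
203.0.113.1|203.0.113.10|WAN_DHCP|1332445221|1332445228|0ms|12.345ms|0%|none
198.51.100.1|198.51.100.10|WAN2|1332445221|1332445228|0ms|87.001ms|0%|none
"""


def parse_status(text):
    """Return [(name, monitor_ip, rtt_ms), ...]; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7:
            continue
        delay = f[6].strip()
        if delay.endswith("ms"):
            delay = delay[:-2]
        try:
            rows.append((f[2], f[0], float(delay)))
        except ValueError:
            continue
    return rows


def classify(rtt_ms, warn=50.0, crit=100.0):
    """OK below warn, WARNING from warn up to crit, CRITICAL from crit.
    Bounds are inclusive on the worse side, so no value falls through."""
    if rtt_ms >= crit:
        return CRITICAL
    if rtt_ms >= warn:
        return WARNING
    return OK


def check(text, warn=50.0, crit=100.0):
    """(exit_code, plugin output line) for a whole status file."""
    rows = parse_status(text)
    if not rows:
        return UNKNOWN, "UNKNOWN - no gateway entries found in apinger status"
    worst, parts, perf = OK, [], []
    for name, ip, rtt in rows:
        state = classify(rtt, warn, crit)
        worst = max(worst, state)
        parts.append(f"{name} {ip} {rtt:.3f} ms ({LABEL[state]})")
        perf.append(f"'{name}_rtt'={rtt:.3f}ms;{warn:g};{crit:g}")  # Nagios perfdata
    return worst, f"{LABEL[worst]} - " + ", ".join(parts) + " | " + " ".join(perf)


def main(path="/tmp/apinger.status"):
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        print(f"UNKNOWN - cannot read {path}: {exc}")
        return UNKNOWN
    code, out = main_output = check(text)
    print(out)
    return code


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

    Drop it in /usr/local/libexec/nagios next to the sh version and register it under the same NRPEv2 entry; the worst state across gateways becomes the service state, and each gateway still shows its own RTT in the output.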

  • VPN status over SNMP.

    Locked | 3 posts | 0 votes | 12k views

    Thanks for your response.

    I already found a solution. I used the CheckWMI check; this allows you to ping via a remote host to another remote host. For the people that are interested, visit http://www.renzokuken.org/post/4231212752/how-to-ping-a-remote-server-from-a-remote-windows

    Cheers.  ;)

  • Snmpd crashes and wont restart

    Locked | 3 posts | 0 votes | 9k views

    Hmm, very strange.

    We poll the 2 network interfaces every minute for graphing, and process / hardware information every 30 min.

    So no complete snmpwalk, just simple SNMP values.

    If I restart the service over the web interface it crashes shortly after. If I reboot the pfSense appliance it works for 1-2 days without problems.

    This did not happen at all with pfSense 2.0.0, but regularly with 2.0.1.

    cu
    stefanero

  • How do I account for this traffic?

    Locked | 5 posts | 0 votes | 6k views

    correct

  • SNMP with CARP MIB?

    Locked | 7 posts | 0 votes | 8k views

    Thanks, that was illuminating.

  • Monitering users

    Locked | 2 posts | 0 votes | 5k views | last reply by jimp

    There isn't a good way to get that info from IPsec unless you scrape the log and look. We are working on making that better for 2.1.

  • How to Moniter particular Host

    Locked | 2 posts | 0 votes | 3k views | last reply by marcelloc

    You have some options to do that.

    Using packages, you can install ntop, darkstat, lightsquid...

    Using scripts or the console, you can use

    pftop
    pftop -o age -f "dst 192.168.AAA.BBB"
    pftop -o age -f "src 192.168.AAA.BBB"

    rate
    /usr/local/bin/rate -i rl0 -r 5 -Aa 20 -lc 192.0.0.0/8

    iftop

  • How to monitor Network

    Locked | 1 post | 0 votes | 3k views | No one has replied
  • Spiceworks

    Locked | 1 post | 0 votes | 9k views | No one has replied
  • SNMP OID for State Table?

    Locked | 7 posts | 0 votes | 8k views

    @jimp:

    The SNMP OIDs for various pf bits can be found here in the pf MIB:

    http://files.pfsense.org/jimp/BEGEMOT-PF-MIB.txt

    Ah ha! Perfect! Right there at the top of the MIB is pfStateTable with an object-type description of "Number of entries in the state table."

    That sounds like exactly what I need.

    Thank you.
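    Once you have the object, the useful part is what you do with the number. The block below is an added example, not code from the thread or from pfSense: it parses the count out of net-snmp's snmpget output, scores the fill level against the firewall's maximum-states setting, and, separately, watches the rate of growth between polls, since a scan or SYN flood blows the state table up long before a fill-level threshold trips. The numeric OID is pfStateTableCount.0 as defined in the MIB linked above (enterprises.12325 = fokus, .1 = begemot, .200 = begemotPf, .3 = pfStateTable, .1 = pfStateTableCount); confirm it against your copy of the file. The snmpget line and the sample series are constructed; the live poll assumes net-snmp's snmpget on the polling host and bsnmpd serving the pf MIB on the firewall.

```python
"""Polling pfStateTableCount from BEGEMOT-PF-MIB and turning it into a check.

Added example, not from the thread. OID taken from the MIB linked in the
thread; verify against your copy. The snmpget output line and the sample
series are constructed; max_states is the firewall's maximum-states setting.
"""
import re
import subprocess

PF_STATE_TABLE_COUNT_OID = ".1.3.6.1.4.1.12325.1.200.1.3.1.0"   # pfStateTableCount.0
INTEGER_RE = re.compile(r"=\s*INTEGER:\s*(\d+)\s*$")

# Constructed: what `snmpget -On` prints for the OID above.
SAMPLE_LINE = ".1.3.6.1.4.1.12325.1.200.1.3.1.0 = INTEGER: 4821"
# Constructed: one count per minute, ending in a sudden burst of new states.
SAMPLE_SERIES = [4800, 4850, 4900, 12400, 19900]


def parse_snmpget_integer(line):
    """Value of an 'OID = INTEGER: N' varbind as printed by net-snmp snmpget."""
    m = INTEGER_RE.search(line.strip())
    if not m:
        raise ValueError(f"not an INTEGER varbind: {line!r}")
    return int(m.group(1))


def fetch_state_count(host, community, version="2c"):
    """Live poll through the net-snmp CLI (not exercised offline)."""
    proc = subprocess.run(
        ["snmpget", "-On", "-v", version, "-c", community, host, PF_STATE_TABLE_COUNT_OID],
        capture_output=True, text=True, check=True)
    return parse_snmpget_integer(proc.stdout)


def utilisation_state(count, max_states, warn_pct=70.0, crit_pct=90.0):
    """(Nagios code 0/1/2, percent full) from the current count."""
    pct = 100.0 * count / max_states
    if pct >= crit_pct:
        return 2, pct
    if pct >= warn_pct:
        return 1, pct
    return 0, pct


def growth_alerts(samples, interval_s, max_states, frac_per_min=0.05):
    """Indexes (and deltas) of samples where the table grew by more than
    frac_per_min of its capacity per minute. The rate is the earlier signal
    of a flood or scan; the fill level only trips once damage is near."""
    max_delta = max_states * frac_per_min * interval_s / 60.0
    return [(i, samples[i] - samples[i - 1])
            for i in range(1, len(samples))
            if samples[i] - samples[i - 1] > max_delta]


if __name__ == "__main__":
    count = parse_snmpget_integer(SAMPLE_LINE)
    code, pct = utilisation_state(count, max_states=100000)
    print(f"states={count} ({pct:.1f}% of limit) -> nagios code {code}")
    for i, delta in growth_alerts(SAMPLE_SERIES, interval_s=60, max_states=100000):
        print(f"sample {i}: +{delta} states in 60s exceeds growth budget")
```

    With a 100000-state limit the constructed series trips the growth check on the last two samples (7500 new states per minute against a 5000 budget) while the fill level is still under 20 percent, which is the point of tracking both.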

  • Help please; need to generate trap when ipv4indrops are more than 50%

    Locked | 1 post | 0 votes | 3k views | No one has replied
  • OID for SNMP

    Locked | 2 posts | 0 votes | 4k views

    Have you looked at the information for FreeBSD?

  • Firewall Stats VIA SNMP

    Locked | 2 posts | 0 votes | 5k views | last reply by jimp

    Have a look at the pf MIB, should have all the answers.

    http://files.pfsense.org/jimp/BEGEMOT-PF-MIB.txt

    These are also available:

    http://files.pfsense.org/jimp/BEGEMOT-HOSTRES-MIB.txt

  • Bridge and SNMP problem

    Locked | 2 posts | 0 votes | 3k views | last reply by jimp

    I'm not entirely sure that could be considered a bug… sort of a quirk in how SNMP in general works. If it gets a query from an IP in a subnet that is directly connected, it will probably respond from that IP rather than the IP you queried, since it's a more direct path.

    It's always best to talk to the IP "closest" to you when possible.
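    The reply above and jimp's longer explanation in the "SNMP on IPsec" thread near the top of this page describe the same thing: a daemon listening on every address answers from the address of the interface the route back to the client leaves through, not from the address that was queried. The block below is an added example that is not code from either thread or from pfSense. It models that source selection over a constructed topology (the addresses, the IPsec subnet and the routes are all made up for illustration) and shows the three outcomes the threads cover: the unbound daemon replying from the WAN address to an IPsec peer, the fix of binding it to the LAN address, and the static-route workaround, plus the "query the far address from the LAN" case.

```python
"""Which address does an SNMP daemon reply from?

Added example, not code from either thread. Models the FreeBSD behaviour the
replies describe: a daemon bound to every address answers from the address of
the interface the route back to the client leaves through (longest-prefix
match, default route otherwise). If that is not the address the manager
queried, the reply is dropped by the manager's socket or a stateful firewall
on the path, or never enters the IPsec tunnel. Topology below is constructed.
"""
import ipaddress

INTERFACES = {                                  # constructed addresses
    "wan": ipaddress.ip_interface("203.0.113.10/24"),
    "lan": ipaddress.ip_interface("192.168.1.1/24"),
    "dmz": ipaddress.ip_interface("192.168.50.1/24"),
}
DEFAULT_ROUTE_IFACE = "wan"
# Remote subnets reachable only through the IPsec tunnel, whose local side is
# the LAN subnet, so only LAN-sourced packets match the tunnel policy.
IPSEC_REMOTE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
IPSEC_LOCAL_IFACE = "lan"


def egress_interface(client_ip, static_routes=None):
    """Longest-prefix match over connected subnets plus optional static routes
    ({"prefix": "iface"}); falls back to the default route's interface."""
    client = ipaddress.ip_address(client_ip)
    routes = [(ifc.network, name) for name, ifc in INTERFACES.items()]
    routes += [(ipaddress.ip_network(p), name) for p, name in (static_routes or {}).items()]
    best, best_len = DEFAULT_ROUTE_IFACE, -1
    for net, name in routes:
        if client in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def reply_source(client_ip, bind_ip=None, static_routes=None):
    """Source address of the daemon's reply to client_ip."""
    if bind_ip is not None:                 # bound daemon: only one address exists
        return str(ipaddress.ip_address(bind_ip))
    return str(INTERFACES[egress_interface(client_ip, static_routes)].ip)


def reply_ok(client_ip, queried_ip, bind_ip=None, static_routes=None):
    """True when the reply matches the queried address and can reach the client."""
    src = reply_source(client_ip, bind_ip, static_routes)
    if src != str(ipaddress.ip_address(queried_ip)):
        return False                        # source mismatch: manager drops it
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in IPSEC_REMOTE_NETS):
        # Only packets sourced from the tunnel's local side are grabbed by
        # IPsec; anything else heads out the default route and never arrives.
        return src == str(INTERFACES[IPSEC_LOCAL_IFACE].ip)
    return True


if __name__ == "__main__":
    cases = [
        ("IPsec peer -> LAN IP, unbound",      "10.20.5.5",    "192.168.1.1",  None,          None),
        ("IPsec peer -> LAN IP, bound to LAN", "10.20.5.5",    "192.168.1.1",  "192.168.1.1", None),
        ("IPsec peer -> LAN IP, static route", "10.20.5.5",    "192.168.1.1",  None,          {"10.20.0.0/16": "lan"}),
        ("LAN host -> WAN IP",                 "192.168.1.50", "203.0.113.10", None,          None),
        ("DMZ host -> LAN IP",                 "192.168.50.7", "192.168.1.1",  None,          None),
    ]
    for label, client, queried, bind, routes in cases:
        print(f"{label:38s} reply from {reply_source(client, bind, routes):15s} "
              f"{'OK' if reply_ok(client, queried, bind, routes) else 'DROPPED'}")
```

    To confirm what a real box does rather than what the model predicts, capture on the manager with `tcpdump -ni <iface> udp port 161` and compare the source address of the reply with the destination address of the query; when they differ you are looking at exactly the drop described above, and binding the daemon to the queried address (or adding the route) is the fix.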

  • Snmpmon for iPad

    Locked | 1 post | 0 votes | 3k views | No one has replied
  • SQUID-MIB pass-through

    Locked | 2 posts | 0 votes | 8k views | last reply by jimp

    A one-liner in net-snmp's snmpd.conf, or in bsnmpd? pfSense uses bsnmpd, not net-snmp's daemon.

  • Snmp

    Locked | 1 post | 0 votes | 5k views | No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.