Netgate Discussion Forum

    pfSense not responding to SNMP polling from SNMP server

    • K
      kwangmien

      Hi All,

      I have a SNMP server polling the pfSense device, but there is no response from the pfSense device.

      I did the following :

      a. Enabled SNMP service in the pfSense device
      b. Set the same community string in the pfSense device and SNMP server
      c. Added a Firewall rule at the WAN interface to allow ANY source sending to port 161

      When I run tcpdump on the pfSense device, I can see the SNMP packet is received by the pfSense device, but it did not respond.

      Can anyone advise if there are other settings to make to allow pfSense to respond? Are there any settings to allow the SNMP server's IP address in pfSense?

      Thanks

      Regards
      Kwang Mien

      • keyserK
        keyser Rebel Alliance @kwangmien

        @kwangmien SNMP on WAN? That doesn’t sound right. The built-in SNMP is v2 and thus not encrypted, so make sure not to open and query on WAN but rather on trusted LAN.

        Love the no fuss of using the official appliances :-)

        • kiokomanK
          kiokoman LAYER 8 @kwangmien

          @kwangmien

          There is a "Bind Interface" option on the SNMP service; is it configured correctly?
          The rule, I think, should be: allow any, destination "This Firewall", port 161.

          Anyway, it is like keyser says, it's not good on WAN.

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          • K
            kwangmien @keyser

            @keyser said in pfSense not responding to SNMP polling from SNMP server:

            built in snmp is v2 and thus not encrypted so make sure not to open and query on WAN but rather on t

            Ok. Thanks for the advice. Currently, I am testing out the SNMP feature for pfSense.

            • K
              kwangmien @kiokoman

              @kiokoman The Bind interface is set to WAN.

              I did further testing and found:

              a. The pfSense device is behind a NAT router. When the SNMP server is in the same internal network as the pfSense, the pfSense responds to the SNMP poll from the SNMP server.

              b. When the SNMP server is in the external network and tries to poll the pfSense device, although the SNMP packet is received at pfSense, it did not respond, according to tcpdump at the pfSense device.

              I suspect somewhere in the configuration of pfSense, it is blocking external IP addresses, as the result shows that SNMP polling from an internal IP address works.

              Regards
              Kwang Mien

              • K
                kwangmien

                Hi All,

                Is there any IP address to be allowed in bsnmpd in pfSense?

                I found that bsnmpd is blocking the SNMP poll coming from an external IP address. When the SNMP poll came from the same network as the pfSense device, pfSense will respond.

                Regards
                Kwang Mien

                • keyserK
                  keyser Rebel Alliance @kwangmien

                  @kwangmien BSNMP responds to all valid requests (proper community string), if it’s set up to listen on the interface the packet arrives on AND a firewall rule allows the packet to the listening address. So if it’s blocked, it is the firewall rules that are not created properly.

                  However, you seem to have a NAT router in front of pfSense and want to reach pfSense behind that. That can only be done if a port forward is created in the NAT router. Otherwise the packet is blocked at the NAT router.

                  • K
                    kwangmien @keyser

                    @keyser

                    a. I have checked the filter.log and there is no blocking of the external IP address by the firewall rules for the SNMP poll.

                    b. I also did a tcpdump at the pfSense device, and the SNMP poll message came into the pfSense device after the port forwarding at the NAT router.

                    Can you advise if there are any bsnmpd logs that can show if the SNMP poll is received at bsnmpd?

                    Thanks

                    Regards
                    Kwang Mien

                    • keyserK
                      keyser Rebel Alliance @kwangmien

                      @kwangmien Sorry, do not know of a log option for bsnmp.

                      If your tcpdump does not show an SNMP response going out upon receiving the SNMP poll then it must be something else.
                      I would start with opening the tcpdump packet pfSense receives and look at it in Wireshark. Does it have the proper IP destination and source to qualify for an answer from your BSNMP service?

                      I don’t think I have ever heard of anyone attempting to set up SNMP listening on WAN, so it may be that it actually does not work?? Perhaps try binding the SNMP service to localhost instead, and create a NAT rule on WAN that forwards to 127.0.0.1?

                      • K
                        kwangmien @keyser

                        @keyser the SNMP poll message is in order.

                        I found the problem is that the pfSense device cannot reach the Internet due to a missing default route. That is the reason why it did not respond. In the system logs there are "no route to host" errors.

                        I have added the default route to the gateway. Now it is able to respond to the SNMP poll.

                        1 Reply Last reply Reply Quote 1
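
The resolution above (poll arrives, no reply, "no route to host") can be checked directly from the routing table. The following is an added example, not code from the thread or from pfSense: it parses a constructed `netstat -rn -f inet` style table and does a longest-prefix lookup for the poller's address. The addresses and the function names `parse_routes`, `return_route` and `explain` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -rn -f inet` output for a pfSense
# box with no default route (addresses are illustrative, not from the thread).
ROUTES_BEFORE = """\
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#4             UH          lo0
192.168.10.0/24    link#1             U           em0
192.168.10.2       link#1             UHS         lo0
"""
ROUTES_AFTER = ROUTES_BEFORE + "default            192.168.10.1       UGS         em0\n"


def parse_routes(text):
    """Return [(network, gateway, netif)] from netstat -rn style text."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if cols[0] == "default" else cols[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip rows whose destination is not an IP prefix
        routes.append((net, cols[1], cols[3]))
    return routes


def return_route(routes, peer):
    """Longest-prefix match for the reply destination; None = 'no route to host'."""
    addr = ipaddress.ip_address(peer)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def explain(routes, peer):
    r = return_route(routes, peer)
    if r is None:
        return f"{peer}: no return route, SNMP reply is dropped locally"
    return f"{peer}: reply leaves via {r[2]} (route {r[0]} gw {r[1]})"


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        routes = parse_routes(table)
        for poller in ("192.168.10.50", "203.0.113.7"):  # internal, external
            print(label, explain(routes, poller))
```

With the "before" table the internal poller matches the connected /24 while the external one matches nothing, which is the symptom described in the thread; adding the default route gives the external poller a return path.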
                        • K
                          kouled

                          Hi,
                          Did you try snmpwalk?
                          Are you sure about the version?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.