pfSense not responding to SNMP polling from SNMP server
-
Hi All,
I have a SNMP server polling the pfSense device, but there is no response from the pfSense device.
I did the following :
a. Enabled SNMP service in the pfSense device
b. Set the same community string in the pfSense device and SNMP server
c. Added a Firewall rule at the WAN interface to allow ANY source sending to port 161
When I run tcpdump on pfSense device, I can see the SNMP packet is received by the pfSense device, but it did not respond.
Can anyone advise if there are other settings to make to allow pfSense to respond? Are there any settings to allow the SNMP server's IP Address in pfSense?
Thanks
Regards
Kwang Mien
-
@kwangmien SNMP on WAN? That doesn’t sound right. The built in snmp is v2 and thus not encrypted so make sure not to open and query on WAN but rather on trusted LAN
-
there is a "bind interface " option on the snmp services, is it configured correctly?
the rules I think should be allow any destination this firewall port 161
anyway it is like Keyser says, it's not good on WAN
-
@keyser said in pfSense not responding to SNMP polling from SNMP server:
built in snmp is v2 and thus not encrypted so make sure not to open and query on WAN but rather on t
Ok. Thanks for the advice. Currently, I am testing out the SNMP feature for pfSense.
-
@kiokoman The Bind interface is set to WAN.
I did further testing and found :
a. The pfSense device is behind a NAT router. When the SNMP server is in the same internal network as the pfSense, the pfSense responds to the SNMP poll from SNMP server
b. When the SNMP server is in the external network, and tried to poll the pfSense device, although the SNMP packet is received at pfSense, it did not respond, according to tcpdump at the pfSense device.
I suspect somewhere in the configuration of pfSense, it is blocking external IP address, as the result shows that SNMP polling from internal IP address works
Regards
Kwang Mien
-
Hi All,
Is there any IP Address to be allowed in bsnmpd in pfSense ?
I found that bsnmpd is blocking the SNMP poll coming from external IP address. When the SNMP poll came from the same network as the pfSense device, pfSense will respond.
Regards
Kwang Mien
-
@kwangmien BSNMP responds to all valid requests (proper community string), if it’s set up to listen on the interface the packet arrives on AND a firewall rule allows the packet to the listening address. So if it’s blocked it is the firewall rules that are not created properly.
However - you seem to have a NAT router in front of pfSense and want to reach pfSense behind that. That can only be done if a portforward is created in the NAT router. Otherwise the packet is blocked at the NAT router.
-
a. I have checked the filter.log and there is no blocking of the external IP address by the firewall rules for the SNMP poll
b. I also did a tcpdump at the pfSense device, and the SNMP poll message came into the pfSense device after the port forwarding at the NAT router.
Can you advise if there is any bsnmpd logs that can show if the SNMP poll is received at bsnmpd ?
Thanks
Regards
Kwang Mien
-
@kwangmien Sorry, do not know of a log option for bsnmp.
If your tcpdump does not show an SNMP response going out upon receiving the SNMP poll then it must be something else.
I would start with opening the tcpdump packet pfSense receives and look at it in Wireshark. Does it have the proper IP destination and source to qualify for an answer from your BSNMP service?
I don’t think I have ever heard of anyone attempting to set up SNMP listening on WAN, so it may be that it actually does not work?? Perhaps try binding the SNMP service to localhost instead, and create a NAT rule on WAN that forwards to 127.0.0.1?
-
@keyser the SNMP poll message is in order.
I found the problem is the pfSense device cannot reach the Internet due to a missing default route. That is the reason why it did not respond. From the system logs there are "no route to host" errors.
I have added the default route to the gateway. Now it is able to respond to the SNMP poll.
-
Hi
did you try snmpwalk?
Are you sure about the version?
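-
The cause found in this thread (polls arrive, but the reply has no route back to an off-subnet poller) can be checked from a capture plus the routing table. The following is an added example, not part of any post above: the addresses, the constructed tcpdump-style lines and the function names are all assumptions made for illustration.

```python
import ipaddress
import re

# tcpdump -n style line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def unanswered_pollers(capture, snmp_port=161):
    """Sources that sent to the SNMP port but never got a packet back from it."""
    asked, answered = set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == snmp_port:
            asked.add(src)
        elif sport == snmp_port:
            answered.add(dst)
    return sorted(asked - answered)

def find_route(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None means 'no route to host'."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def diagnose(capture, routes):
    """Map each unanswered poller to the gateway a reply would use (None = no return route)."""
    return {src: find_route(routes, src) for src in unanswered_pollers(capture)}

# Constructed sample: firewall at 192.168.1.2, one poller on its subnet, one external.
CAPTURE = """\
12:00:01.000001 IP 192.168.1.50.40001 > 192.168.1.2.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
12:00:01.000420 IP 192.168.1.2.161 > 192.168.1.50.40001:  GetResponse(60)  .1.3.6.1.2.1.1.1.0
12:00:05.000001 IP 203.0.113.10.40002 > 192.168.1.2.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
12:00:10.000001 IP 203.0.113.10.40002 > 192.168.1.2.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
"""
ROUTES_BEFORE = [("192.168.1.0/24", "link")]                    # connected network only
ROUTES_AFTER = ROUTES_BEFORE + [("0.0.0.0/0", "192.168.1.1")]   # default route added

if __name__ == "__main__":
    print(diagnose(CAPTURE, ROUTES_BEFORE))  # external poller has no return route
    print(diagnose(CAPTURE, ROUTES_AFTER))   # reply would now leave via the default gateway
```

A poller that maps to `None` matches the symptom described here: the request shows up in tcpdump and filter.log shows no block, yet no response is ever sent.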