Netgate Discussion Forum

Snmpd through ipsec tunnel

  • N
    Neo_t3
    last edited by Nov 5, 2010, 8:00 AM

    Hi,

    I have two pfSense 2.0 boxes connected by an IPsec tunnel.

    On site A, I want to monitor the second pfSense with Cacti, so I have enabled the SNMPd service on both pfSense boxes …

    But I was unable to get SNMP information from site A for the pfSense located on site B.

    On pfSense 1.2.3, the option "Bind to LAN Interface" was present and resolved my issue.

    The SNMP packets pass the rule without problem, but there is no response.

    Do you have an idea or a solution?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Nov 5, 2010, 12:55 PM

      http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • N
        Neo_t3
        last edited by Nov 5, 2010, 2:28 PM

        Many thanks, jimp!!!

        • D
          dave99
          last edited by Mar 13, 2011, 10:37 PM

          I upgraded to 2.0, and I'm seeing this problem also (except through openvpn, not ipsec), I can't access snmp from across the vpn. The FAQ link doesn't seem to apply to 2.0.

          Is there a workaround, or is it possible to add the options to bind back to a specific interface?

          • D
            dszp
            last edited by Mar 14, 2011, 3:31 AM

            I've still gotten this working on 2.0 but it's a little different as the GUI has changed. Here's what I've done:

            From System->Routing, I added a new Gateway with the LAN IP as both the Gateway and the Monitor IP. I put "LAN Gateway for IPsec routing" in the description field (and named it IPsecLAN) to remind me why I did it :-) Then on the Routes tab in the same section, add a new route with a Destination network of the remote subnet that needs access via IPsec (the remote LAN subnet). Pick the Gateway entry you just created as the gateway.

            This is working for me, at least it solved the problem I was having. Worth a shot. I haven't seen any downsides.

            David Szpunar
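
A simplified model of why the static route in the post above changes the outcome, as an added example that is not part of the original thread. It assumes firewall-originated packets (such as SNMP replies) take the source address of the interface selected by the routing table, and that the tunnel only carries traffic whose source and destination match the phase 2 subnets; all addresses are constructed.

```python
import ipaddress as ip

# Constructed addressing for site B (the monitored pfSense); not from the thread.
INTERFACES = {
    "wan": ip.ip_address("203.0.113.10"),
    "lan": ip.ip_address("192.168.2.1"),
}
# Phase 2 policy: only LAN-B -> LAN-A traffic is selected for the tunnel.
SPD = [(ip.ip_network("192.168.2.0/24"), ip.ip_network("192.168.1.0/24"))]


def base_routes():
    """Routing table before the workaround: the remote LAN follows the default route."""
    return [
        (ip.ip_network("0.0.0.0/0"), "wan"),
        (ip.ip_network("203.0.113.0/24"), "wan"),
        (ip.ip_network("192.168.2.0/24"), "lan"),
    ]


def pick_source(routes, dst):
    """Longest-prefix match, then use the address of the egress interface."""
    dst = ip.ip_address(dst)
    _, iface = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return INTERFACES[iface]


def enters_tunnel(routes, dst):
    """True when the locally generated packet matches a phase 2 policy."""
    src = pick_source(routes, dst)
    return any(src in s and ip.ip_address(dst) in d for s, d in SPD)


def with_ipsec_lan_route(routes, remote_lan):
    """The workaround: a static route for the remote LAN via the LAN-side gateway."""
    return routes + [(ip.ip_network(remote_lan), "lan")]


if __name__ == "__main__":
    cacti = "192.168.1.50"  # constructed poller address at site A
    before = base_routes()
    after = with_ipsec_lan_route(before, "192.168.1.0/24")
    print("before:", pick_source(before, cacti), enters_tunnel(before, cacti))
    print("after: ", pick_source(after, cacti), enters_tunnel(after, cacti))
```
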

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Mar 14, 2011, 3:33 AM

              @dave99:

              I upgraded to 2.0, and I'm seeing this problem also (except through openvpn, not ipsec), I can't access snmp from across the vpn. The FAQ link doesn't seem to apply to 2.0.

              Is there a workaround, or is it possible to add the options to bind back to a specific interface?

              That fix isn't needed for OpenVPN. OpenVPN routes just fine. As long as you allow the traffic with firewall rules, and you have the routes to reach the IP you are trying to query (and route back to the client from the server…) it should work just fine. It doesn't require any weird tricks like IPsec.

              • D
                dszp
                last edited by Mar 14, 2011, 3:35 AM

                Oops, I overlooked that OpenVPN was the issue now; the subject says IPsec :-) I've not had issues with OpenVPN, just IPsec, which is where I've used my fix successfully.

                David Szpunar

                • D
                  dave99
                  last edited by Mar 14, 2011, 3:51 AM

                  @jimp:

                  @dave99:

                  I upgraded to 2.0, and I'm seeing this problem also (except through openvpn, not ipsec), I can't access snmp from across the vpn. The FAQ link doesn't seem to apply to 2.0.

                  Is there a workaround, or is it possible to add the options to bind back to a specific interface?

                  That fix isn't needed for OpenVPN. OpenVPN routes just fine. As long as you allow the traffic with firewall rules, and you have the routes to reach the IP you are trying to query (and route back to the client from the server…) it should work just fine. It doesn't require any weird tricks like IPsec.

                  Hmm, I'm guessing it's related then to the other problem with my upgrade related to an openvpn error creating a route:
                  http://forum.pfsense.org/index.php/topic,34371.0.html

                  • D
                    dave99
                    last edited by Mar 17, 2011, 5:38 PM

                    Kind of a follow up question, I'm able to query snmp on the openvpn tunnel interface IP, does the snmp process not attach to vlan interfaces? I've disabled the LAN interface since I use multiple vlans, so I was wondering if that is why I couldn't get to it on any of those interfaces.
