MRTG & SNMP on pfSense v2.0-RC3
-
I have a known working MRTG server in my HQ office. I have a pfSense router running on a remote site. I'm trying to build the config on MRTG and am getting "no response received". I try to telnet to port 161 and no go. NOTE: I'm using the latest snapshot as of July 7th.
Here are the steps I took to set it up:
SERVICES -> SNMP -> Check the enable box.
Polling Port: 161
System Loc: blah
System Contact: blah
Read Community String: public (yes I know, but for testing purposes this is fine for now)
All SNMP modules are checked. Clicked SAVE and ensured the service was running, it is.
FIREWALL -> RULES -> WAN (in my case I renamed it to DSL)
Created a new rule as follows:
Action: PASS
Interface: DSL
Protocol: TCP/UDP
Source: Single (public IP of my HQ site) - I also tried ANY
Destination: Type=DSL address (also tried ANY here too)
Destination Port Range: from=SNMP to=SNMP
I can telnet into my HTTP admin port just fine on (and ping) the public IP of the pfSense router from my MRTG server. I'm hoping I haven't found a bug but I can't figure out what I'm missing here?
-
Packet capture on WAN on port 161, see if the traffic gets there, and if it gets a response.
-
Sorry for the delay in getting back to you cmb. I must have forgotten to check the notification box when I posted and was waiting for an email.
In any case, I turned on packet capture for port 161 and see the following when I tell mrtg to poll pfSense:
10:10:39.607518 IP 199.120.xxx.xxx.26056 > 99.75.xxx.xxx.161: UDP, length 41
10:10:41.613635 IP 199.120.xxx.xxx.26056 > 99.75.xxx.xxx.161: UDP, length 41
10:10:43.615102 IP 199.120.xxx.xxx.26056 > 99.75.xxx.xxx.161: UDP, length 41
10:10:45.623717 IP 199.120.xxx.xxx.26056 > 99.75.xxx.xxx.161: UDP, length 41
10:10:47.633326 IP 199.120.xxx.xxx.26056 > 99.75.xxx.xxx.161: UDP, length 41
But MRTG still tells me:
GVMTRG# /usr/local/bin/cfgmaker --global "WorkDir: /usr/local/www" --output /usr/local/etc/mrtg/Site.cfg public@99.75.xxx.xxx
SNMP Error:
no response received
SNMPv1_Session (remote host: "99.75.xxx.xxx" [99.75.xxx.xxx].161)
community: "public"
request ID: -982178538
PDU bufsize: 8000 bytes
timeout: 2s
retries: 5
backoff: 1)
at /usr/local/lib/perl5/site_perl/5.10.1/SNMP_util.pm line 629
SNMPWALK Problem for 1.3.6.1.2.1.1 on public@99.75.xxx.xxx::::::v4only
at /usr/local/bin/cfgmaker line 955
WARNING: Skipping public@99.75.xxx.xxx: as no info could be retrieved
-
If that's from the WAN interface, the request is getting there but getting no response. Most common causes:
- SNMP either wrong community string or it's not enabled, doesn't seem to be the case.
- could be getting blocked by your firewall rules, check the firewall log
- if you have a 1:1 NAT on the public IP, or a port forward containing 161, it would redirect that to some other host.
-
I went ahead and added the rule to both WAN interfaces (even though I was only targeting the DSL interface) and now it's working, which makes no sense, but it does. Thanks for your help!
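
Added example, not part of the original thread: a small Python check that reads packet-capture text in the format shown above and reports SNMP flows where requests to UDP port 161 arrive but no reply leaves from port 161, which is the condition diagnosed in this thread. The function name `unanswered_snmp` is hypothetical and the sample lines are constructed, using documentation-range addresses.

```python
import re
from collections import defaultdict

# Matches the capture format shown in the thread:
#   HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): UDP, length \d+"
)

def unanswered_snmp(capture_text, snmp_port=161):
    """Return {(client, client_port, agent): (requests, replies)} for every
    flow where requests to snmp_port outnumber replies from it."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dport == snmp_port:        # poller -> agent (request)
            flows[(src, sport, dst)][0] += 1
        elif sport == snmp_port:      # agent -> poller (reply)
            flows[(dst, dport, src)][1] += 1
    return {k: tuple(v) for k, v in flows.items() if v[0] > v[1]}

# Constructed sample: the first poller retries with no reply,
# the second poller gets an answer.
SAMPLE = """\
10:10:39.607518 IP 192.0.2.10.26056 > 198.51.100.20.161: UDP, length 41
10:10:41.613635 IP 192.0.2.10.26056 > 198.51.100.20.161: UDP, length 41
10:10:43.615102 IP 192.0.2.10.26056 > 198.51.100.20.161: UDP, length 41
10:11:02.100000 IP 192.0.2.11.40000 > 198.51.100.20.161: UDP, length 41
10:11:02.101500 IP 198.51.100.20.161 > 192.0.2.11.40000: UDP, length 120
"""

if __name__ == "__main__":
    for (client, port, agent), (req, rep) in unanswered_snmp(SAMPLE).items():
        print(f"{client}:{port} -> {agent}:161  requests={req} replies={rep}")
```

A flow reported here means the request reached the capture interface and nothing was sent back, so the next places to look are the firewall log and any NAT or port forward covering port 161.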