• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

SNMP port forwarding

Scheduled Pinned Locked Moved NAT
3 Posts 3 Posters 3.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • W
    wannabesysadmin
    last edited by Jul 21, 2017, 4:44 PM

    hey guys, i thought this would be pretty straight forward, but it's taking me way longer than I thought to simply port forward UDP 162 .

    I created a rule to Pass from WAN interface to a single address with destination port 162.  Source is any.  I have no other rules except for the default RFC 1918 and Bogon one.  I enabled logging and do see the traffic passing through to my SNMP daemon, but the daemon is not recording anything.  If I change my test computer to on the internal address space (bypassing the firewall), the daemon does record the test trap.  But when I put the test computer outside the firewall, it does not record anything.

    Any ideas?

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jul 24, 2017, 2:14 PM

      How are you testing the forward?

      udp/162 is only for SNMP Traps. udp/161 is for SNMP queries.

      Do you see anything blocked in the firewall log for that port?
      Anything showing in the states table for the port?
      Does the request show up on WAN in a packet capture?

      More tips here:
      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • N
        NogBadTheBad
        last edited by Jul 24, 2017, 3:28 PM Jul 24, 2017, 3:14 PM

        Wouldn't you be better doing it over an IPsec Tunnel ?

        SNMP isn't NAT friendly :-

        https://www.ietf.org/rfc/rfc3027.txt

        4.8 SNMP

        SNMP is a network management protocol based on UDP.  SNMP payload may
          contain IP addresses or may refer IP addresses through an index into
          a table.  As a result, when devices within a private network are
          managed by an external node, SNMP packets transiting a NAT device may
          contain information that is not relevant in external domain.  In some
          cases, as described in [SNMP-ALG], an SNMP ALG may be used to
          transparently convert realm-specific addresses into globally unique
          addresses.  Such an ALG assumes static address mapping and bi-
          directional NAT.  It can only work for the set of data types (textual
          conventions) understood by the SNMP-ALG implementation and for a
          given set of MIB modules.  Furthermore, replacing IP addresses in the
          SNMP payload may lead to communication failures due to changes in
          message size or changes in the lexicographic ordering.

        Making SNMP ALGs completely transparent to all management
          applications is not an achievable task.  The ALGs will run into
          problems with SNMPv3 security features, when authentication (and
          optionally privacy) is enabled, unless the ALG has access to security
          keys.  [NAT-ARCH] also hints at potential issues with SNMP management
          via NAT.

        Alternately,  SNMP proxies, as defined in [SNMP-APPL], may be used in
          conjunction with NAT to forward SNMP messages to external SNMP
          engines (and vice versa).  SNMP proxies are tailored to the private
          domain context and can hence operate independent of the specific
          managed object types being accessed.  The proxy solution will require
          the external management application to be aware of the proxy
          forwarder and the individual nodes being managed will need to be
          configured to direct their SNMP traffic (notifications and requests)
          to the proxy forwarder.

        Also SNMP data isn't encrypted.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        3 out of 3
        • First post
          3/3
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
          This community forum collects and processes your personal information.
          consent.not_received