Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SNMP across VLANs, responses not getting through firewall.

    Scheduled Pinned Locked Moved Firewalling
    20 Posts 3 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NogBadTheBadN
      NogBadTheBad
      last edited by

      @erasedhammer said in SNMP across VLANs, responses not getting through firewall.:

      can get snmp responses from the same vla

      Default route missing on the WAP perchance ?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      1 Reply Last reply Reply Quote 0
      • E
        erasedhammer
        last edited by

        Its a web managed dlink WAP. I dont believe I can enter any routes into it. It does have its default gateway set as the firewall, so it should just forward the traffic.

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Does the destination device block SNMP from other than its own subnet?

          You'll probably want to post the rule you put on VLAN 130 in case a mistake was made there.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by

            What DLink device is it ?

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 0
            • E
              erasedhammer
              last edited by

              The server doing the snmp queries has its firewall disabled right now so I can rule that out.

              Heres the rule:

              Capture.PNG

              DerelictD 2 Replies Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate @erasedhammer
                last edited by Derelict

                @erasedhammer It would be a policy on the AP being queried, not the server doing the queries.

                This is just UDP. It is not the firewall.

                Does the AP's management interface have a default gateway that points back to its pfSense local interface? Can you ping it?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • E
                  erasedhammer
                  last edited by

                  Capture.PNG

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    You probably want to packet capture for the SNMP traffic to see where it is going wrong.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate @erasedhammer
                      last edited by

                      @erasedhammer Note your rule has 0 counters which mean it has never received a match since the filter was reloaded. Is there another rule above it that might be matching and policy routing the traffic or something like that?

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      E 1 Reply Last reply Reply Quote 0
                      • E
                        erasedhammer
                        last edited by

                        From the same subnet snmp works:
                        samesubnet.PNG

                        From pfsense (vlan130 interface):
                        differentsubnet.PNG

                        From pfsense (vlan100 interface):
                        diffsubnet2.PNG

                        It looks like its getting through the firewall. I have no clue why its responding to a device on the same subnet but not another network.
                        I guess this is a dlink issue, dang.

                        1 Reply Last reply Reply Quote 0
                        • E
                          erasedhammer @Derelict
                          last edited by

                          @Derelict

                          Previously I had rules for all the different devices. I have consolidated this rule just now into an alias.

                          Here is what I am using now, it still doesn't work though:

                          rule.PNG

                          hosts.PNG

                          states.PNG

                          DerelictD 1 Reply Last reply Reply Quote 0
                          • DerelictD
                            Derelict LAYER 8 Netgate @erasedhammer
                            last edited by

                            @erasedhammer The firewall cannot make the AP respond to the requests it is sending to it.

                            Check the AP for anything that restricts SNMP to its local subnet.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            E 1 Reply Last reply Reply Quote 0
                            • E
                              erasedhammer @Derelict
                              last edited by

                              @Derelict

                              Okay. the documentation on it is crap at the best. I'll have to post somewhere.

                              NogBadTheBadN 1 Reply Last reply Reply Quote 0
                              • NogBadTheBadN
                                NogBadTheBad @erasedhammer
                                last edited by

                                @erasedhammer

                                This maybe ?

                                Screenshot 2020-08-19 at 14.51.35.png

                                Andy

                                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                1 Reply Last reply Reply Quote 0
                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  Looks like it. That documentation seems fairly comprehensive.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                  • NogBadTheBadN
                                    NogBadTheBad @Derelict
                                    last edited by

                                    @Derelict said in SNMP across VLANs, responses not getting through firewall.:

                                    Looks like it. That documentation seems fairly comprehensive.

                                    I did just pick a random D-Link device manual so I could be wrong 😬

                                    Andy

                                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                    DerelictD E 2 Replies Last reply Reply Quote 0
                                    • DerelictD
                                      Derelict LAYER 8 Netgate @NogBadTheBad
                                      last edited by

                                      @NogBadTheBad oh ok lol

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        erasedhammer @NogBadTheBad
                                        last edited by

                                        @NogBadTheBad

                                        Yeah wrong manual. The device I got said clearly it supports snmpv3, but turns out theres no way to change it and it only supports v2c, but I can live with that.

                                        The snmp menu on this wap is very barebones, only fields are enabled, public/private strings, and trap ip. Nothing else.

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          erasedhammer
                                          last edited by

                                          Problem solved:

                                          Ended up being an arp anti spoofing setting binding the default gateway IP to its MAC, but since pfsense is doing the routing the device was blocking another IP (the server) from using that mac.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.