SNMP across VLANs, responses not getting through firewall.

NogBadTheBad · Aug 19, 2020, 12:08 PM

@erasedhammer said in SNMP across VLANs, responses not getting through firewall.:

can get snmp responses from the same vla

Default route missing on the WAP perchance ?

erasedhammer · Aug 19, 2020, 1:00 PM

Its a web managed dlink WAP. I dont believe I can enter any routes into it. It does have its default gateway set as the firewall, so it should just forward the traffic.

Derelict · Aug 19, 2020, 1:04 PM

Does the destination device block SNMP from other than its own subnet?

You'll probably want to post the rule you put on VLAN 130 in case a mistake was made there.

NogBadTheBad · Aug 19, 2020, 1:07 PM

What DLink device is it ?

erasedhammer · Aug 19, 2020, 1:08 PM

The server doing the snmp queries has its firewall disabled right now so I can rule that out.

Heres the rule:

Derelict · Aug 19, 2020, 1:13 PM

@erasedhammer It would be a policy on the AP being queried, not the server doing the queries.

This is just UDP. It is not the firewall.

Does the AP's management interface have a default gateway that points back to its pfSense local interface? Can you ping it?

erasedhammer · Aug 19, 2020, 1:13 PM

Derelict · Aug 19, 2020, 1:14 PM

You probably want to packet capture for the SNMP traffic to see where it is going wrong.

Derelict · Aug 19, 2020, 1:15 PM

@erasedhammer Note your rule has 0 counters which mean it has never received a match since the filter was reloaded. Is there another rule above it that might be matching and policy routing the traffic or something like that?

erasedhammer · Aug 19, 2020, 1:22 PM

From the same subnet snmp works:

From pfsense (vlan130 interface):

From pfsense (vlan100 interface):

It looks like its getting through the firewall. I have no clue why its responding to a device on the same subnet but not another network.
I guess this is a dlink issue, dang.

erasedhammer · Aug 19, 2020, 1:28 PM

@Derelict

Previously I had rules for all the different devices. I have consolidated this rule just now into an alias.

Here is what I am using now, it still doesn't work though:

Derelict · Aug 19, 2020, 1:37 PM

@erasedhammer The firewall cannot make the AP respond to the requests it is sending to it.

Check the AP for anything that restricts SNMP to its local subnet.

erasedhammer · Aug 19, 2020, 1:38 PM

@Derelict

Okay. the documentation on it is crap at the best. I'll have to post somewhere.

NogBadTheBad · Aug 19, 2020, 1:52 PM

@erasedhammer

This maybe ?

Derelict · Aug 19, 2020, 2:21 PM

Looks like it. That documentation seems fairly comprehensive.

NogBadTheBad · Aug 19, 2020, 2:33 PM

@Derelict said in SNMP across VLANs, responses not getting through firewall.:

Looks like it. That documentation seems fairly comprehensive.

I did just pick a random D-Link device manual so I could be wrong

Derelict · Aug 19, 2020, 2:34 PM

@NogBadTheBad oh ok lol

erasedhammer · Aug 19, 2020, 2:44 PM

@NogBadTheBad

Yeah wrong manual. The device I got said clearly it supports snmpv3, but turns out theres no way to change it and it only supports v2c, but I can live with that.

The snmp menu on this wap is very barebones, only fields are enabled, public/private strings, and trap ip. Nothing else.

erasedhammer · Aug 19, 2020, 2:46 PM

Problem solved:

Ended up being an arp anti spoofing setting binding the default gateway IP to its MAC, but since pfsense is doing the routing the device was blocking another IP (the server) from using that mac.