Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SNMP across VLANs, responses not getting through firewall.

    Scheduled Pinned Locked Moved Firewalling
    20 Posts 3 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      erasedhammer
      last edited by

      Capture.PNG

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        You probably want to packet capture for the SNMP traffic to see where it is going wrong.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate @erasedhammer
          last edited by

          @erasedhammer Note your rule has 0 counters which mean it has never received a match since the filter was reloaded. Is there another rule above it that might be matching and policy routing the traffic or something like that?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          E 1 Reply Last reply Reply Quote 0
          • E
            erasedhammer
            last edited by

            From the same subnet snmp works:
            samesubnet.PNG

            From pfsense (vlan130 interface):
            differentsubnet.PNG

            From pfsense (vlan100 interface):
            diffsubnet2.PNG

            It looks like its getting through the firewall. I have no clue why its responding to a device on the same subnet but not another network.
            I guess this is a dlink issue, dang.

            1 Reply Last reply Reply Quote 0
            • E
              erasedhammer @Derelict
              last edited by

              @Derelict

              Previously I had rules for all the different devices. I have consolidated this rule just now into an alias.

              Here is what I am using now, it still doesn't work though:

              rule.PNG

              hosts.PNG

              states.PNG

              DerelictD 1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate @erasedhammer
                last edited by

                @erasedhammer The firewall cannot make the AP respond to the requests it is sending to it.

                Check the AP for anything that restricts SNMP to its local subnet.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                E 1 Reply Last reply Reply Quote 0
                • E
                  erasedhammer @Derelict
                  last edited by

                  @Derelict

                  Okay. the documentation on it is crap at the best. I'll have to post somewhere.

                  NogBadTheBadN 1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad @erasedhammer
                    last edited by

                    @erasedhammer

                    This maybe ?

                    Screenshot 2020-08-19 at 14.51.35.png

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      Looks like it. That documentation seems fairly comprehensive.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      NogBadTheBadN 1 Reply Last reply Reply Quote 0
                      • NogBadTheBadN
                        NogBadTheBad @Derelict
                        last edited by

                        @Derelict said in SNMP across VLANs, responses not getting through firewall.:

                        Looks like it. That documentation seems fairly comprehensive.

                        I did just pick a random D-Link device manual so I could be wrong 😬

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        DerelictD E 2 Replies Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate @NogBadTheBad
                          last edited by

                          @NogBadTheBad oh ok lol

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          1 Reply Last reply Reply Quote 0
                          • E
                            erasedhammer @NogBadTheBad
                            last edited by

                            @NogBadTheBad

                            Yeah wrong manual. The device I got said clearly it supports snmpv3, but turns out theres no way to change it and it only supports v2c, but I can live with that.

                            The snmp menu on this wap is very barebones, only fields are enabled, public/private strings, and trap ip. Nothing else.

                            1 Reply Last reply Reply Quote 0
                            • E
                              erasedhammer
                              last edited by

                              Problem solved:

                              Ended up being an arp anti spoofing setting binding the default gateway IP to its MAC, but since pfsense is doing the routing the device was blocking another IP (the server) from using that mac.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.