NET-SNMP Package Now Available for pfSense 2.4 (SNMPv3, TLS, IPv6, and more)


  • Rebel Alliance Developer Netgate

    A package for NET-SNMP is now available for pfSense 2.4. It controls the NET-SNMP project's snmpd agent and snmptrapd application.

    The NET-SNMP daemon offers a number of advantages over the built-in bsnmpd, notably:

    • SNMPv3 support
        * Proper authentication: username/password, TLS certificate
        * Encrypted transport: privacy protocol w/passphrase, TLS encryption
    • IPv6 support for SNMPv1, v2c, and v3.
    • Users and Communities can be limited to specific parts of the OID tree
    • Community access can be restricted by source address or subnet
    • Extendable via custom commands
    • SNMP Trap generation controls
        * Supports a number of different destinations and types
        * Supports custom monitor expressions
    • SNMP Trap receiver daemon (snmptrapd)
        * Can log traps, execute programs for traps, or forward traps to other devices
    • Advanced configuration pass-through for snmpd and snmptrapd directives not found in the GUI

    Disadvantages:

    • No direct access to pf information
    • Increased memory consumption (Not major on modern hardware, ~8-20MB more)

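    The view and source-address restrictions listed above map onto snmpd.conf's view, rocommunity and rouser directives. The script below is an added example, not the pfSense package's own code: it emits a read-only fragment limited to the MIB-2 system (.1.3.6.1.2.1.1) and interfaces (.1.3.6.1.2.1.2) subtrees for one community from one subnet and one SNMPv3 user, and it refuses any token that could smuggle extra words or a new directive into the whitespace- and line-delimited config. The view name sysview, the community, user and subnet are hypothetical; the createUser line carrying the passphrases is deliberately left out and belongs in a root-only file.

```shell
#!/bin/sh
# Added example, not the pfSense package's own code: build a least-privilege
# snmpd.conf fragment and validate every user-supplied token before it is
# interpolated. A community name containing a space or newline would
# otherwise become an extra argument or a whole new directive.
# Contrast: a bare "rocommunity public" grants read access to the entire
# tree from any source.
# Hypothetical names: sysview, the 192.0.2.0/24 subnet, "monitor", "monuser".

# Tokens that may be interpolated into a directive: letters, digits, . _ -
valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Coarse IPv4 address-or-prefix check: digits, exactly three dots, at most one slash.
valid_v4_source() {
    case "$1" in
        '' | *[!0-9./]*) return 1 ;;
    esac
    dots=$(( $(printf '%s' "$1" | tr -cd '.' | wc -c) ))
    slashes=$(( $(printf '%s' "$1" | tr -cd '/' | wc -c) ))
    [ "$dots" -eq 3 ] && [ "$slashes" -le 1 ]
}

# Print view/rocommunity/rouser lines restricting read access to the system
# and interfaces subtrees. Arguments: community subnet v3user
emit_restricted_conf() {
    community=$1 subnet=$2 user=$3
    valid_token "$community"  || { echo "rejected community" >&2; return 1; }
    valid_v4_source "$subnet" || { echo "rejected subnet" >&2; return 1; }
    valid_token "$user"       || { echo "rejected user" >&2; return 1; }
    printf '%s\n' \
        'view sysview included .1.3.6.1.2.1.1' \
        'view sysview included .1.3.6.1.2.1.2' \
        "rocommunity $community $subnet -V sysview" \
        "rouser $user priv -V sysview"
}

# Stand-alone use: ./snmp_restrict.sh monitor 192.0.2.0/24 monuser
if [ $# -eq 3 ]; then
    emit_restricted_conf "$1" "$2" "$3"
fi
```

The "rouser ... priv" form requires both authentication and encryption from the SNMPv3 user, which is the setting that makes the SNMPv3 features above worth having.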

  • @jimp:

    • No direct access to pf information

    Is this planned for a future release, or will we have to use net-snmp as a proxy for bsnmpd?


  • Rebel Alliance Developer Netgate

    We'd like to see it included, but there would have to be a module or patch for net-snmp to add the code to get the data. The only one I've seen is >10yrs old. Depending on what you need, it may be scriptable with extend entries.



  • @jimp:

    We'd like to see it included, but there would have to be a module or patch for net-snmp to add the code to get the data. The only one I've seen is >10yrs old. Depending on what you need, it may be scriptable with extend entries.

    The most useful values for me are "Current/Max States" and "Current/Max MBUFs".


  • Rebel Alliance Developer Netgate

    Those are simple to do via extend entries. In NET-SNMP, on the Host Information tab.

    I whipped this up in a few moments on a test VM:

    : cat /root/snmp_curstates.sh
    #!/bin/sh
    /sbin/pfctl -si | /usr/bin/grep -A1 'State Table' | /usr/bin/tail -1 | /usr/bin/awk '{print $3;}'
    : cat /root/snmp_maxstates.sh
    #!/bin/sh
    /sbin/pfctl -sm | /usr/bin/grep 'states' | /usr/bin/awk '{print $4;}'
    

    (The scripts must be executable!)

    : grep 'extend.*states' /var/etc/netsnmpd.conf 
    extend  curstates /root/snmp_curstates.sh 
    extend  maxstates /root/snmp_maxstates.sh 
    

    (These entries are in the GUI as extend entries, using only the Name and Program fields)

    And then from a client:

    $ snmpget bill nsExtendOutputFull.\"curstates\"
    NET-SNMP-EXTEND-MIB::nsExtendOutputFull."curstates" = STRING: 13
    $ snmpget bill nsExtendOutputFull.\"maxstates\"
    NET-SNMP-EXTEND-MIB::nsExtendOutputFull."maxstates" = STRING: 33000
    
    


  • Great, thanks!

    This reminds me that I have been using something like this for MBUFs with Zabbix all along. Those can easily be adapted to be used with net-snmp I guess. So if someone needs them:

    UserParameter=sysstat.mbuf.curr,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f1
    UserParameter=sysstat.mbuf.cache,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f2
    UserParameter=sysstat.mbuf.total,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f3
    UserParameter=sysstat.mbuf.max,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f4
    
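    The pfctl scripts from the post above and the netstat mbuf parameters just posted share one pattern: run a command, pick a field, hand the number to an extend entry. The following is an added example, not code from the thread or the package, that folds both into a single extend script whose parsers read the command output from stdin so they can be tested offline. The sample outputs are constructed (abridged from the real pfctl -si, pfctl -sm and netstat -mb formats); the script path /root/snmp_pf.sh in the comments is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: pf state counters and mbuf cluster
# counters as one NET-SNMP extend script. Each parser reads the command
# output on stdin; on the firewall the dispatcher at the bottom feeds it the
# live command. extend programs run with snmpd's privileges, so keep the
# script root-owned and not group- or world-writable.

# "current entries" line that follows the "State Table" header of `pfctl -si`
pf_cur_states() {
    awk '/^State Table/ { in_table = 1; next }
         in_table && $1 == "current" && $2 == "entries" { print $3; exit }'
}

# "states hard limit N" line of `pfctl -sm`
pf_max_states() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# Field N (1=current 2=cache 3=total 4=max) of the
# "cur/cache/total/max mbuf clusters in use" line of `netstat -mb`
mbuf_clusters() {
    awk -v want="$1" '/mbuf clusters in use/ { split($1, f, "/"); print f[want]; exit }'
}

# Constructed sample outputs (abridged from the real formats) for offline runs
sample_pfctl_si() {
    cat <<'EOF'
Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                       13
  searches                           12345            0.0/s
  inserts                               42            0.0/s
EOF
}
sample_pfctl_sm() {
    cat <<'EOF'
states        hard limit    33000
src-nodes     hard limit    33000
frags         hard limit     5000
table-entries hard limit   200000
EOF
}
sample_netstat_mb() {
    cat <<'EOF'
1024/512/1536 mbufs in use (current/cache/total)
4096/2034/6130/1000000 mbuf clusters in use (current/cache/total/max)
0/0/0/50000 4k (page size) jumbo clusters in use (current/cache/total/max)
EOF
}

# Dispatcher: one script, one extend entry per metric, e.g.
#   extend curstates /root/snmp_pf.sh curstates   (path hypothetical)
case "${1:-}" in
    curstates)  /sbin/pfctl -si | pf_cur_states ;;
    maxstates)  /sbin/pfctl -sm | pf_max_states ;;
    mbufcur)    /usr/bin/netstat -mb | mbuf_clusters 1 ;;
    mbufmax)    /usr/bin/netstat -mb | mbuf_clusters 4 ;;
    "")         ;;   # run without an argument: define functions only
    *)          echo "usage: $0 curstates|maxstates|mbufcur|mbufmax" >&2; exit 2 ;;
esac
```

Matching on the field labels rather than on line position (grep -A1 / tail -1) keeps the parsers stable if a line is inserted above the one you want, and the exit after the first hit avoids a second match turning a single number into two lines of nsExtendOutputFull.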

  • Banned

    @jimp: Impressive package (incl. those ~500 lines of input validation code, LOL  :D) Definitely a huge improvement compared to bsnmpd.  8)

    Will need to play with that when I have more time.


  • Rebel Alliance Developer Netgate

    Thanks!

    And yeah, that input validation code kind of grew and grew as I went on, but I wanted to make sure things were done right from the start. As much as possible anyhow, there are still a number of fields that are impossible to properly validate as it is.

    It's a lot easier to work with and expand than bsnmpd, I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.


  • Banned

    @jimp:

    I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.

    Hmmm… https://www.packetmischief.ca/openbsd-snmp-mibs/ has been maintained up to ~2012 (OpenBSD 5.1). Not sure how much usable that is.


  • Rebel Alliance Developer Netgate

    That's the one I was looking at. They migrated their code to bsnmpd and left net-snmp behind. Which isn't surprising given that they were focused on OpenBSD, but bsnmpd isn't all it's cracked up to be.

    We could run them both together and proxy over the requests for the pf-specific parts but I'm not too crazy about that idea.


  • Banned

    Yeah, no longer maintained, but the pf parts for net-snmp seem to be from 2011-2012… would not seem so hopelessly outdated to port over. Proxying, yeah, not excited about that either.



    • No direct access to pf information

    What sort of information does this include?

    I plan to run snmpd on my pfSense unit, but I have a decision to make: bsnmpd or net-snmp. The latter is my preference as I use that on dozens of servers, so I am used to it.


  • Rebel Alliance Developer Netgate

    Things like state table size, altq information, various packet info counters tracked by pf, state table metadata… Here's the MIB from bsnmpd so you can see what's in it: http://files.atx.pfsense.org/jimp/mibs/BEGEMOT-PF-MIB.txt



  • Does this mean Observium (which basically supports NET-SNMP for servers) can be used for detailed pfSense monitoring? This sounds very promising, as bsnmpd was providing limited information. Looking forward to trying it on a production system.


  • Rebel Alliance Developer Netgate

    I don't use observium but if it has profiles for NET-SNMP then it should be able to get anything it would usually get for a NET-SNMP host from it.



  • hmm, I finally got round to playing with this.

    I did a full snmpwalk on bsnmpd data, but there was no pf data to be found.

    I may just use extend with net-snmpd instead.


  • Rebel Alliance Developer Netgate

    @chrcoluk:

    I did a full snmpwalk on bnsmpd data but no pf data to be found.

    I may just use extend with net-snmpd instead.

    That's correct, net-snmpd has no special knowledge of pf. There is no current/supported net-snmp module for FreeBSD that can interface with pf. You could use some extend entries to call various pfctl commands to gather info, depending on what you need/want.



  • it was bsnmpd running on pfsense when I ran the snmpwalk.

    Also a suggestion for the net-snmp package

    You use the flag -Ls, but this floods the log every time an snmpd server connects. I suggest changing to -LF 0-4; I already patched my local pfSense.

    root@PFSENSE pkg # ps axww | grep snmp
    78025  -  S        0:29.48 /usr/local/sbin/snmpd -LF 0-4 d -p /var/run/net_snmpd.pid -M /usr/share/snmp/mibs/:/usr/local/share/snmp/mibs -C -c /var/etc/netsnmpd.conf,/var/etc/netsnmpd-users.conf
    


  • Thanks for this tip; my logs were being spammed also. Any idea if this will be rolled into a future upgrade?

    For anyone else who needs to make the change, edit line 590 of /usr/local/pkg/net-snmp.inc
    from

    /usr/local/sbin/snmpd -Ls d \
    

    to

    /usr/local/sbin/snmpd -LF 0-4 d \
    
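    Before applying a change like the one above, it is worth decoding what the -L options actually do, because the lower-case and upper-case forms take different arguments: per snmpcmd(1), -Ls takes a syslog facility ('d' for daemon, 'u' for user, 0-7 for local0-local7) and logs everything there, while -LS takes a priority or priority range first and then the facility; -Lf and -LF are the file-sink equivalents and take a path where the syslog forms take a facility. The script below is an added example, not part of the package or the thread: it prints what each -L option on an snmpd command line selects, and flags file sinks with a relative path, which snmpd resolves against its own working directory rather than yours. The sample command lines it is tested against are constructed from the ps output quoted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: decode the -L logging options of an
# snmpd command line as documented in snmpcmd(1).
#   -Le/-Lo/-Ls FAC/-Lf FILE       everything to stderr/stdout/syslog/file
#   -LE PRI/-LO PRI/-LS PRI FAC/-LF PRI FILE   only priority PRI (or p1-p2)
# Syslog priorities: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice,
# 6 info, 7 debug. Malformed option lists (missing arguments) are not handled.

# Print one "<priorities>:<sink>" line per -L option found in "$@"
describe_log_opts() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -Le) echo "all:stderr";       shift ;;
            -Lo) echo "all:stdout";       shift ;;
            -Ls) echo "all:syslog($2)";   shift 2 ;;
            -Lf) echo "all:file($2)";     shift 2 ;;
            -LE) echo "$2:stderr";        shift 2 ;;
            -LO) echo "$2:stdout";        shift 2 ;;
            -LS) echo "$2:syslog($3)";    shift 3 ;;
            -LF) echo "$2:file($3)";      shift 3 ;;
            *)   shift ;;
        esac
    done
}

# Return 1 if any -Lf/-LF path is relative (snmpd resolves it against its
# own working directory, not the one you ran ps from), else 0.
file_sinks_absolute() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -Lf) case "$2" in /*) ;; *) return 1 ;; esac; shift 2 ;;
            -LF) case "$3" in /*) ;; *) return 1 ;; esac; shift 3 ;;
            *)   shift ;;
        esac
    done
    return 0
}

# Stand-alone use, feeding the live command line (unquoted, so it splits):
#   ./snmp_logopts.sh $(ps -o args= -p "$(cat /var/run/net_snmpd.pid)")
if [ $# -gt 0 ]; then
    describe_log_opts "$@"
    file_sinks_absolute "$@" || echo "warning: relative log file path" >&2
fi
```

Run against the quoted ps line, the decoder reports "0-4:file(d)": priorities emerg through warning to a file named d relative to snmpd's working directory, and nothing to syslog. If the intent is warnings and above in syslog under the daemon facility, the form that expresses it is -LS 0-4 d.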


  • Thanks for the tip about changing that line to reduce Log Spam.

