Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    NET-SNMP Package Now Available for pfSense 2.4 (SNMPv3, TLS, IPv6, and more)

    2.4 Development Snapshots
    7
    20
    8603
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimp
      jimp Rebel Alliance Developer Netgate last edited by

      A package for NET-SNMP is now available for pfSense 2.4 which controls the NET-SNMP project snmpd agent and snmptrapd application.

      The NET-SNMP daemon offers a number of advantages over the built-in bsnmpd, notably:

      • SNMPv3 support
          * Proper authentication: username/password, TLS certificate
          * Encrypted transport: privacy protocol w/passphrase, TLS encryption
      • IPv6 support for SNMPv1, v2c, and 3.
      • Users and Communities can be limited to specific parts of the OID tree
      • Community access can be restricted by source address or subnet
      • Extendable via custom commands
      • SNMP Trap generation controls
          * Supports a number of different destinations and types
          * Supports custom monitor expressions
      • SNMP Trap receiver daemon (snmptrapd)
          * Can log traps, execute programs for traps, or forward traps to other devices
      • Advanced configuration pass-through for snmpd and snmptrapd directives not found in the GUI

      Disadvantages:

      • No direct access to pf information
      • Increased memory consumption (Not major on modern hardware, ~8-20MB more)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • A
        athurdent last edited by

        @jimp:

        • No direct access to pf information

        Is this planned for a future release or will we have to use net-snmp as a proxy for bnsmpd?

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          We'd like to see it included, but there would have to be a module or patch for net-snmp to add the code to get the data. The only one I've seen is >10yrs old. Depending on what you need, it may be scriptable with extend entries.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • A
            athurdent last edited by

            @jimp:

            We'd like to see it included, but there would have to be a module or patch for net-snmp to add the code to get the data. The only one I've seen is >10yrs old. Depending on what you need, it may be scriptable with extend entries.

            The most useful values for me are "Current/Max States" and "Current/Max MBUFs".

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Those are simple to do via extend entries. In NET-SNMP, on the Host Information tab.

              I whipped this up in a few moments on a test VM:

              : cat /root/snmp_curstates.sh
              #!/bin/sh
              /sbin/pfctl -si | /usr/bin/grep -A1 'State Table' | /usr/bin/tail -1 | /usr/bin/awk '{print $3;}'
              : cat /root/snmp_maxstates.sh
              #!/bin/sh
              /sbin/pfctl -sm | /usr/bin/grep 'states' | /usr/bin/awk '{print $4;}'
              

              (The scripts must be executable!)

              : grep 'extend.*states' /var/etc/netsnmpd.conf 
              extend  curstates /root/snmp_curstates.sh 
              extend  maxstates /root/snmp_maxstates.sh 
              

              (These entries are in the GUI as extend entries, using only the Name and Program fields)

              And then from a client:

              $ snmpget bill nsExtendOutputFull.\"curstates\"
              NET-SNMP-EXTEND-MIB::nsExtendOutputFull."curstates" = STRING: 13
              $ snmpget bill nsExtendOutputFull.\"maxstates\"
              NET-SNMP-EXTEND-MIB::nsExtendOutputFull."maxstates" = STRING: 33000
              
              

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • A
                athurdent last edited by

                Great, thanks!

                This reminds me that I have been using something like this for MBUFs with Zabbix all along. Those can easily be adapted to be used with net-snmp I guess. So if someone needs them:

                UserParameter=sysstat.mbuf.curr,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f1
                UserParameter=sysstat.mbuf.cache,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f2
                UserParameter=sysstat.mbuf.total,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f3
                UserParameter=sysstat.mbuf.max,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f4
                
                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned last edited by

                  @jimp: Impressive package (incl. those ~500 lines of input validation code, LOL  :D) Definitely a huge improvement compared to bnsmpd.  8)

                  Will need to play with that when I have more time.

                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    Thanks!

                    And yeah, that input validation code kind of grew and grew as I went on, but I wanted to make sure things were done right from the start. As much as possible anyhow, there are still a number of fields that are impossible to properly validate as it is.

                    It's a lot easier to work with and expand than bsnmpd, I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • D
                      doktornotor Banned last edited by

                      @jimp:

                      I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.

                      Hmmm… https://www.packetmischief.ca/openbsd-snmp-mibs/ has been maintained up to ~2012 (OpenBSD 5.1). Not sure how much usable that is.

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        That's the one I was looking at. They migrated their code to bsnmpd and left net-snmp behind. Which isn't surprising given that they were focused on OpenBSD, but bsnmpd isn't all it's cracked up to be.

                        We could run them both together and proxy over the requests for the pf-specific parts but I'm not too crazy about that idea.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • D
                          doktornotor Banned last edited by

                          Yeah, no longer maintained, but the pf parts for net-snmp seem to be from 2011-2012… would not seem so hopelessly outdated to port over. Proxying, yeah, not excited about that either.

                          1 Reply Last reply Reply Quote 0
                          • C
                            chrcoluk last edited by

                            • No direct access to pf information

                            What sort of information does this include?

                            I plan to run snmpd on my pfSense unit but I have a decision to make bsnmpd or net-snmp.  The latter is my preference as I use that on dozens of server's so am used to it.

                            pfSense 2.6.0 - ISP AAISP UK

                            1 Reply Last reply Reply Quote 0
                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              Things like state table size, altq information, various packet info counters tracked by pf, state table metadata… Here's the MIB from bsnmpd so you can see what's in it: http://files.atx.pfsense.org/jimp/mibs/BEGEMOT-PF-MIB.txt

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • V
                                Viktor last edited by

                                Does this mean Observium (supports basically NET-SNMP for servers) can be used for detailed Pfsense monitoring? This sound very promising, as BSNMPd was providing limited  information. Looking forward to try on a productive system.

                                1 Reply Last reply Reply Quote 0
                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  I don't use observium but if it has profiles for NET-SNMP then it should be able to get anything it would usually get for a NET-SNMP host from it.

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    chrcoluk last edited by

                                    hmm, I finally got round to playing with this.

                                    I did a full snmpwalk on bnsmpd data but no pf data to be found.

                                    I may just use extend with net-snmpd instead.

                                    pfSense 2.6.0 - ISP AAISP UK

                                    1 Reply Last reply Reply Quote 0
                                    • jimp
                                      jimp Rebel Alliance Developer Netgate last edited by

                                      @chrcoluk:

                                      I did a full snmpwalk on bnsmpd data but no pf data to be found.

                                      I may just use extend with net-snmpd instead.

                                      That's correct, net-snmpd has no special knowledge of pf. There is no current/supported net-snmp module for FreeBSD that can interface with pf. You could use some extend entries to call various pfctl commands to gather info, depending on what you need/want.

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        chrcoluk last edited by

                                        it was bsnmpd running on pfsense when I ran the snmpwalk.

                                        Also a suggestion for the net-snmp package

                                        You use the flags -Ls but this floods the log everytime a snmpd server connects, I suggest changing to -LF 0-4 I already patched my local pfsense.

                                        root@PFSENSE pkg # ps axww | grep snmp
                                        78025  -  S        0:29.48 /usr/local/sbin/snmpd -LF 0-4 d -p /var/run/net_snmpd.pid -M /usr/share/snmp/mibs/:/usr/local/share/snmp/mibs -C -c /var/etc/netsnmpd.conf,/var/etc/netsnmpd-users.conf
                                        

                                        pfSense 2.6.0 - ISP AAISP UK

                                        1 Reply Last reply Reply Quote 0
                                        • Q
                                          q54e3w last edited by

                                          thx for this tip, my logs were being spammed also. Any idea idea if this will be rolled into a future upgrade?

                                          For anyone else who needs to make the change, edit line 590 of /usr/local/pkg/net-snmp.inc
                                          from

                                          /usr/local/sbin/snmpd -Ls d \
                                          

                                          to

                                          /usr/local/sbin/snmpd -LF 0-4 d \
                                          
                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            Napsterbater last edited by

                                            Thanks for the tip about changing that line to reduce Log Spam.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post