Monitoring FRR BGP/OSPF peering status via SNMP

is-is

Hello fine Netgate folks. Long time lurker, first time poster.....

I've deployed several pfSense boxes over the years, but always as just a firewall.

I recently deployed pfSense and FRR, using both BGP and OSPF. We typically monitor our BGP and OSPF peering via Nagios and Observium, however this didn't work out of the box.

i disabled bsnmpd and installed net-snmp, which is up and pollable, but that wasn't enough. I'm trying to understand what I need to troubleshoot this further.

I see that net-snmp supports the AgentX protocol. I see that FRR supports the AgentX protocol (if compiled in). I also see FRR supports the BGP-4 and OSPF MIBs in their git repository.

AgentX appears to already be enabled in net-snmp. I manually enabled it to the frr conf files and restarted zebrad, bgpd and snmpd just for good measure.

[2.4.4-RELEASE][admin@pfSense.localdomain]/: cat /var/etc/netsnmpd.conf | grep agentx
master agentx

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/etc/frr: grep agentx bgpd.conf zebra.conf 
bgpd.conf:agentx
zebra.conf:agentx

I think this should be enough to have this work, but it doesn't. Per the FRR documentation, I should be seeing something like this in logging:

012/05/25 11:39:08 ZEBRA: snmp[info]: NET-SNMP version 5.4.3 AgentX subagent connected

My questions are:

• Has anyone else already done this on pfSense?
• Is the frr package in pfSense compiled with snmp support?
• Am I missing something else obvious?

I'm running:

• pfsense: 2.4.4-RELEASE-p2 (amd64)
• frr net: 0.2_8, which depends on frr5-5.0.2
• net-snmp: 0.1.5_2, which net-snmp-5.7.3_18

Many thanks!

is-is

Upon further investigation, and finding this thread:

https://github.com/FRRouting/frr/issues/1617

I was able to confirm that the frr package in pfSense is not compiled with support for snmp:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: vtysh

Hello, this is FRRouting (version 5.0.2).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

pfSense.localdomain# show modules
Module information for zebra:
Module Name  Version                   Description

libfrr       5.0.2                     libfrr core module
zebra        5.0.2                     zebra daemon

Module information for bgpd:
Module Name  Version                   Description

libfrr       5.0.2                     libfrr core module
bgpd         5.0.2                     bgpd daemon

pfSense.localdomain#

According to the ouput in the link, there should be a lines that look like this:

zebra_snmp   5.0.2   zebra AgentX SNMP module
bgpd_snmp    5.0.2   bgpd AgentX SNMP module

It also appears net-snmpd is creating the Agent socket with permissions that wouldn't allow the frr user to connect, even if snmpd support was compiled in:

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ps aux | grep frr
frr    55620   0.0  0.6  12232   6496  -  Is   18:17       0:00.01 /usr/local/sbin/zebra -d -f /var/etc/frr/zebra.conf
frr    56009   0.0  1.0  21588   9668  -  Is   18:17       0:00.01 /usr/local/sbin/bgpd -d -f /var/etc/frr/bgpd.conf

[2.4.4-RELEASE][admin@pfSense.localdomain]/var/agentx: ls -l
total 0
srwxr-xr-x  1 root  wheel  0 May 10 15:17 master

I chmod 777'ed it just an experiment, but still no joy.

So where do I go from here? Two feature requests on Redmine? A feature request and a bug? I'd like to think that Netgate would be very interested in addressing these two issues, as it's highly desirable functionality (SNMP monitoring) of one of the core uses cases for pfSense (BGP/OSPF routing).

Thanks again!