Bridge and SNMP problem
-
I've noticed what seems like a bug when SNMP polling a pfSense 2.0 release over OpenVPN.
The setup was that a server was SNMP polling the LAN interface address of a pfSense over OpenVPN. What I could see was that:
- The SNMP server asked the pfSense on the LAN interface address.
- pfSense answered from the OpenVPN interface address (this causes firewall problems).
I then tried to click the "Bind to LAN interface only" button, but that only made it worse; pfSense didn't answer at all then.
The LAN interface address of the pfSense is assigned to a bridge (named "LAN") consisting of two bridged ports (the ports don't have an IP address). My guess is that this is preventing the SNMP service from answering through the LAN interface.
Though, I managed to do a workaround and poll the OpenVPN address of the pfSense. This caused pfSense to get SNMP requests and answer from the same IP address (nicer on stateful firewalls) and that solved it for me.
-
I'm not entirely sure that could be considered a bug… sort of a quirk in how SNMP in general works. If it gets a query from an IP in a subnet that is directly connected, it will probably respond from that IP rather than the IP you queried, since it's a more direct path.
It's always best to talk to the IP "closest" to you when possible.
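
An added example, not part of the thread above: a Python check that pairs each SNMP request in `tcpdump -n` style text with its reply and reports replies whose source address differs from the address that was queried, which is the condition that fails a stateful firewall's UDP state match. The capture lines and all addresses are constructed for illustration (192.168.1.1 stands in for the LAN bridge address, 10.8.0.1 for the OpenVPN address, 10.8.0.10 for the polling server).

```python
import re

# Matches the address pair in `tcpdump -n` style IPv4 lines.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
SNMP_PORT = 161

# Constructed sample capture; every address here is an assumption.
# First poll targets the LAN address, second poll targets the OpenVPN address.
SAMPLE = """\
12:00:00.000001 IP 10.8.0.10.40001 > 192.168.1.1.161: UDP, length 43
12:00:00.000900 IP 10.8.0.1.161 > 10.8.0.10.40001: UDP, length 48
12:00:05.000001 IP 10.8.0.10.40002 > 10.8.0.1.161: UDP, length 43
12:00:05.000800 IP 10.8.0.1.161 > 10.8.0.10.40002: UDP, length 48
"""

def check_replies(capture):
    """Return (matched, mismatched) SNMP replies as a stateful filter sees them."""
    pending = {}  # (client_ip, client_port) -> address the client queried
    matched, mismatched = [], []
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # not an IPv4 packet line
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dport == SNMP_PORT:
            # Outbound request: remember which agent address was asked.
            pending[(src, sport)] = dst
        elif sport == SNMP_PORT and (dst, dport) in pending:
            # Reply to a known client socket: compare source with queried address.
            queried = pending.pop((dst, dport))
            record = {"client": dst, "queried": queried, "answered_from": src}
            (matched if src == queried else mismatched).append(record)
    return matched, mismatched

if __name__ == "__main__":
    ok, bad = check_replies(SAMPLE)
    for r in bad:
        print(f"{r['client']} asked {r['queried']} but was answered from "
              f"{r['answered_from']}: no matching UDP state")
    print(f"{len(ok)} reply(ies) matched the queried address")
```
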