Hi,
I tried to set up monitoring for my OPNsense 23.1. But all the firewall-specific tables are not implemented any more. So support for enterprises.12325 (BEGEMOT MIB) seems to be gone.
I found some posts having the same problem. So I just want to confirm that this SNMP agent is deprecated and the new net-snmp does not provide any of the firewall-related monitoring information. Or is it possible to connect via a subagent (AgentX), or similar?
Michael
I also find myself missing these SNMP values. In my case for Zabbix monitoring...you can see in the Zabbix template (docs (https://www.zabbix.com/integrations/opnsense#opnsense_snmp)) that it uses many of these 12325 / BEGEMOT-MIB OIDs to report statistics. I was planning to have a graph of IPv4 vs. IPv6 traffic but it appears that will not be simple.
The Zabbix template as it comes in the box generates errors for these items like this:
Cannot find index of "em0" in ".1.3.6.1.4.1.12325.1.200.1.8.2.1.2".
Cannot find index of "em1" in ".1.3.6.1.4.1.12325.1.200.1.8.2.1.2".
It looks like since 19.1, bsnmp is superseded
https://forum.opnsense.org/index.php?topic=11398.msg51514#msg51514
has been discussed already
https://forum.opnsense.org/index.php?topic=19753.0
I'm dealing with Zabbix monitoring of OPNsense via snmp too these days.
T.
Hi,
I struggled as well to understand how to monitor my OPNSense using Zabbix and here is what worked for me.
Do not install any SNMP plugin (i.e. os-net-snmp). It will result in a conflict with bsnmp.
Steps on OPNSense
- Open an OPNSense console (CLI)
- Enable bsnmpd daemon by creating new config file "/etc/rc.conf.d/bsnmpd" with the following content :
bsnmpd_enable="YES"
- Uncomment the following lines in "/etc/snmpd.config" file to enable required SNMP modules:
read := "your_snmp_community"
begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
- Start bsnmpd daemon with the following command:
/etc/rc.d/bsnmpd start
- Setup a firewall rule to get access from Zabbix proxy or Zabbix server by SNMP (https://docs.opnsense.org/manual/firewall.html).
Steps on Zabbix
- Create your host
- Link "OPNSense template" to your host
- Link "Template / Network devices" group to your host
- Configure name, IP etc. for your host
- Smile because it works.
Reference for above steps: https://www.zabbix.com/integrations/opnsense
Hope this helps.
Nice @gcorre !
Can you confirm that bsnmpd runs fine on the current OPNsense, please?
Personally, I searched the forums and got the impression that bsnmpd is not preferred in OPNsense (since some troubles); however, it is the default in FreeBSD.
I took this Zabbix template (https://www.zabbix.com/integrations/opnsense) and disabled all those BEGEMOT-MIB items, and basically lost PF monitoring. Instead of BEGEMOT-MIB items for PF, I've tried the collectd and Telegraf features for PF monitoring. Both output Prometheus format and so are pluggable into Zabbix.
Well, for now, I use Telegraf's PF metrics via Prometheus output to Zabbix. The metrics include PF state table only, that is less than BEGEMOT-MIB.
Cheers
Hello testo !
So far, so good, bsnmpd is working fine. The only issue is that bsnmp service does not show up in the GUI which is not optimal for checking its status.
I only found documentation around snmp plugin for opnsense but they were not compatible with BEGEMOT-MIB. That's why I tried bsnmp with the same zabbix template as yours (https://www.zabbix.com/integrations/opnsense). And that's working perfectly fine.
Well, I had to make one adjustment in this template, otherwise interfaces weren't discovered correctly.
Go to :
- Configuration / Templates / OPNSENSE SNMP / MACROS
- Change the value of the field {$NET.IF.IFADMINSTATUS.MATCHES} to ^·*
I contacted the author and he may have already changed it!
Cheers
Are you able to get good data from 23.7? I am showing a lot of "No Such Object available on this agent at this OID" when using this template.
Quote from: gcorre on September 21, 2023, 05:58:06 PM
Hi,
I struggled as well to understand how to monitor my OPNSense using Zabbix and here is what worked for me.
Do not install any SNMP plugin (ie: os-net-snmp)
It will result in a conflict with bsnmp.
Steps on OPNSense
- Open an OPNSense console (CLI)
- Enable bsnmpd daemon by creating new config file "/etc/rc.conf.d/bsnmpd" with the following content :
bsnmpd_enable="YES"
- Uncomment the following lines in "/etc/snmpd.config" file to enable required SNMP modules:
read := "your_snmp_community"
begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
- Start bsnmpd daemon with the following command:
/etc/rc.d/bsnmpd start
- Setup a firewall rule to get access from Zabbix proxy or Zabbix server by SNMP (https://docs.opnsense.org/manual/firewall.html).
Steps on Zabbix
- Create your host
- Link "OPNSense template" to your host
- Link "Template / Network devices" group to your host
- Configure name, IP etc. for your host
- Smile because it works.
Reference for above steps: https://www.zabbix.com/integrations/opnsense
Hope this helps.
Was following your instructions, as I had os-net-snmp loaded as a plugin. I removed it but Zabbix is now complaining that there is no SNMP collection. I validated bsnmpd is running, so not sure why this is happening?
I am a bit behind schedule for updating. My OPNsense is still in 23.4.
I will wait for 24.1 before upgrading and hope that it still works...
Are you sure that you have the same community configured between your OPNsense and Zabbix?
Have you restarted bsnmpd ?
Quote from: gcorre on November 20, 2023, 01:59:48 PM
I am a bit behind schedule for updating. My OPNsense is still in 23.4.
I will wait for 24.1 before upgrading and hope that it still works...
Are you sure that you have the same community configured between your OPNsense and Zabbix?
Have you restarted bsnmpd ?
Could you provide a screenshot of the OPNsense rule you have setup for this? I am missing this and wonder if that is the missing link.
Zabbix is in my PRODUCTION network and is communicating with OPNsense in ADMINISTRATION network.
From PRODUCTION to ADMINISTRATION : check attachment.
From ADMINISTRATION to PRODUCTION : check attachment.
"Services_Supervision" = ports 10050 and 10051.
If you want to be sure that it's not a rule issue, you could allow all communication between zabbix and your OPNsense but don't forget to be more restrictive once your test is over.
Logs are your friend as well ;)
Yes, I got the General log open and am noticing that SNMPD does not start, even if the plugin shows green in the GUI. I am trying to find out why it's not starting. More to come...
I'm not sure which plugin you are using, here is mine : (attachment).
I just remember that I had an issue between os-net-snmp plugin and bsnmpd.
When os-net-snmpd was installed it was listening on port 161 and when I started bsnmpd it said "Starting bsnmpd." But it did not start as the port was already in use.
net-snmp and bsnmpd are two DIFFERENT snmpd applications. Both run on port 161/udp and are in conflict with one another. Why is this important? The plugin that is the currently supported SNMPd system is the UCD-snmp application (now called net-snmpd). The OS level plugin (bsnmpd) included the BEGEMOT-PF-MIB with it that allows for a ton of performance monitoring, alerting on failed applications, etc. Most of these options were not duplicated with the net-snmpd plugin (there are other threads on the missing Enterprise level monitoring that disappeared with this change).
I've personally been experimenting trying to get one of the daemons to run on a non-standard port so that I can make use of both but so far am running into other problems/issues.
Note that despite multiple requests, there still is no published documentation on what MIBs the net-snmpd plugin is presenting and I didn't have the time to go thru the source code of the plugin to see what is being incorporated.
Monitoring and alerting of these things from an Enterprise level has not been a priority for the development team. I can understand why, but it has relegated this product to the back seat for many of our suggested customer deployments due to the inability to alert based on off the shelf monitoring and alerting systems.
Marcos
Quote from: mdella on May 29, 2024, 09:35:07 PM
net-snmp and bsnmpd are two DIFFERENT snmpd applications. Both run on port 161/udp and are in conflict with one another. Why is this important? The plugin that is the currently supported SNMPd system is the UCD-snmp application (now called net-snmpd). The OS level plugin (bsnmpd) included the BEGEMOT-PF-MIB with it that allows for a ton of performance monitoring, alerting on failed applications, etc. Most of these options were not duplicated with the net-snmpd plugin (there are other threads on the missing Enterprise level monitoring that disappeared with this change).
I've personally been experimenting trying to get one of the daemons to run on a non-standard port so that I can make use of both but so far am running into other problems/issues.
Note that despite multiple requests, there still is no published documentation on what MIBs the net-snmpd plugin is presenting and I didn't have the time to go thru the source code of the plugin to see what is being incorporated.
Monitoring and alerting of these things from an Enterprise level has not been a priority for the development team. I can understand why, but it has relegated this product to the back seat for many of our suggested customer deployments due to the inability to alert based on off the shelf monitoring and alerting systems.
Marcos
Could not agree more! I am using Opnsense in one production deployment but since I cannot monitor the services of OPNsense I will not put it out anywhere else. This needs to get solved!
Quote from: mdella on May 29, 2024, 09:35:07 PM
Note that despite multiple requests, there still is no published documentation on what MIBs the net-snmpd plugin is presenting and I didn't have the time to go thru the source code of the plugin to see what is being incorporated.
Are you really requesting that OPNsense duplicate all the documentation that already exists? Just like with NginX or HAproxy or NUT the net-snmp plugin simply integrates the standard open source SNMP suite.
The full documentation can be found here: http://www.net-snmp.org/docs/readmefiles.html
And specifically the list of implemented MIBs in the agent here: http://www.net-snmp.org/docs/README.agent-mibs.html
I am aware of the lack of BEGEMOT-PF-MIB but how do you suggest to get that integrated? Fork the net-snmp project?
I use Observium as an NMS and I have had way better (read: more consistent and meaningful) results specifically for the HOST-RESOURCES-MIB compared to bsnmpd.
bsnmpd is highly FreeBSD specific and development seems to have somewhat stalled. net-snmp is the standard suite everybody including Linux uses.
Perhaps I am really missing something? What "performance monitoring" is there in bsnmpd that isn't in net-snmp? I am interested in RAM/swap, CPU, disk utilisation, ... the regular stuff you monitor for a host. And I am perfectly content with what Observium presents me in the UI.
I can only speak for myself. I use Zabbix and there is no way to monitor services that are not OS level. Items like DNS, DHCP, and other 'application' services were available with SNMP and Begemot, but no longer available.
If we want to use OPNsense in prod environments we must be able to monitor every major service on OPNsense.
If you have a solution I am happy to hear about.
Doesn't the Zabbix agent running on OPNsense provide that?
Other than that what we do are active checks for all the service we provide, e.g. with Icinga2.
Check if DNS is running - throw a request at the server. Etc.
No it only provides OS level monitoring. It goes no further.
From parsing the docs I got the impression that Zabbix can do everything Icinga and Nagios can do, too.
If you mean "just connect the agent and everything works", you are probably right. But you can write your own templates to monitor whatever you like.
Yes I could write my own template but that's why the snmp option was enticing.
Quote from: gcorre on November 23, 2023, 05:38:14 PM
I just remember that I had an issue between os-net-snmp plugin and bsnmpd.
When os-net-snmpd was installed it was listening on port 161 and when I started bsnmpd it said "Starting bsnmpd." But it did not start as the port was already in use.
Did you check if another service was already listening on port 161?
That is why I was unable to launch bsnmpd. I had to kill the process (I don't remember the name of the process).
This is all rather confusing. bsnmpd is no longer supported but ships with OpnSense? OK...
At what point are the bsnmpd scripts and binaries going to disappear?
bsnmpd is part of the FreeBSD base system. OPNsense does not use it but the more widely used and better supported net-snmp package instead. Just install the plugin and enjoy.
I monitor all my devices with Observium and all of them use net-snmp if they are in any way Unix-y.
Supported in what sense? If it's still present and works then that'll do for me.
bsnmpd provides features that the Zabbix agent and net-snmpd do not - notably, sensible names for interfaces and firewall metrics.
Supported by third party network management systems. The host resources MIB works way better at least for me.
Would you do me a favour? Run an snmpwalk of a firewall with bsnmpd running and send me the part with the firewall metrics in a DM?
I'm interested what OIDs they use. Because another advantage of net-snmp is: it can be extended by mere configuration and a shell script. See my howto I am linking in the Observium thread.
So maybe I can retrofit the firewall metrics into net-snmp ...
Yeah, you're right, bsnmpd does not return much useful for system resources.
So I had a test firewall set up with both bsnmpd and Zabbix agent, so we had interface traffic and systems resources.
Unfortunately it looks like /etc/snmpd.config got overwritten by an update [or something - it happened when I was on holiday so must have been a colleague] and was reverted to the default community string, etc. Not sure if this is the expected behaviour but if bsnmpd is "unsupported" then I guess I can expect the unexpected?!
The config file is part of the regular system baseline and if not managed by OPNsense (which it isn't) overwritten with the default version by every update.
Would you be so kind and send me the snmpwalk output I asked for? I'm looking into a way to implement the pf metrics in net-snmpd but without knowing what they actually look like that's difficult.
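Added example (not part of any post in this thread, and not OPNsense or FreeBSD project code): the bsnmpd setup described earlier relies on hand edits to /etc/snmpd.config, which the post above says are replaced by the default file on every update. This sh script flags that drift; the function names and the DEFAULT_COMMUNITIES list (treating "public" as the default read community) are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Audit a bsnmpd config for drift after an update (added example).
# Assumption: "public" is the default read community; extend the list as needed.
DEFAULT_COMMUNITIES="public"

# Print the value of an active (uncommented) `name := "value"` line.
# Expects whitespace around `:=`, as in the lines shown in this thread.
community_of() {  # $1 = config file, $2 = macro name (e.g. read)
    awk -v name="$2" '$1 == name && $2 == ":=" { gsub(/"/, "", $3); v = $3 }
                      END { print v }' "$1"
}

# Succeed only if the module's begemotSnmpdModulePath line is uncommented.
module_enabled() {  # $1 = config file, $2 = module name (e.g. pf)
    grep -Eq "^[[:space:]]*begemotSnmpdModulePath\.\"$2\"[[:space:]]*=" "$1"
}

# Print one FINDING line per problem; return 1 if anything was found.
audit_bsnmpd() {  # $1 = config file
    rc=0
    comm=$(community_of "$1" read)
    if [ -z "$comm" ]; then
        echo "FINDING: no active read community"; rc=1
    fi
    for d in $DEFAULT_COMMUNITIES; do
        if [ "$comm" = "$d" ]; then
            echo "FINDING: read community is the default '$d'"; rc=1
        fi
    done
    for m in hostres pf; do
        if ! module_enabled "$1" "$m"; then
            echo "FINDING: module $m is not enabled"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the file as it might look once an update restored defaults.
sample=$(mktemp)
cat > "$sample" <<'EOF'
read := "public"
begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII.so"
#begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
#begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
EOF
audit_bsnmpd "$sample" || echo "config drifted: reapply edits, restart bsnmpd"
rm -f "$sample"
```

Point audit_bsnmpd at /etc/snmpd.config after each update; a non-zero return means the community string or module lines need to be reapplied before the monitoring data can be trusted.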
Just trying to find somewhere to put this...too big for pastebin, no attachments on here.
Probably more straightforward to just look here tbh:
https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/opnsense_snmp/template_app_opnsense_snmp.yaml?at=release%2F7.0
Search that page for 1.3.6.1.4.1.12325 and you will see the OIDs of interest collected by Zabbix.
I don't have the Begemot MIB installed so the 22k lines of snmpwalk output I have don't actually describe the metrics!
Thanks. I wasn't interested in 22k lines, only in the pf metric related ones ;)
Comparing net-snmp and bsnmpd monitored systems side-by-side on LibreNMS, both actually provide info on system resources, so it seems like the Zabbix template is missing some OIDs in this regard.
To be clear, the screenshots are about two different systems, not the same system being monitored with different SNMP agents.
LibreNMS recognises the net-snmp one as OpnSense and bsnmpd as FreeBSD.