OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: PerpetualNewbie on April 03, 2022, 02:05:11 pm
-
(Though I was able to get SNMPv1 and SNMPv3 to work for me, lack of support for AES in NUT to my UPS Network Managament Card caused me to switch to USB: https://forum.opnsense.org/index.php?topic=27936.msg135580#msg135580 )
I'm going to try to post a mini HowTo for setting up an OPNSense 22.1.4_1 to use SNMPv1 or SNMPv3 using Nut to talk to a UPS device with a NIC and support for SNMPv1 or SNMPv3. I hope this works.
This may include multiple posts in the same thread in order to have context for each attachment.
It looks like images do not load unless you are logged into these forums.
Step 1:
https://docs.opnsense.org/manual/how-tos/nut.html
In order to support SNMP-Driver, on OPNSense, login to the web interface.
System -> Firmware -> Plugins:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21445;image)
Now, right frame, choose to "+" install "os-nut":
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21446;image)
Refresh web page after install, Scroll down to "Services" and check for:
Services -> Nut -> Configuration
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21448;image)
In the right-frame, specify your Desired IP address for nut service, and name the UPS configuration to use.
To avoid problems, try using a name without any white-spaces, and limit the name to alpha-numerics with underscore, hyphen, and periods.
(Sorry, I edited the image incorrectly: the Field with the IP Address should be the name of the UPS and where I put the name of the UPS should be the IP Address you want Nut to use.)
-
Next, for this example, the UPS I'm using has a "Schneider Electronics" add-on card, with web services, and limited support for SNMPv1 and SNMPv3. How you configure your UPS network services to enable SNMPv1 and/or SNMPv3 will likely be different.
Configuration -> Network -> SNMPv1 -> Access
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21459;image)
Choose to enable SNMPv1
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21461;image)
Once the service is enabled for this Network Management Card, there is a notice the NMC needs to be rebooted, but that can be dealt with after all configurations are changed:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21465;image)
Configuration -> Network -> SNMPv1 -> Access Control
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21463;image)
-
Still on the UPS SNMPv1 configuration, we are now on a page loaded from a visit to:
Configuration -> Network -> SNMPv1 -> Access Control
At a minimum, you need a user / community with read access, and a good default name for read-only is "public" so first, alter an entry to have a "public" with "read" access enabled.
Next, add another user / community called "private" and give it "write" access, but here is the choice:
From what I can tell, write access is only really if you want to control your UPS from an SNMP client, so you can leave this "private" disabled if you don't need that, or enable that if you want to play with that:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21478;image)
Next, for testing, we will also enable SNMPv3 on this device:
Configuration -> Network -> SNMPv3 -> Access
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21480;image)
Choose to "enable" and save:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21482;image)
Then we will visit the SNMPv3 User Profiles:
Configuration -> Network -> SNMPv3 -> User Profiles
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21484;image)
-
Here, I choose a user profile to configure for access (username).
In this case, I have created 2 users, both which use SHA1 (instead of MD5 or none) for auth, but one uses DES for encryption while the other uses AES for encryption and each have different usernames:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21486;image)
Here is what a user configuration screen would look like:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21488;image)
You would want to specify your own username and a more random "Authentication Passphrase" and "Privacy Pasphrase" : In this case, these settings are for the user account that uses AES. You can create an account that uses AES if you want to, but...
FOR FIRST TESTS, CHOOSE "DES" NOT AES.
(I've seen problems with nut talking AES from OPNSense, even through all other things being equal, DES works fine.)
Next, Visit Configuration -> Network -> SNMPv3 -> Access Control
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21490;image)
It is possible and likely that the Network Management Card I am testing supports a strange variation of AES whcih snmpwalk and others support, but "nut" does not.
Another note for this UPS Network Management Card:
* User Password form is limited to 32 characters.
* Encryption password is limited to 32 characters.
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21492;image)
-
Under the Access Control page for SNMPv3, you can choose to "enable" the account and save.
Enable each account you want to use or test.
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21494;image)
Once all of the configuration changes are complete, for this network management card, I need to reboot the card services for the changes to take effect:
Control -> Network -> Reset/Reboot
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21496;image)
Choose just the radio button for "Reboot Management Interface" : for this UPS, this only reboots the Netowrk Management interface, it does not reboot (power cycle) the whole UPS.
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21498;image)
After agreeing to a confirmation page, then a few minutes, the enabled SNMPv1 and SNMPv3 services should be active. Verify as needed.
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21500;image)
-
Now that the UPS Network services support SNMPv1 and SNMPv3, we can first walk through enabling the simpler and less secure SNMPv1 and once that is working, try to setup SNMPv3.
Services -> Nut -> Configuration:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21502;image)
The default page drops you in a view of the "General Settings" Tab.
Choose to
Set Service Mode to "netclient"
Specify a name for your UPS, but avoid whitepaces. Maybe start with just alpha-numerics, underscore, hyphen and periods.
Specify the IP address you want to use for OPNSent nut service with your UPS network service with SNMPv1 and/or SNMPv3 support.
Locate the "down-arrow" in the tab for "UPS Type" and select it to reveal a drop-down menu:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21504;image)
Select "SNMP-Driver" in the drop-down menu.
New page which allows you to configure the SNMP-Driver for either SNMPv1 or SNMPv3
Example for SNMPv1:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21506;image)
Example for SNMPv3:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21508;image)
-
For SNMP-Driver, page, you choose:
HINT: to avoid problems, review your list of available drivers for nut, and visit each one. You should only enable ONE AT A TIME. Please disable any other nut drivers and apply that change for each when testing SNMP, or you may risk problems. After you have everything working for SNMP, then you can experiment with other drivers being concurrent with the SNMP-driver.
For "Extra Arguments" the minimum to include are:
port=Your_SNMP_Server_IP_Address:SNMP_PORT_NUMBER
The "SNMP_PORT NUMBER" (161) is optional, so you could just specify:
port=Your_SNMP_Server_IP_Address
Next, you need to specify the "Community" which is like a username. For the previous examples using a Schneider Electric network management card, I create a community for SNMPv1 called "public" with read-only access, so I use that same name "public" for my community name here:
community=public
The included item "snmp_version" is not required as of this writing, but I've included it here to be explicit:
snmp_version=v1
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21506;image)
Then choose "Apply".
Now, to see if it is working, visit:
Services -> Nut -> Diagnostics
If it is working, you should (in less than 10 seconds) see a collection of data which looks a lot like what you see when you snmpwalk a device: a bunch of MIB-like names with associated values:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21510;image)
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21512;image)
-
Once you have it working for SNMPv1, you can try for SNMPv3.
Again, from the "SNMP-Driver" page, you make sure it is enabled:
- Enable
For "Extra Arguments" you remove "snmp_version=1" and remove "community=public" but keep the "port" value.
Then we need to add more:
snmp_version=v3 (this is required as of this writing as the default is v1 unless otherwise specified)
authProtocol=SHA (as of this writing, I was able to test "None" and "MD5" and "SHA" (SHA1) which all worked, only if the SNMP service on the UPS network device supported these.)
secLevel=authPriv (authPriv means you want an authentication process and an encryption process. Other choices are: noAuthNoPriv (default) , authNoPriv or authPriv : Each specify requirements for auth and/or encryption)
snmp_retries=5 (optional: included to show it is available)
snmp_timeout=2 (optional: included to show it is available)
pollfreq=30 (optional: included to show it is available)
privProtocol=DES (according to Nut docs and binary query, it supports either DES or AES, but trying to use AES as of April 3, 2022 results in failure and problems. On the same box, using "snmpwalk" with aes works fine against the same device and https://networkupstools.org/docs/man/snmp-ups.html claims that DES, AES, AES192, and AES256 are all supported by their source, but can vary depending on how the binary is built.)
authPassword=WhateverYouSpecifiedAsYourPassword
privPassword=WhateverYouSpecifiedAsYourEncryptionPassphrase
secName=TheProfileUsernameYourSetupOnYourSNMP_DeviceForYourUPS
Example:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21514;image)
Then choose "Apply".
Now, to see if it is working, visit:
Services -> Nut -> Diagnostics
If it is working, you should (in less than 10 seconds) see a collection of data which looks a lot like what you see when you snmpwalk a device: a bunch of MIB-like names with associated values:
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21510;image)
(https://forum.opnsense.org/index.php?action=dlattach;topic=27776.0;attach=21512;image)
-
As for support of AES with Nut...
There appears to be either a bug in the present Nut which is being used, or a problem in how it is being built for the package.
On another "stock" FreeBSD box, and on a HardenedBSD box (latest 13, then default stable/master, did buildworld, kernel, install), I tested getting a copy of "ports" (latest git repo main) and then configure, build and install nut from ports.
As first pass, it seemed like maybe the issue was that maybe support for crypto libs was missing, so I tried building against OpenSSL (latest) but that didn't work, so I tried building against NSS, but that didn't resolve AES support. Last, I took the "kitchen sink" approach and enabled all the non-conflicting features to see if any of those resolved this issue with being broken for AES, but nope.
Each time I used a configured user that used AES for privacy (encryption) an attempt to start with it resulted in:
No supported device detected
Driver failed to start (exit status=1)
/usr/local/etc/rc.d/nut: WARNING: failed precmd routine for nut
If I edited the configuration and JUST change "AES" to "DES" and specified the UPS SNMP user that used DES instead of AES, then it worked.
Using "snmpwalk" to connect with the same args allowed the aes user to use AES, and the DES user to use DES.
I've not found the problem with AES support yet, and I will probably be re-tasked to abandon SNMP, and try for USB cable based support. (My boss re-tasked me with getting USB support to work with Nut on OPNSense using the USBHID-Driver. Details of that process are here: https://forum.opnsense.org/index.php?topic=27936.msg135580#msg135580 )
Hopefully some part of the above process and issue will help one or more of you save time when setting this up on your network.
Thanks for reading!
-
Once you have everything working as you want, you should consider revisiting settings to better secure your configuration:
If you have SNMPv3 working and don't need SNMPv1, why not disabled SNMPv1?
If you know the hosts which will be talking to your SNMPv3 service, why not restrict access to just the hosts?
If you enabled multiple users to test AES and DES, why not disable the accounts which you are not using?
If you decide to experiment with adding support for AES after DES is working, and your web iterface becomes super slugglish immediately after enabling AES and then choosing Services -> Nut -> Diagnostics, you may need to get a shell on your server to change settings, then re-visit the web interfaces and re-save the previous DES settings:
To save you time if you need to do this...
On the OPNSense box, using your favorite editor, alter this file:
/usr/local/etc/nut/ups.conf
Change:
privProtocol=AES
to
privProtocol=DES
Restart the service:
/usr/local/etc/rc.d/nut restart
Now, go back to your web service and things should be less sluggish. Re-visit the Services -> Nut -> Configuration, choose the "UPS Type" down-arrow to get the drop-down menu, and then locate and choose "SNMP-Driver"
The right frame should show you the settings you expect and likely won't match what you put in the file. Whatever the result, make sure that the configuration does not include "privProtocol=AES" and then make sure it DOES include "privProtocol=DES"
Then choose "Apply"
-
Bashing my head against the wall here.
Followed your instructions (finally, someone who's documented the snmp config process fully)
Config appears ok ie. Nut service is running and diagnostics is showing correctly and updating (tested by switching off the power, input.voltage etc dropped to 0
battery.charge: 100
battery.current: 0
battery.runtime: 3780
battery.runtime.elapsed: 0
battery.voltage: 27
battery.voltage.nominal: 24
device.contact: Administrator
device.description: UPS SNMP Card
device.location: [redacted]
device.mfr: CYBERPOWER
device.model: OLS1000ERT2UA
device.serial: [redacted]
device.type: ups
driver.name: snmp-ups
driver.parameter.authProtocol: SHA
driver.parameter.pollinterval: 2
driver.parameter.port: [redacted]
driver.parameter.PrivProtocol: AES
driver.parameter.secLevel: authPriv
driver.parameter.snmp_version: v3
driver.parameter.synchronous: auto
driver.version: 2.8.0
driver.version.data: cyberpower MIB 0.51
driver.version.internal: 1.21
input.frequency: 50
input.voltage: 242.50
output.current: 0
output.frequency: 50
output.voltage: 240
ups.delay.reboot: 0
ups.delay.shutdown: 180
ups.delay.start: 0
ups.firmware: OS02RV11
ups.load: 8
ups.mfr: CYBERPOWER
ups.model: OLS1000ERT2UA
ups.serial: [redacted]
ups.status:
The System General log file on the other hand is showing errors:
Date Severity Process Line
2022-07-20T11:56:16 Notice upsmon UPS cyberpower is unavailable
2022-07-20T11:56:11 Notice upsmon Communications with UPS cyberpower lost
2022-07-20T11:56:06 Error upsmon Login on UPS [cyberpower] failed - got [ERR ACCESS-DENIED]
2022-07-20T11:56:06 Warning upsd /usr/local/etc/nut/upsd.users is world readable
2022-07-20T11:56:06 Warning upsd /usr/local/etc/nut/upsd.conf is world readable
2022-07-20T11:56:05 Error snmp-ups [cyberpower] unhandled ASN 0x5 received from .1.3.6.1.4.1.3808.1.1.1.7.2.7.0
2022-07-20T11:54:49 Error upsd mainloop: Interrupted system call
2022-07-20T11:54:49 Error upsmon upsmon parent: read
Any suggestions as to where to look?
Trying to avoid a usb connection if I can.
TIA
-
I believe it's a MIB issue. Have the mib file, beyond my current skill level to make it work though. :o
-
i have same problem....any idea?