Author Topic: SNMP - Basic Config  (Read 13569 times)

Bagoline

SNMP - Basic Config
« on: February 06, 2019, 06:03:28 pm »
Hi All

We just deployed our Data Center firewalls with two OPNsense VM firewalls.
The selection was between VyOS and pfSense.

Each one had its pros and cons.

One major issue that we face is that we cannot integrate the OPNsense firewall cluster to the SNMP monitoring service.

The firewall rules have been created and the flow is depicted as allowed in the firewall policies.

The NET-SNMP plugin has been configured with all needed information and the respective listening IP addresses, MGMT IP and loopback.

The service is reported as active in the service summary.

However, all SNMPWALK attempts fail with a time-out since no response is returned.
The same thing happens from within the OPNsense terminal.
"
snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] 127.0.0.1
"

Are we missing something?

All feedback will be greatly appreciated.

Thank you
Best Regards
Konstantinos

mimugmail

Re: SNMP - Basic Config
« Reply #1 on: February 06, 2019, 07:11:38 pm »
Can you downgrade to v2 for testing?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Bagoline

Re: SNMP - Basic Config
« Reply #2 on: February 08, 2019, 02:19:46 pm »
Hi Mimugmail

I downgraded to SNMP v 2c and I can SNMPWALK the firewall through the loopback IP 127.0.0.1.

However, when trying the same with the interface IP, even though it is listed as a service IP within the net-snmp I get a time-out.

The logs are a bit strange since while doing the SNMPWALK locally on the device I get an IPSEC ACL permit match log.

Through the NMS I still get the log of permitting the traffic but with no response, hence the timeout again.

mimugmail

Re: SNMP - Basic Config
« Reply #3 on: February 08, 2019, 05:09:34 pm »
Please check with sockstat if the port is listening on this IP and if you see blocked packets in the firewall log.

Bagoline

Re: SNMP - Basic Config
« Reply #4 on: February 11, 2019, 09:58:56 am »
I saw that the interface/IP is listening to UDP port 161 and the loopback.
Output below:
root     snmpd      33879 8  udp4   192.168.121.161:161   *:*
root     snmpd      33879 9  udp4   127.0.0.1:161         *:*

In addition, firewall rules permit all traffic to the firewall from the source IP to all interfaces.
I can see the respective log in the live view.

A SNMP version 2c to the firewall returns a "Timeout: No response from 192.168.121.161"
A SNMP version 3 to the firewall returns a "snmpwal: Timeout"

We had the same issue with pfSense that was the main reason we replaced them with opnsense.

Any other suggested steps?

mimugmail

Re: SNMP - Basic Config
« Reply #5 on: February 11, 2019, 10:14:47 am »
Anything in the logs to see?

Bagoline

Re: SNMP - Basic Config
« Reply #6 on: February 14, 2019, 01:05:22 pm »
Simple log stating a permit from the OpenNMS system to the firewall interface IP address.

Are there any other logs I can check?

hbc

Re: SNMP - Basic Config
« Reply #7 on: February 20, 2019, 03:21:27 pm »
Try adding -l authPriv; without it I got an error:

Code:
snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] -l authPriv 127.0.0.1
Worked for me. I just had to replace 127.0.0.1, since I just bound to monitoring interface and not localhost.

Quote
We had the same issue with pfSense that was the main reason we replaced them with opnsense.

Maybe you should check in a second shell whether packets are seen on right interface (lo0) and it is not a cabling/ip conflict issue.

Code:
tcpdump -i lo0 port 161
« Last Edit: February 20, 2019, 03:27:55 pm by hbc »
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
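
The sockstat check suggested in Reply #3, written as a small parser (an added example, not part of any post in this thread): it reports whether snmpd is bound to UDP 161 on a given address, on the wildcard address, or not at all. The function name snmpd_binding and the sshd sample line are constructed here; the two snmpd lines are the ones posted in Reply #4.

```sh
#!/bin/sh
# Added example: classify how snmpd is bound for one address.
# Reads sockstat-style lines on stdin, e.g. on the firewall:
#   sockstat -4 -l | snmpd_binding 192.168.121.161
# Prints one of:
#   bound      snmpd listens on UDP 161 on exactly that address
#   wildcard   snmpd listens on *:161 (every address, so exposure is
#              limited only by the firewall rules)
#   not-bound  no snmpd UDP 161 listener covers that address
snmpd_binding() {
    target="$1"
    awk -v want="$target" '
        # Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        $2 == "snmpd" && $5 ~ /^udp/ {
            # Split on the last colon so IPv6 literals keep their colons.
            n = split($6, parts, ":")
            port = parts[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (port != "161") next
            if (addr == want) exact = 1
            else if (addr == "*") wild = 1
        }
        END {
            if (exact) print "bound"
            else if (wild) print "wildcard"
            else print "not-bound"
        }'
}

# Sample input: the snmpd lines are from the thread, the sshd line is constructed.
SAMPLE='root     sshd       1201  3  tcp4   *:22                  *:*
root     snmpd      33879 8  udp4   192.168.121.161:161   *:*
root     snmpd      33879 9  udp4   127.0.0.1:161         *:*'

printf '%s\n' "$SAMPLE" | snmpd_binding 192.168.121.161
```

A result of "bound" together with permitted packets in the firewall log and no reply, as reported in this thread, points at the daemon itself rather than at the listener or the rules.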

Bagoline

Re: SNMP - Basic Config
« Reply #8 on: March 04, 2019, 04:29:37 pm »
The issue was rectified on the primary instance when LibreSSL was removed in favor of OpenSSL.

The standby still has the same issue for some reason.
Unfortunately, there is no available time to TS it.

Regarding the packets, they reach the firewall OK, the SNMP service for some reason does not respond.