
Configuring SNMP on pfsense #718

Closed
3 of 4 tasks
iptvcld opened this issue Jul 1, 2024 · 27 comments
Labels
Feature request➕ New feature or request next release/in dev image🚀 This is coming in the next release or was already released if the issue is Closed.

Comments

iptvcld commented Jul 1, 2024

Is there an existing issue for this?

  • I have searched the existing open and closed issues

Am I willing to test this? 🧪

  • I will do my best to test this feature on the netalertx-dev image when requested within 48h and report bugs to help deliver a great user experience for everyone and not to break existing installations.

Can I help implement this? 👩‍💻👨‍💻

  • Yes
  • No

Is your feature request related to a problem? Please describe

If a device connects and then disconnects, we won’t be alerted if the scan does not occur.

Describe the solution you'd like

Real-time scan, maybe look at the DHCP logs of pfsense.

Describe alternatives you've considered

Warpath

Anything else?

No

@iptvcld iptvcld added the Feature request➕ New feature or request label Jul 1, 2024
jokob-sk (Owner) commented Jul 1, 2024

Hi @iptvcld ,

You can already adjust the scan window to be e.g. every minute via Settings. If that's insufficient, you can try to create a custom plugin to continuously scan in a separate thread; the results would then be processed in given intervals.

This way you would never miss a device. Disconnections may still be missed (if a device disconnects and reconnects, let's say within a minute), but I think discovering of new devices is more important.

If you are happy to help out, I can try incorporating continuous scanning while you try to create a pfsense plugin, if you have some time. Here is a walkthrough of creating a custom plugin: 🎥 Watch the video

jokob-sk (Owner) commented Jul 1, 2024

Actually - I just realized SNMP is supported on pfsense, so you can try the SNMP plugin if it already works. If yes, and the 1 minute interval is still too long, I can try to incorporate continuous background scanning. Let me know how you go.

@jokob-sk jokob-sk added the Waiting for reply⏳ Waiting for the original poster to respond, or discussion in progress. label Jul 1, 2024
iptvcld (Author) commented Jul 1, 2024

Thanks for the reply. I can try SNMP, but I think continuously scanning may get in the way of the pfsense internal scans that occur. But I am not sure what pfsense sends for SNMP DHCP responses, because, let’s say I have the scan at 5 mins, can this tool check past connections and then just alert on any new connects? I don’t need instant, just something that tells me some device connected; it may not be online any more, but I have a record of it.

jokob-sk (Owner) commented Jul 1, 2024

This then depends on what information is available via SNMP. If past entries are, then yes 👍

iptvcld (Author) commented Jul 1, 2024

And will this tool know how to read the MAC and IP and format the notification?

jokob-sk (Owner) commented Jul 1, 2024

yes :)

iptvcld (Author) commented Jul 2, 2024

I just enabled SNMP on pfsense and then enabled the option on NetAlertX and updated the IP to my router, but no devices are being found:

22:09:22 [2024-07-01 22:09:22-04:00] START Run: SNMPDSC
22:09:22 [Plugins] Executing: python3 /app/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}
22:09:22 [SNMPDSC] In script
22:09:22 [SNMPDSC] Router snmpwalk command: snmpwalk -v 2c -c public -OXsq 192.168.2.80 .1.3.6.1.2.1.3.1.1.2
22:09:22 [SNMPDSC] output: mib-2.3.1.1.2 No Such Object available on this agent at this OID

22:09:22 [SNMPDSC] Entries found: 0
22:09:22 [Plugins] No output received from the plugin SNMPDSC - enable LOG_LEVEL=debug and check logs
22:09:22 [2024-07-01 22:09:22-04:00] END Run: SNMPDSC

jokob-sk (Owner) commented Jul 2, 2024

Hi!

I think this is not an issue with NetAlertX, but with the command or agent configuration. This is what I got out of ChatGPT:

The "No Such Object available on this agent at this OID" error in SNMP usually means that the specific OID (Object Identifier) you are querying does not exist or is not available on the SNMP agent you are querying.

Here are a few steps to troubleshoot this issue:

Verify the OID:
    Make sure that the OID you are querying is correct and exists on the SNMP agent. Double-check the documentation for the device or software you are querying.

SNMP Version Compatibility:
    Ensure that the SNMP version you are using (SNMPv1, SNMPv2c, SNMPv3) is supported by the agent and that you are using the correct version in your query.

Access Control:
    Check the SNMP access control settings on the agent. It might be configured to restrict access to certain OIDs based on community strings or user credentials.
    For SNMPv3, ensure that the user has the necessary permissions to access the OID.

MIBs:
    Make sure you have the correct MIBs (Management Information Bases) loaded that define the OIDs. Without the correct MIBs, your SNMP tools may not be able to resolve OIDs properly.

SNMP Walk:
    Perform an SNMP walk starting from a higher-level OID to see what OIDs are available on the agent. This can help you identify if the OID you are querying is indeed present.
    Example command using snmpwalk:

    snmpwalk -v2c -c public 192.168.1.1 .1

Agent Configuration:
    Ensure the SNMP agent is properly configured to expose the OIDs you are trying to query. This might involve editing the SNMP configuration file on the device.

Check Logs:
    Check the SNMP agent's logs for any error messages or indications of why the OID is not available.

Here is an example of querying an SNMP agent with snmpget:

    snmpget -v2c -c public 192.168.1.1 .1.3.6.1.2.1.1.1.0

Replace public with your community string, 192.168.1.1 with the IP address of your SNMP agent, and .1.3.6.1.2.1.1.1.0 with your target OID.

jokob-sk (Owner) commented Jul 2, 2024

Here is the chat history if you'd like to follow up: https://chatgpt.com/share/4f43da10-f66e-40f8-a10d-50b245b9f12d

iptvcld (Author) commented Jul 2, 2024

Thanks; I have enabled it on pfsense correctly, and on NetAlertX I have enabled SNMP, updated the IP for the walk and ran the scan, but nothing. Maybe something to do with auth to pfsense; there are no fields for the username and password.

jokob-sk (Owner) commented Jul 2, 2024

You can also ssh into the container or any terminal and try whether your command works. I regrettably don't have pfsense running, but try to troubleshoot with that ChatGPT instance; if you get the command running in the terminal, you should be able to use it in NetAlertX.

iptvcld (Author) commented Jul 2, 2024

OK, I will have a chat with GPT. This is the result using the terminal:
c9f5de0051e7:/# snmpget -v2c -c public 192.168.2.80 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: pfSense pfadmin.servernode.com 2.7.2-RELEASE FreeBSD 14.0-CURRENT amd64

jokob-sk (Owner) commented Jul 2, 2024

As per the docs, the expected output should look something like this for NAX to ingest it properly:

Expected output (ingestion) in format:

 iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C "
 iso.3.6.1.3.1.3.1.1.2.3.1.192.168.1.3 "7C 6C 6C 6C 6C 6C "
 iso.3.6.1.4.1.3.1.1.2.3.1.192.168.1.4 "8C 6C 6C 6C 6C 6C "
...etc

@jokob-sk jokob-sk changed the title Locate device if it connects and disconnects before the next scan Configuring SNMP on pfsense Jul 2, 2024
iptvcld (Author) commented Jul 2, 2024

OK, so this: snmpwalk -v2c -c public 192.168.2.80 1.3.6.1.2.1.4.22.1.2 returned

IP-MIB::ipNetToMediaPhysAddress.15.192.168.2.2 = STRING: 48:b0:2d:32:a4:4a
IP-MIB::ipNetToMediaPhysAddress.15.192.168.2.3 = STRING: a2:e5:bc:85:11:f6

I added this command into the SNMP scan in NetAlertX, but after the run no devices get added.

jokob-sk (Owner) commented Jul 2, 2024

That's not a format NAX understands. As mentioned earlier, the only supported format for SNMP outputs is this one:

 iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C "
 iso.3.6.1.3.1.3.1.1.2.3.1.192.168.1.3 "7C 6C 6C 6C 6C 6C "
 iso.3.6.1.4.1.3.1.1.2.3.1.192.168.1.4 "8C 6C 6C 6C 6C 6C "

Please use the appropriate parameters to format your output according to the docs:

    snmpwalk -v2c -c public -OXsq 192.168.1.1 .1.3.6.1.2.1.3.1.1.2

-v2c: Specifies the SNMP version to use (SNMPv2c in this case).
-c public: Specifies the community string (password-like value used for SNMP, public is the default community string).
-OXsq: Specifies output formatting options:
    -O: Specifies how the output should be formatted.
    X: Prints the OID in numeric form (ISO-style).
    s: Strips the OID labels from the output.
    q: Suppresses the display of the type of data.

iptvcld (Author) commented Jul 2, 2024

When I run
snmpwalk -v2c -c public -OXsq 192.168.2.80 .1.3.6.1.2.1.3.1.1.2 I then get this: mib-2.3.1.1.2 No Such Object available on this agent at this OID

That command seems like it does not work on pfsense, so NetAlertX needs this exact layout?
iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C " (with the iso in front, etc.)

jokob-sk (Owner) commented Jul 2, 2024

pfsense should work if you supply the correct command. Here is a past issue where another user uses the same plugin with pfsense: #258

iptvcld (Author) commented Jul 2, 2024

Ahh, so odd. snmpwalk -v 2c -c public -OXsq 192.168.2.1 .1.3.6.1.2.1.4.22.1.2
gives me:
ipNetToMediaPhysAddress[15][192.168.2.191] 3c:39:c8:e5:fd:84

jokob-sk (Owner) commented Jul 2, 2024

The key part you have to figure out is the OID. I don't think you have the correct OID .1.3.6.1.2.1.4.22.1.2. This OID changes based, for example, on the manufacturer. Some hints follow:

Understand the OID Structure:

  • OID stands for Object Identifier and it represents a node in the SNMP MIB tree.
  • Each number in the OID represents a branch or node in the hierarchical tree structure.

Break Down the OID .1.3.6.1.2.1.4.22.1:

  • .1 identifies it as belonging to the ISO standard.
  • .3 indicates it is part of the Internet branch (iso.org.dod).
  • .6 signifies it is part of the SNMP branch (iso.org.dod.internet.snmpV2).
  • .1 further narrows it down to the MIB-2 branch (iso.org.dod.internet.snmpV2.mib-2).
  • .4 refers to the IP branch (iso.org.dod.internet.snmpV2.mib-2.ip).
  • .22 likely corresponds to the ARP (Address Resolution Protocol) table within the IP MIB.
  • .1 is typically the first entry or instance within that table.

Consult SNMP MIB Documentation:

  • To confirm the exact meaning of .1.3.6.1.2.1.4.22.1, you would refer to the SNMP MIB documentation provided by the device manufacturer.
  • Manufacturers typically publish MIB files that define these OIDs and provide descriptions of the managed objects they represent.

Please check this article for details: https://www.comparitech.com/net-admin/snmpwalk-examples-windows-linux/
You can find manufacturer IDs here: https://www.iana.org/assignments/enterprise-numbers/

jokob-sk pushed a commit that referenced this issue Jul 2, 2024
jokob-sk (Owner) commented Jul 2, 2024

I made the SNMP plugin also accept ipNetToMediaPhysAddress output and I wrote a guide on it here:

https://github.com/jokob-sk/NetAlertX/tree/main/front/plugins/snmp_discovery#finding-your-oid

Please have a look at the netalertx-dev docker image, in about 15 minutes (or after the last action finishes) from now.

Make sure you refresh your browser cache and click the 🔄 refresh button in the top right corner.

It would be great if you could test this (backup everything first or use a new container) on your end by switching to the above image and letting me know if the issue was resolved/the new feature is working.

Thanks in advance,
j

@jokob-sk jokob-sk added the next release/in dev image🚀 This is coming in the next release or was already released if the issue is Closed. label Jul 2, 2024
jokob-sk pushed a commit that referenced this issue Jul 2, 2024
iptvcld (Author) commented Jul 2, 2024

Wow you’re amazing! I had to leave town for work and will be back tomorrow evening to test this out. Can’t wait! Thank you.

iptvcld (Author) commented Jul 3, 2024

Hey @jokob-sk, I just changed docker to -dev and added snmpwalk -v 2c -OXsq -c public 192.168.2.1 .1.3.6.1.2.1.4.22.1.2 to the SNMP section, but below is the error.

07:07:16 [Plugin utils] ---------------------------------------------
07:07:16 [Plugin utils] display_name: SNMP discovery
07:07:16 [Plugins] Executing: python3 /app/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}
07:07:16 [SNMPDSC] In script 
07:07:16 [SNMPDSC] Router snmpwalk command: snmpwalk -v 2c -OXsq  -c public 192.168.2.1 .1.3.6.1.2.1.4.22.1.2
07:07:16 [plugin_helper] reading config file
07:07:16 [SNMPDSC] In script 
07:07:16 [SNMPDSC] Router snmpwalk command: snmpwalk -v 2c -OXsq  -c public 192.168.2.1 .1.3.6.1.2.1.4.22.1.2
Traceback (most recent call last):
  File "/app/front/plugins/snmp_discovery/script.py", line 115, in <module>
    main()
  File "/app/front/plugins/snmp_discovery/script.py", line 55, in main
    output = subprocess.check_output (snmpwalkArgs, universal_newlines=True, stderr=subprocess.STDOUT, timeout=(timeoutSec ))
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['snmpwalk', '-v', '2c', '-OXsq', '', '-c', 'public', '192.168.2.1', '.1.3.6.1.2.1.4.22.1.2']' returned non-zero exit status 1.

07:07:16 [Plugins] ⚠ ERROR - enable LOG_LEVEL=debug and check logs
07:07:16 [Plugins] No output received from the plugin SNMPDSC - enable LOG_LEVEL=debug and check logs
07:07:16 [API] Updating table_plugins_language_strings.json file in /front/api
07:07:16 [Plugin utils] ---------------------------------------------
07:07:16 [Plugin utils] display_name: NSLOOKUP (Name discovery)
07:07:16 [Plugins] Executing: python3 /app/front/plugins/nslookup_scan/nslookup.py
07:07:16 [NSLOOKUP] In script
07:07:16 [Database] Opening DB
07:07:16 [NSLOOKUP] Unknown devices count: 0
07:07:16 [NSLOOKUP] Script finished
07:07:16 [Plugins] No output received from the plugin NSLOOKUP - enable LOG_LEVEL=debug and check logs
07:07:16 [Notification] Check if something to report
07:07:16 [Notification] Included sections: ['new_devices', 'down_devices', 'events']
07:07:16 [Notification] No changes to report
07:07:16 [MAIN] Process: Wait

Via console this is my output (sample):

ipNetToMediaPhysAddress[15][192.168.2.7] bc:24:11:44:b6:53
ipNetToMediaPhysAddress[15][192.168.2.9] c4:c1:7d:cf:bf:33
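As an added example (my own code, not the NetAlertX plugin's), here is a parser that accepts both output formats discussed in this thread, the documented `iso.…` form with a quoted hex MAC and the `ipNetToMediaPhysAddress[…]` form pfSense returns, normalises the MAC, skips "No Such Object" lines, and tokenises the configured command with shlex so the empty '' argument visible in the traceback above (from the double space in `-OXsq  -c`) never reaches snmpwalk. The sample strings are constructed from values posted in this thread; `run_discovery` and its `run` parameter are names I chose for the example.

```python
import re
import shlex
import subprocess

# Constructed samples modelled on the two output formats shown in this thread:
# the documented -OXsq form for .1.3.6.1.2.1.3.1.1.2 (quoted hex MAC, IP as the
# last four OID components) and the ipNetToMediaPhysAddress form pfSense gives.
SAMPLE_AT = ('iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C "\n'
             'iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.3 "7C 6C 6C 6C 6C 6C "\n')
SAMPLE_IPNET = ('ipNetToMediaPhysAddress[15][192.168.2.7] bc:24:11:44:b6:53\n'
                'ipNetToMediaPhysAddress[15][192.168.2.9] c4:c1:7d:cf:bf:33\n')
SAMPLE_MISSING = 'mib-2.3.1.1.2 No Such Object available on this agent at this OID\n'

AT_RE = re.compile(
    r'^iso\.(?:\d+\.)*?(\d+\.\d+\.\d+\.\d+)\s+"((?:[0-9A-Fa-f]{2}\s*){6})"\s*$')
IPNET_RE = re.compile(
    r'^ipNetToMediaPhysAddress\[\d+\]\[(\d+\.\d+\.\d+\.\d+)\]\s+'
    r'((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$')

def parse_snmp_output(text):
    """Return [(ip, mac), ...] with MACs normalised to lowercase colon form.
    Lines in neither format ('No Such Object ...') are skipped, so an agent
    that lacks the OID yields an empty list instead of bogus entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = AT_RE.match(line)
        if m:                       # format 1: "6C 6C 6C 6C 6C 6C " -> 6c:6c:...
            ip, hexmac = m.groups()
            entries.append((ip, ':'.join(h.lower() for h in hexmac.split())))
            continue
        m = IPNET_RE.match(line)
        if m:                       # format 2: MAC already colon-separated
            ip, mac = m.groups()
            entries.append((ip, mac.lower()))
    return entries

def build_argv(command):
    """Tokenise with shlex: the traceback above shows an empty '' argument from
    the double space in '-OXsq  -c', which made snmpwalk exit with status 1."""
    return [tok for tok in shlex.split(command) if tok]

def run_discovery(command, run=None, timeout=30):
    """Run snmpwalk and parse its output; `run` can be any callable returning
    the captured text, which keeps the parser testable offline."""
    if run is None:
        run = lambda argv: subprocess.check_output(
            argv, universal_newlines=True, stderr=subprocess.STDOUT, timeout=timeout)
    return parse_snmp_output(run(build_argv(command)))
```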

jokob-sk pushed a commit that referenced this issue Jul 4, 2024
jokob-sk (Owner) commented Jul 4, 2024

Thanks for checking. I just pushed a fix to the -dev image. It should be available in about 15 minutes. Please check if the issue was fixed.

iptvcld (Author) commented Jul 5, 2024

Works like a charm! Thank you. I can see the snmpwalk listing all the connections and then the lookup grabs the names of the devices (for most). I added a new device to my network and ran the SNMP scan again; it picked up the new device!

When do you think this will be promoted to Prod? I will then start working on my setup and get telegram going as well! Thanks again..

jokob-sk (Owner) commented Jul 5, 2024

Thanks for checking @iptvcld!

I might publish the prod image this weekend or next week. 🤞

@jokob-sk jokob-sk removed the Waiting for reply⏳ Waiting for the original poster to respond, or discussion in progress. label Jul 5, 2024
iptvcld (Author) commented Jul 5, 2024

Thanks again, looking forward to it..

jokob-sk (Owner):

Releasing -> closing
