Can't make snmp to work over pppoe

chrismfz · September 11, 2017, 3:29pm

Hello there.
I've setup a few mikrotiks as routers, they are behind a vdsl router, running in PPPoE. Something like this
Internet -- VDSL Router -- Mikrotik PPPoE --- LAN

I've enabled with success a few ports like web and winbox over the Internet to have a look on them
using the cloud hostname ***sn.mynetname.net and they are working.

But SNMP doesn't. Seems enabled:

/snmp community print
Flags: * - default

NAME ADDRESSES SECURITY READ-ACCESS

0 * public 0.0.0.0/0 none yes
1 natigon 0.0.0.0/0 none yes

/snmp print
enabled: yes
contact: info@natigon.gr
location: Serres Greece
engine-id:
trap-target:
trap-community: natigon
trap-version: 1
trap-generators:

But snmpwalk returns error. Tried to forward 161 UDP port too but again with no success

Firewall configuration

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

2 X ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

3 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

4 X ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

5 X chain=input action=accept protocol=icmp log=no log-prefix=""

6 X chain=input action=accept connection-state=established log=no log-prefix=""

7 X chain=input action=accept connection-state=related log=no log-prefix=""

8 X ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""

9 X ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""

10 X ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix=""

11 X chain=input action=drop in-interface=pppoe-out1 log=no log-prefix=""
And the port forwarder
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""

1 ;;; masq. vpn traffic
chain=srcnat action=masquerade src-address=192.168.89.0/24 log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=192.168.2.1 to-ports=161 protocol=udp in-interface=pppoe-out1 dst-port=161
log=no log-prefix=""
On any protocol snmpwalk returns nothing.
[root@freedom ~]# snmpwalk -Os -c public -v 1 642e05e1fe93.sn.mynetname.net
Timeout: No Response from 642e05e1fe93.sn.mynetname.net
[root@freedom ~]# snmpwalk -Os -c public -v 2c 642e05e1fe93.sn.mynetname.net
Timeout: No Response from 642e05e1fe93.sn.mynetname.net
[root@freedom ~]# snmpwalk -Os -c public -v 3 642e05e1fe93.sn.mynetname.net
snmpwalk: Timeout
[root@freedom ~]#Any thoughts ?

As a second way I thought to create VPNs, but both my office and these locations have dynamic IPs so it makes it a bit more complicated.

chrismfz · September 11, 2017, 4:06pm

Creating port forward to another port (1161) it worked.
2 chain=dstnat action=dst-nat to-addresses=192.168.2.1 to-ports=161 protocol=udp in-interface=pppoe-out1 dst-port=1161
log=no log-prefix=“”[root@freedom ~]# snmpwalk -v 2c -c public 642e05e1fe93.sn.mynetname.net:1161
SNMPv2-MIB::sysDescr.0 = STRING: RouterOS RB951G-2HnD
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.14988.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (87581300) 10 days, 3:16:53.00
SNMPv2-MIB::sysContact.0 = STRING: info@natigon.gr
SNMPv2-MIB::sysName.0 = STRING: Nation IT Router
SNMPv2-MIB::sysLocation.0 = STRING: Serres Greece
SNMPv2-MIB::sysServices.0 = INTEGER: 78Seems 161 is reserved (?) from the router ? I don’t know. But with port forwarding on another port it worked.