Connections total-entries

RouterOS General
1

Hi there
There is a need to monitor the number of connections
Through the console I can see

/ip firewall connection tracking print

total-entries:
Is it possible to know this information via SNMP? Tell me OID.

How do you watch the value of the number of NAT translations on your network?

Regards,
Pavel

2

You can do
/ip firewall connection print count-only
To get only a count. With the new “run script via snmp” feature it should be possible to read that over snmp.
When you succeed in doing that, please show us how. (there is little documentation about this)

3

Hi @pe1chi

Thanks, it’s good idea but the principle of the function Run Script are still not clear.
I try snmpwalk

admin@vspotappliance:~$ snmpwalk -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.6 = STRING: "script1_password_guest"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "script2_first"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.8 = STRING: "radius-ping"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.6 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.8 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 0

And than try to snmpset

admin@vspotappliance:~$ snmpset -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1.3.9 s 1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 49

What is the value returned by the snmp (49).
Is it possible to return another value, such as the value of the variable from the script?

4

It is not clear to me either. Hopefully we will get documentation.

5

If you want to read variable from the script, make it global and read it’s value from /system script environment. I haven’t tried it in your scenario, but it might work since that way variable is always accessible and there is a chance it will have functional OID.

6

There is OID with next parameters:

mtxrScriptRunOutput
.1.3.6.1.4.1.14988.1.1.18.1.1.2
this oid on get request will run script and return it’s output

Of course it does not work. Script Run Counter does not increase, and snmp returns the name of the script.

admin@vspotappliance:~$ snmpget -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1.2.9
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3"

We would like to hear comments Mikrotik engineers

7

Indeed! I also found those OID in the MIB and tried similar things as you did but never was able to
run a script from SNMP to receive the output value. It would be a useful feature but I would have
preferred a separate table for OID->script mapping and enabling execution of the script instead of
the vague “write permission” that is apparently used now.

8

Run the script with the read-only community is not entirely correct from a security standpoint. Who knows what scripts do you have on the equipment, run some risk to the network.
Therefore, I agree with the use of the Write rights.

9

That is why I would have preferred to have an explicit OID->script table so you explicitly open the execution of scripts on reading certain OIDs (that you define yourself)
and you can control which scripts are accessible this way.
When a rights bit is used it should have been an explicit one (SNMP). That still leaves the nasty problem that you cannot predict the OID and keep it the same on a number of routers.

10

Hello There,
I did it.

  1. Create a new script to request the number of connections
/system script
add name=script3_connections owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall connection print count-only"
  1. Through snmpwalk get the script OID table
admin@vspotappliance:~$ snmpwalk -c public -v 2c 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.6 = STRING: "script1_password_guest"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "script2_first"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.8 = STRING: "radius-ping"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3_connections"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.6 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.8 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 0
  1. You must change the oid, replace 8 to 18

1.3.6.1.4.1.14988.1.1.> 8> .1.1.2.9 to 1.3.6.1.4.1.14988.1.1.> 18> .1.1.2.9

  1. Do snmpget. SNMP performs the script and return its output - the number of connections
admin@vspotappliance:~$ snmpget -c public -v 2c 192.168.2.34 1.3.6.1.4.1.14988.1.1.18.1.1.2.9
SNMPv2-SMI::enterprises.14988.1.1.18.1.1.2.9 = STRING: "22"

Profit

11

Ok that is reasonably simple.
I still would have preferred when the OID (at least the last number) is settable in some screen and
the scripts would only be runnable when in that table.
Now you have given the script all access and probably people often do that, and it means that now
their scripts can be run by anyone knowing the read-only SNMP community. (usually public)

12

In fact no :smiley:
I have noticed that the script is executed and returns its output only if the community has a right to write

It may seem strange because we produce snmpget read operation, but it’s true. You do not run the script with read-only community.

13

Ah that is why it failed to work here… I experimented but never got the above result.
Well, that is not good either! It should be possible to read from the read-only community and
still execute a (trusted) script to provide the value. E.g. to graph some values using standard
monitoring software that reads all variables using the same community.

14

Ok. It is another question. It is suitable for solving my problem

15

Thanks this works for me.

Best regards.