Open SNMP and Syslog ports

I am new to Winbox, but I think I’ll be up to speed soon. Router/firewall SNMP is enabled, but no access. Mikrotik switches are enabled and working. Same with Syslog, it appears to be enabled, status has rows incrementing, but no log files. Traffic Flow is at ver 9 and I am using ManageEngine firewall analyzer successfully with other firewalls.
I can use an assist here, TIA, -John

No help? Any other support for Mikrotik router? SNMP works on Mikrotik switches, not router. Syslog is a joke with Mikrotik.

You haven’t really provided your current configuration for someone to be able to help, people cannot read your mind and do not know what you have tried or what is currently set. If you provide those details, we can try and help point you in the right direction.

So you have SNMP enabled, I’m assuming that you also have a community string set. What does your firewall setup look like?
What are your log settings? Do you have the syslog server defined in the settings? Do you have a log action for syslog? By default the log just goes to memory for the most part. It also has a line for disk for error messages.
Do you have any targets defined for Traffic Flow?

A reply! Thank you. Let's work with SNMP. SNMP is enabled,

    NAME    ADDRESSES  SECURITY  READ-ACCESS
0 * public  0.0.0.0/0  none      yes

Filter is accept input udp 161. Bytes and packets have values.
Netflow appears to be working for me. SNMP on Mikrotik switches is working.

What version of SNMP are you trying to use in your server? Try setting it to 2c if you are trying to use v1 or v3. If you are trying to use v3, you need to set the appropriate keys and passwords in the MikroTik.

An export of ‘/ip firewall’ would be more effective in seeing your ruleset.

Thank you again for the assist. I just got this network, so it may take a little time to answer any questions.

/snmp
set contact="IT Support" enabled=yes trap-target=0.0.0.0 trap-version=2

/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted IPs" src-address-list=\
    Blacklist
add action=drop chain=forward comment="Drop Blacklisted IPs" \
    src-address-list=Blacklist
add action=accept chain=input comment="Accept Established" connection-state=\
    established
add action=accept chain=input comment="Accept Related" connection-state=\
    related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept Internal Management" \
    in-interface=ether2_LAN
add action=accept chain=input comment="Accept Internal Management" \
    in-interface=ether3_Wireless_Link_SO
add action=accept chain=input comment="Accept Internal Management" \
    in-interface="Voice VLAN"
add action=accept chain=input comment="Accept Internal Management" \
    in-interface="Public WiFi VLAN"
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist port scanners" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment=\
    "Blacklist NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=2w chain=input comment="Blacklist NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=input comment="Accept IPSEC-ESP" protocol=ipsec-esp \
    src-address-list=IPSEC
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input comment="Blacklist SSH" dst-port=22 \
    in-interface="ether1_WAN T1" protocol=tcp
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input comment="Blacklist SSH" dst-port=22 \
    in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input comment="Blacklist DNS from Outside" \
    dst-port=53 in-interface="ether1_WAN T1" protocol=udp
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input comment="Blacklist DNS from Outside" \
    dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="Accept DHCP" protocol=udp src-port=\
    67-68
add action=accept chain=input comment="Accept DHCP" dst-port=67-68 protocol=\
    udp
add action=accept chain=input comment="Accept SNMP" dst-port=161 protocol=udp
add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp

Check your SNMP community settings. You just have the trap settings listed, by default the community is set to public I believe. Do you see the firewall rule that you have for SNMP increment?

Community is default public 0.0.0.0/0 read only. Enable SNMP required Trap target, I entered 0.0.0.0. SNMP firewall bytes and packets are 0. Thanks again.

I can do a MIB walk. So, I am using applications Spiceworks, OpManager and Solarwinds NPM. All cannot scan with SNMP.

MIB         OID                    Name           Value
SNMPv2-MIB  1.3.6.1.2.1.1.1.0      sysDescr.0     "RouterOS CCR1016-12G"
SNMPv2-MIB  1.3.6.1.2.1.1.2.0      sysObjectID.0  1.3.6.1.4.1.14988.1
SNMPv2-MIB  1.3.6.1.2.1.1.3.0      sysUpTime.0    69309200
SNMPv2-MIB  1.3.6.1.2.1.1.4.0      sysContact.0   "IT Support"
SNMPv2-MIB  1.3.6.1.2.1.1.5.0      sysName.0      "FW"
SNMPv2-MIB  1.3.6.1.2.1.1.6.0      sysLocation.0
SNMPv2-MIB  1.3.6.1.2.1.1.7.0      sysServices.0  78
IF-MIB      1.3.6.1.2.1.2.1.0      ifNumber.0     15
IF-MIB      1.3.6.1.2.1.2.2.1.1.1  ifIndex.1      1

If you can do a walk off of the same server, and SpiceWorks is able to pull data, then OpManager and Solarwinds should work just the same. I would check your firewall address list to make sure those servers didn’t fire the auto block rules that you have in place.

Turn on logging on all firewall rules, then look at the log when you try to get SNMP and see if you get some hits there.

I’ll report back with any discoveries. I moved the priority for the SNMP firewall policy up to the top. All Mikrotik switches work with SNMP. Just routers do not at this time. I’m stumped.
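
An added example (not part of the original thread, and not MikroTik code): a small Python model of a subset of the input-chain rules posted above, evaluated top-down, showing which rule's counters an SNMP poll increments and how a Blacklist entry changes the verdict. The source addresses, the placement of the poller behind ether2_LAN or the WAN port, and the restriction to new connections are assumptions.

```python
# Constructed model of the input chain posted in the thread (subset, same order).
# Assumption: only connection-state=new packets are modelled.
RULES = [  # (comment, action, match criteria)
    ("Drop Blacklisted IPs", "drop", {"src_list": "Blacklist"}),
    ("Accept ICMP", "accept", {"protocol": "icmp"}),
    ("Accept Internal Management", "accept", {"in_interface": "ether2_LAN"}),
    ("Blacklist SSH", "add-src-to-address-list",
     {"protocol": "tcp", "dst_port": 22, "in_interface": "ether1_WAN T1"}),
    ("Blacklist DNS from Outside", "add-src-to-address-list",
     {"protocol": "udp", "dst_port": 53, "in_interface": "ether1_WAN T1"}),
    ("Accept SNMP", "accept", {"protocol": "udp", "dst_port": 161}),
]

def matches(criteria, pkt, lists):
    for key, want in criteria.items():
        if key == "src_list":
            if pkt["src"] not in lists.get(want, set()):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(pkt, lists):
    """Return (verdict, deciding_rule, rules_whose_counters_incremented)."""
    hits = []
    for comment, action, criteria in RULES:
        if not matches(criteria, pkt, lists):
            continue
        hits.append(comment)
        if action in ("accept", "drop"):
            return action, comment, hits
        # add-src-to-address-list is non-terminating: record the source, keep going
        lists.setdefault("Blacklist", set()).add(pkt["src"])
    # The posted input rules end without a drop-all, so unmatched traffic is accepted
    return "accept", "no rule matched", hits

def demo():
    lists = {}  # constructed sample packets below; addresses are documentation ranges
    lan_poll = {"src": "192.0.2.10", "in_interface": "ether2_LAN",
                "protocol": "udp", "dst_port": 161}
    wan_ssh = {"src": "198.51.100.7", "in_interface": "ether1_WAN T1",
               "protocol": "tcp", "dst_port": 22}
    wan_poll = dict(wan_ssh, protocol="udp", dst_port=161)
    return [evaluate(p, lists) for p in (lan_poll, wan_poll, wan_ssh, wan_poll)], lists

if __name__ == "__main__":
    for verdict, rule, hits in demo()[0]:
        print(f"{verdict:6} by {rule!r}; counters hit: {hits}")
```

In this model a poll arriving on ether2_LAN is accepted by "Accept Internal Management" and never reaches "Accept SNMP", so that rule's counters stay at zero; a poller that earlier touched TCP 22 on the WAN port is dropped by the address-list rule at the top regardless of where the SNMP rule sits below it.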