snmp configuration ok, but what about firewall rules?

Hi,

I configured snmp on my RB450G.
I also configured an snmp community and set read access to yes.
Now I want to poll data from the device with our cacti server, but when I do a port scan on the MT device I don’t even see port 161 being open.
I guess I need a firewall rule to accomplish this. (Eventually we want to poll on port 8161)
Let’s say my cacti server is at 1.2.3.4 and polling on 8161 to the ip on the MT device.
What’s the correct syntax of the rule(s) to add?


Many tnx
B

Let’s say my cacti server is at 1.2.3.4 and polling on 8161 to the ip on the MT device.

Port 161 is the correct port for snmp. I would stick with that for now, at least until you get it working.

If your firewall filter rules are not complex, then this should do

/ip firewall filter
add chain=input dst-port=161 protocol=udp action=accept

Then ensure this is above the default drop rule. It should look like this:
chain=input action=drop

I use a src-address with that accept rule also. I limit control/management access to only my networks. And now it is actually the port-knock rules that allow me to access my routers with my Blackberry phone (dynamic ip).

ADD: Once that is working, you can use this to use port 8161

/ip firewall nat
add chain=dstnat action=dst-nat dst-port=8161 to-ports=161 protocol=udp

Ok tnx, will try it out.
I can’t use port 161 everywhere as some of the ISPs we work with block that port, so we go for 8161 by a nat rule.

Up & running :wink: Tnx!

I was happy too fast :frowning:
It actually was working on port 161, but now when trying on 8161 it doesn’t work. (I applied the rules above)
I can’t use port 161 on this connection as the ISP blocks it.

Someone who can bring some light here?
Tnx

[admin@stn448] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=input action=accept protocol=udp dst-port=161 
[admin@stn448] /ip firewall filter> 

[admin@stn448] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade src-address=192.168.88.0/24 

 2   ;;; masquerade hotspot network
     chain=srcnat action=masquerade src-address=192.168.150.0/24 

 3   chain=dstnat action=dst-nat to-addresses=0.0.0.0 to-ports=161 protocol=udp dst-port=8161 
[admin@stn448] /ip firewall nat>

I removed all other firewall rules to be sure they didn’t conflict somewhere, but still no joy for snmp on p8161
Tnx for all help.

I think you need to remove the “to-addresses=0.0.0.0”.

3 chain=dstnat action=dst-nat > to-addresses=0.0.0.0 > to-ports=161 protocol=udp dst-port=8161

Yes, Tried this first and it didn’t work.
When I added the default lan address (192.168.88.1) there it worked :slight_smile:

Tnx

I have basically the same problem. I’ve set up the SNMP service, firewall input and NAT rules, yet it doesn’t work. Port 161 is also filtered, so I needed the NAT rule. Other NAT rules are happily working, this one doesn’t. Using torch I can see incoming traffic from the management machine to UDP port 8161, but it doesn’t get forwarded to the RB750G’s port 161. It’s as if the service wasn’t running. Please advise, what am I doing wrong here?

/snmp export
/snmp set contact=your@mail.com enabled=yes engine-boots=0 engine-id="" location=SomeCountry time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community set public address=x.x.35.229/32 authentication-password="" authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=public \
    read-access=yes security=none write-access=no

/ip firewall filter print
 7   chain=input action=accept protocol=udp dst-address=x.x.139.66 dst-port=8161 
/ip firewall nat print
10   chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=161 protocol=udp dst-address=x.x.139.66 dst-port=8161

You’re rewriting the destination address of all SNMP packets to 192.168.88.1, but your input firewall filter only allows packets to x.x.139.66. 192.168.88.1 isn’t equal to x.x.139.66, so the rule doesn’t match. Additionally your firewall filter rule looks for a destination port of 8161, but your NAT rule rewrites the port to 161.

There are several ways to fix this, but my preferred one would be to delete that input chain filter rule and replace it with this one:

/ip firewall filter add chain=input src-address=x.x.35.229 protocol=udp dst-port=161 action=accept

x.x.35.229 is taken from your SNMP community export. Filtering by destination address on the input chain usually doesn’t make much sense. The input chain only sees traffic destined to IPs on a router interface, usually it’s irrelevant what interface that IP is on.
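
To make the ordering argument above concrete, here is a small Python model of the packet path a RouterOS firewall applies to the poll: the dstnat rule in prerouting rewrites the destination first, then the input chain is evaluated against the rewritten packet. It is an added example, not code from the thread or from RouterOS; the public addresses 203.0.113.66 and 198.51.100.229 are constructed stand-ins for the redacted x.x.139.66 and x.x.35.229, the rules are transcribed from the posts above, and the treatment of a rewritten destination the router does not own (the earlier to-addresses=0.0.0.0 attempt) is a stated model assumption, not a description of RouterOS internals.

```python
# Toy model (added example, not from the forum thread or RouterOS) of the
# order in which a RouterOS firewall evaluates a dst-nat rule and an input
# filter rule, used to show why the rules posted in the thread did not match.
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-ins for the redacted addresses in the thread:
ROUTER_PUBLIC = "203.0.113.66"     # x.x.139.66 (ether1)
ROUTER_LAN = "192.168.88.1"        # ether2
POLLER = "198.51.100.229"          # x.x.35.229 (the Zabbix / cacti poller)
ROUTER_ADDRESSES = {ROUTER_PUBLIC, ROUTER_LAN}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # An omitted matcher matches anything, as in RouterOS.
        return ((self.protocol is None or self.protocol == pkt.proto)
                and (self.src_address is None or self.src_address == pkt.src)
                and (self.dst_address is None or self.dst_address == pkt.dst)
                and (self.dst_port is None or self.dst_port == pkt.dport))


def first_match(rules, chain, pkt):
    """Rules are evaluated top to bottom; the first match decides."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule
    return None


def deliver(pkt: Packet, nat_rules, filter_rules) -> str:
    """dstnat (prerouting) runs before the routing decision; only packets
    whose (possibly rewritten) destination is a router address reach the
    input chain, which is where the SNMP service listens."""
    nat = first_match(nat_rules, "dstnat", pkt)
    if nat is not None and nat.action == "dst-nat":
        pkt = replace(pkt,
                      dst=nat.to_addresses or pkt.dst,
                      dport=nat.to_ports or pkt.dport)
    if pkt.dst not in ROUTER_ADDRESSES:
        # Model assumption: a rewritten destination that is not one of the
        # router's own addresses leaves the input path (it would be routed
        # via the forward chain instead), so the local SNMP agent never
        # sees it. This is consistent with what the first poster observed
        # with to-addresses=0.0.0.0.
        return "not-delivered-to-router"
    hit = first_match(filter_rules, "input", pkt)
    return hit.action if hit else "accept"   # RouterOS default is accept


POLL = Packet(src=POLLER, dst=ROUTER_PUBLIC, proto="udp", dport=8161)

NAT_TO_LAN = [Rule("dstnat", "dst-nat", protocol="udp", dst_address=ROUTER_PUBLIC,
                   dst_port=8161, to_addresses=ROUTER_LAN, to_ports=161)]
DEFAULT_DROP = Rule("input", "drop")   # the "default drop rule" from the thread


def verdict_posted_rules() -> str:
    # Filter rule as posted: it matches the pre-NAT destination, which no
    # longer exists by the time the input chain runs.
    filt = [Rule("input", "accept", protocol="udp", dst_address=ROUTER_PUBLIC, dst_port=8161),
            DEFAULT_DROP]
    return deliver(POLL, NAT_TO_LAN, filt)


def verdict_fixed_rules() -> str:
    # Suggested replacement: match the post-NAT port and the poller's source.
    filt = [Rule("input", "accept", protocol="udp", src_address=POLLER, dst_port=161),
            DEFAULT_DROP]
    return deliver(POLL, NAT_TO_LAN, filt)


def verdict_zero_to_address() -> str:
    # First poster's attempt: to-addresses=0.0.0.0 rewrites the destination
    # to an address the router does not own.
    nat = [Rule("dstnat", "dst-nat", protocol="udp", dst_port=8161,
                to_addresses="0.0.0.0", to_ports=161)]
    filt = [Rule("input", "accept", protocol="udp", dst_port=161), DEFAULT_DROP]
    return deliver(POLL, nat, filt)


def verdict_other_source() -> str:
    # With the fixed rule set, any other host probing 8161 is still dropped.
    filt = [Rule("input", "accept", protocol="udp", src_address=POLLER, dst_port=161),
            DEFAULT_DROP]
    return deliver(replace(POLL, src="192.0.2.10"), NAT_TO_LAN, filt)


if __name__ == "__main__":
    for fn in (verdict_posted_rules, verdict_fixed_rules,
               verdict_zero_to_address, verdict_other_source):
        print(f"{fn.__name__}: {fn()}")
```

Running it prints a verdict per scenario: the rules as posted end in the default drop, the replacement input rule accepts the poller, the 0.0.0.0 rewrite never reaches the input chain under the model, and a stranger probing 8161 is still dropped because the accept is keyed on src-address rather than on the public destination. The same check applies when adding any dst-nat in front of a local service: write the input rule against the post-NAT port, and restrict it by source.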

After having found the problem myself, let me phrase in simple words what I wanted to achieve, we might still find a fault, and others may be able to learn from it. x.x.139.66 is the router’s public gateway address on ether1, 192.168.88.1 is the internal LAN address on ether2, x.x.35.229 is the remote management server (Zabbix).

What I wanted to achieve:

  1. Enable SNMP service on the router
  2. Open 8161 on ether1 before the default drop rule
  3. Forward x.x.139.66:8161 to 192.168.88.1:161
  4. Allow only x.x.35.229 to access x.x.139.66:8161 from the public side
  5. This one I forgot first: allow UDP to 192.168.88.1:161 before the default drop rule

4 was effectively missing and adding an accept to UDP 192.168.88.1:161 solved the problem, remote SNMP access is working now.

PS.: thanks for the ultra quick answer :wink: