snmp not working on mikrotik device with a pppoe connection

RouterOS General
1

Solved: As a not-exactly-expert in Mikrotik, it didn’t quite occur to me that I had to manually enable “snmp” TWICE: once for the community I’d added, and once again for SNMP entirely. Generally other networking devices are much simpler: enable/disable SNMP in one single spot, and have a (usually small) list of read/write communities. Splitting those up into two screens on the webfig leaves us wondering “why, when it is showing “Enabled”, isn’t it working?”

I have a mikrotik device connected to the internet via pppoe. I need to be able to monitor the device via snmp.

Evidently the fact that this is on a pppoe connection, that means the mikrotik will not respond to queries on its public ip? While this ip address is not static, it’s assigned at login time, I do currently know what the public ip is.

I have indeed ensured that the firewall explicitly allows inbound connections to udp/161 to both its ether1 interface and its pppoe-out1 interface.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow ssh,http,https" dst-port=22,80,443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow snmp" dst-port=161 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow ssh,http,https" dst-port=22,80,443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="allow snmp" dst-port=161 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

(Note that the above firewall rules for ssh/web are working here)

snmpwalk -v 1 -c ip.ip.ip.ip

just responds with “Timeout: No Response from ip.ip.ip.ip”.

I need some explicit advice on how to get this going, my Google Fu is just bringing up half-useful advice from several years ago.

2

  1. what does /snmp print show?

  2. if everything is allright there, the next question is “do the SNMP query packets arrive to the Mikrotik at all”? So run /tool sniffer quick ip-protocol=udp port=161 interface=pppoe-out1 on the Mikrotik, and try the snmpwalk again. If you can see the packets to arrive, the issue is on the Mikrotik; if you cannot, something along the way is blocking them or the responses sent by the Mikrotik.

  3. if no IP address is attached to ether1 itself, there is no need for any rules referring to in-interface=ether1, as interfaces without any IP address attached to them are invisible for the IP firewall. The fact that the PPPoE transport packets physically pass through ether1 is irrelevant for the IP firewall.

3
  1. /snmp community print shows:
Flags: * - default, X - disabled
 #    NAME     ADDRESSES                                          SECURITY   REA WRI
 0 *X public   ::/0                                               none       yes no
 1    XXXXXXXX 0.0.0.0/0                                          none       yes no

The “public” default has been disabled, and the community I’m connecting to should be available on all ip addresses.

  1. I want the snmp to be available on the LAN if necessary as well as to the public-facing internet. And so I’ve got the firewall adjusted accordingly.

  2. Running “/tool sniffer quick ip-protocol=udp port=161 interface=all” I got this output:

INTERFACE                  TIME    NUM DI SRC-MAC           DST-MAC           VLAN
pppoe-out1               12.015      1 <-
pppoe-out1               13.016      2 <-
pppoe-out1               14.017      3 <-
pppoe-out1               15.018      4 <-
pppoe-out1               16.019      5 <-
pppoe-out1                17.02      6 <-

but the client running snmpwalk only got “Timeout: No Response from ip.ip.ip.ip”

The problematic Mikrotik is connected via a pppoe session to another Mikrotik acting as a pppoe server. I can query THAT device via snmp directly on its public ip address. There are no firewalls between that (working) device and the (problematic) Mikrotik in question. The only configuration difference is that the problematic one is connected via pppoe instead of directly.

4

In my project using Splunk to monitor RouterOS I stopped using SNMP, since public IP may change.
I do us script on the router that sends all needed information to a sentral Syslog server.

See here:
http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/1

5

Some additional info, my end-goal is to be able to monitor/manage this problematic device via The Dude. This (apparently because of the pppoe link and the resulting problems with the snmp) is currently not working for us.

6

I wasn’t asking about /snmp community print but about just /snmp print to check whether SNMP is enabled at all. I haven’t found anywhere in your OP nor here whether this very Tik does respond to SNMP queries coming in via some other interface or whether you’ve only ever tried via the PPPoE WAN so far. Nor have you stated whether it responds on any other protocol than SNMP on the PPPoE WAN.


OK, so the packets do make it to the machine, which ignores them, as you’ve set interface=all (which could be completely omitted as well), so you would see the response to be sent via some other interface if it existed.