SNMP Over Internet

swits1109 · March 26, 2017, 10:16pm

Hello,

We have set our SNMP community string. We have also set the firewall to accept ports 161-162. See: https://goo.gl/E6TQbp and https://goo.gl/LUho9u

However, when trying to query SNMP over the internet, it fails.

Can you help? Thanks

pietroscherer · March 27, 2017, 1:11am

Make sure that your accept rules for SNMP protocol is above the drop rule of input chain (if exists).
Make sure too, if your ISP allow SNMP through it.

swits1109 · March 27, 2017, 1:13am

Yes, the rule is above all others. We are the ISP, so no problem there.

pietroscherer · March 27, 2017, 1:19am

SNMP is answered locally? Can you see the accept rules in input chain, counting packtes?

swits1109 · March 27, 2017, 6:13am

Here are the firewall settings:
https://goo.gl/OFr9qn

Unfortunately, no way to check SNMP locally, only over the internet.

pietroscherer · March 27, 2017, 1:08pm

Your router seems to receiving SNMP packets..
Some applications can use SNMP over TCP. Accept too the TCP rule for ports 161 and 162.

Note that don’t specify the src-address os these rules can be dangerous, once that SNMP can be used for DDoS attack amplification.

swits1109 · March 27, 2017, 2:04pm

It seems to be receiving a few packets, but I don’t think they are from me. Whenever I have tried to query, it fails. I am using PRTG to specifically monitor bandwidth, and it fails every time.

swits1109 · March 27, 2017, 2:06pm

I did change it to TCP with no change.

pietroscherer · March 27, 2017, 3:41pm

My suggestion:

Try using a SNMP Tool (example: PRTG SNMP), running locally (Windows machine directly connected into the router). If SNMP responses are ok, RouterOS is ok. Then, you can run the same tool into your remote PRTG Server.

swits1109 · March 27, 2017, 4:53pm

Funny thing, I am actually using PRTG to try to monitor this router. I’ll try to run it locally and see what happens.

shaoranrch · March 27, 2017, 7:04pm

Are you dual homed? With assymetric traffic paths?

Enviado desde mi SAMSUNG-SM-G920A mediante Tapatalk

swits1109 · March 27, 2017, 7:06pm

Not dual homed.

shaoranrch · March 27, 2017, 7:13pm

Do you have multiple IPs on the wan interface?

Are you querying to the main IP of the wan interface if the answer to the previous question is yes?

Enviado desde mi SAMSUNG-SM-G920A mediante Tapatalk

swits1109 · March 27, 2017, 7:20pm

Only 1 IP is on that interface. The router does respond to SNMP over the LAN, but not internet.

shaoranrch · March 28, 2017, 3:42am

Taking into account you said it works from the LAN side, are you 100% sure the router is receiving the petition? Did you do a packet capture?

I’ve worked with isp that are really odd and block everything going to well known ports towards their clients, maybe this is your case.

Enviado desde mi SAMSUNG-SM-G920A mediante Tapatalk