SNMP reading with Multiple network paths

I’ve run into a problem with SNMP reads and I’m hoping it’s just something stupid I’ve overlooked. I searched the forum and haven’t found this topic discussed, let me know if I’ve missed the thread.

The Scenario:
Mikrotik router fed with multiple feeds as part of a loop (OSPF routing), with OSPF costing set up so one path is better than another. Interface 1 is all traffic incoming to the router, Interface 2 is all traffic leaving the router.

The problem:
When both links are active, SNMP reads to the Mikrotik time out. If one link is dropped, so traffic is going in and out of the same interface, the reads work just fine. I’ve tried doing an SNMP read of the IP on the OSPF interface, and setting up a loopback interface with a /32 address; neither one lets me SNMP if both links are active. Everything always responds fine to pings. If the paths are equal cost, SNMP reads work just fine.

Anyone else run into this?
Is there something simple I’m missing, or do I have to go and mess around with firewall output rules and try to force the SNMP traffic leaving the router over a specific interface?

-Nate

I screwed around for an hour trying to make this work. There was no combination of route marking, input output chain stuff, redirect, etc that will make it work for me. I really wish this could be fixed to reply on the IP that the request came in on - Microsoft SNMP does this! Maybe we both need to send requests to support to ask that they fix it. Almost all of our MT routers are multihomed now and it’s becoming a bigger pain to deal with.

I know UDP is stateless. I know I should be able to use the NAT redirect function to place it in the connection table and reply with the same IP. Doesn’t work like I’d expect it to.

Request: Please let the snmp packets leave with the same IP as the original request, no matter what interface it is sent from.

At least I’m not the only one with this problem. I will send a request to support and see what they have to say.

Try placing an IP on a loopback (bridge with no ports attached) interface and query that IP?

I have seen problems querying a MT and it sending the response out the port with the IP queried, even if the proper path was out a different port.

Did that. Empty bridge (loopback), used redirect, tried using a :6161 with dst-nat; nothing I did would make the snmpd respond on the same IP it was requested on.

I also tried with the loopback address. Does not work.

After working with support on this, it is possible. Basically, you need to mark the connections of SNMP traffic coming in on an interface, then based on the connection-mark, set the routing mark to the same interface on its way back out of the router.

Here are the steps I’ve implemented.

  1. Create a new static default route (0.0.0.0/0) for each uplink interface. Set a Distinct routing mark on each new route.
    Example: dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=snmprouting1

  2. Create Mangle Rules to mark the connections of Inbound SNMP Traffic.
    Example: chain=input action=mark-connection new-connection-mark=snmp1 protocol=udp dst-port=161 in-interface=ether1 passthrough=yes

  3. Create Mangle Rules to mark routing of the outbound connection based on the connection mark.
    Example: chain=output action=mark-routing new-routing-mark=snmprouting1 passthrough=yes connection-mark=snmp1
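
The three steps above written out for a router with two uplinks, as an added example that is not part of the original post. It uses the RouterOS v6 syntax shown in the steps; the second uplink (ether2), its gateway 10.10.20.1, and the names snmp2 and snmprouting2 are assumptions made for illustration.

```routeros
# Added example, not from the original thread.
# Assumed/constructed values: ether2, gateway 10.10.20.1, snmp2, snmprouting2.

# Step 1: one default route per uplink, each with its own routing mark.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=snmprouting1
add dst-address=0.0.0.0/0 gateway=10.10.20.1 routing-mark=snmprouting2

# Step 2: mark inbound SNMP connections according to the interface
# the request arrived on.
/ip firewall mangle
add chain=input action=mark-connection new-connection-mark=snmp1 \
    protocol=udp dst-port=161 in-interface=ether1 passthrough=yes
add chain=input action=mark-connection new-connection-mark=snmp2 \
    protocol=udp dst-port=161 in-interface=ether2 passthrough=yes

# Step 3: on the way out, pick the marked route that matches the
# connection mark, so the reply leaves via the uplink the request used.
add chain=output action=mark-routing new-routing-mark=snmprouting1 \
    connection-mark=snmp1 passthrough=yes
add chain=output action=mark-routing new-routing-mark=snmprouting2 \
    connection-mark=snmp2 passthrough=yes

# Check: the packet counters on all four rules should increase while
# the monitoring station polls over each path.
/ip firewall mangle print stats
```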