htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Connections total-entries

Fri Oct 07, 2016 2:27 pm

Hi there,
I need to monitor the number of connections. From the console I can see it with
/ip firewall connection tracking print
total-entries:
Is it possible to get this information via SNMP? Please tell me the OID.

How do you watch the value of the number of NAT translations on your network?

Regards,
Pavel
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Fri Oct 07, 2016 3:37 pm

You can do
/ip firewall connection print count-only
to get only a count. With the new "run script via snmp" feature it should be possible to read that over SNMP.
When you succeed in doing that, please show us how. (There is little documentation about this.)
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Tue Oct 11, 2016 10:08 am

Hi @pe1chl
pe1chl wrote:
You can do
/ip firewall connection print count-only
to get only a count. With the new "run script via snmp" feature it should be possible to read that over SNMP.
When you succeed in doing that, please show us how. (There is little documentation about this.)
Thanks, it's a good idea, but how the Run Script function works is still not clear to me.
I tried snmpwalk:
admin@vspotappliance:~$ snmpwalk -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.6 = STRING: "script1_password_guest"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "script2_first"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.8 = STRING: "radius-ping"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.6 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.8 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 0
And then I tried snmpset:
admin@vspotappliance:~$ snmpset -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1.3.9 s 1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 49
What is the value returned by SNMP (49)?
Is it possible to return another value, such as the value of a variable from the script?
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Tue Oct 11, 2016 10:42 am

It is not clear to me either. Hopefully we will get documentation.
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: Connections total-entries

Tue Oct 11, 2016 11:04 am

If you want to read a variable from the script, make it global and read its value from /system script environment. I haven't tried it in your scenario, but it might work, since that way the variable is always accessible and there is a chance it will have a functional OID.
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Tue Oct 11, 2016 11:26 am

There is an OID with the following description:
mtxrScriptRunOutput
.1.3.6.1.4.1.14988.1.1.18.1.1.2
this oid on get request will run script and return it's output
Of course it does not work. The script run counter does not increase, and SNMP returns the name of the script.
admin@vspotappliance:~$ snmpget -c public -v 1 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1.2.9
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3"
We would like to hear comments from MikroTik engineers.
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Tue Oct 11, 2016 12:33 pm

htechno wrote:
We would like to hear comments from MikroTik engineers.
Indeed! I also found those OIDs in the MIB and tried similar things as you did, but I was never able to
run a script from SNMP to receive the output value. It would be a useful feature, but I would have
preferred a separate table for OID->script mapping and enabling execution of the script, instead of
the vague "write permission" that is apparently used now.
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Tue Oct 11, 2016 1:09 pm

pe1chl wrote:
Indeed! I also found those OIDs in the MIB and tried similar things as you did, but I was never able to
run a script from SNMP to receive the output value. It would be a useful feature, but I would have
preferred a separate table for OID->script mapping and enabling execution of the script, instead of
the vague "write permission" that is apparently used now.
Running a script with the read-only community is not entirely correct from a security standpoint. Who knows what scripts you have on the equipment; running them poses some risk to the network.
Therefore I agree with the use of write rights.
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Tue Oct 11, 2016 4:42 pm

htechno wrote:
Running a script with the read-only community is not entirely correct from a security standpoint. Who knows what scripts you have on the equipment; running them poses some risk to the network.
Therefore I agree with the use of write rights.
That is why I would have preferred an explicit OID->script table, so you explicitly open the execution of scripts on reading certain OIDs (that you define yourself)
and you can control which scripts are accessible this way.
When a rights bit is used, it should have been an explicit one (SNMP). That still leaves the nasty problem that you cannot predict the OID and keep it the same on a number of routers.
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Wed Oct 12, 2016 10:32 am

Hello there,
I did it.
1. Create a new script that requests the number of connections:
/system script
add name=script3_connections owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall connection print count-only"
2. Get the script OID table with snmpwalk:
admin@vspotappliance:~$ snmpwalk -c public -v 2c 192.168.2.34 1.3.6.1.4.1.14988.1.1.8.1.1
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.6 = STRING: "script1_password_guest"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "script2_first"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.8 = STRING: "radius-ping"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3_connections"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.6 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.8 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.9 = INTEGER: 0
3. You must change the OID: replace the 8 with 18,
1.3.6.1.4.1.14988.1.1.8.1.1.2.9 to 1.3.6.1.4.1.14988.1.1.18.1.1.2.9
4. Do an snmpget. SNMP runs the script and returns its output, the number of connections:
admin@vspotappliance:~$ snmpget -c public -v 2c 192.168.2.34 1.3.6.1.4.1.14988.1.1.18.1.1.2.9
SNMPv2-SMI::enterprises.14988.1.1.18.1.1.2.9 = STRING: "22"
Profit
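The four steps above, put together as an added shell example (editor's code, not htechno's procedure or anything from MikroTik). It looks the script up by name in the mtxrScriptName walk and derives the mtxrScriptRunOutput OID from the index it finds, so the table index, which pe1chl points out cannot be predicted across routers, does not have to be edited by hand per device. It then parses the quoted STRING value from the snmpget reply, rejects a reply that is not a number (the thread shows the script name coming back instead of the count when the script does not actually run), and compares the count with a threshold. The sample walk and get lines are the ones posted above; the host, community, script name and threshold in the live helper are assumptions, and that helper needs net-snmp and a reachable router, so it is not exercised by the sample run. One caveat on step 1: a script whose only job is `/ip firewall connection print count-only` needs no more than the `read` policy, not the full list given there.

```bash
#!/usr/bin/env bash
# Added example (editor's code, not from the thread or MikroTik): find the
# RouterOS script's index in the mtxrScriptName table, build the matching
# mtxrScriptRunOutput OID, and parse the count that the snmpget returns.

# Column OIDs as used in the thread (enterprises.14988 = MikroTik).
SCRIPT_NAME_OID='1.3.6.1.4.1.14988.1.1.8.1.1.2'         # mtxrScriptName
SCRIPT_RUN_OUTPUT_OID='1.3.6.1.4.1.14988.1.1.18.1.1.2'  # mtxrScriptRunOutput

# Sample output copied from the thread's snmpwalk / snmpget; no router needed.
SAMPLE_WALK='SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.6 = STRING: "script1_password_guest"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "script2_first"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.8 = STRING: "radius-ping"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.9 = STRING: "script3_connections"'
SAMPLE_GET='SNMPv2-SMI::enterprises.14988.1.1.18.1.1.2.9 = STRING: "22"'

# script_index WALK_OUTPUT NAME: print the table index (last OID component)
# of the script called NAME, or return 1 if no such script exists.
script_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == "=" && $3 == "STRING:" {
            val = $0
            sub(/^[^"]*"/, "", val)      # drop everything up to the opening quote
            sub(/"$/, "", val)           # drop the closing quote
            if (val == want) {
                n = split($1, part, ".")
                print part[n]
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# run_output_oid INDEX: the OID whose GET runs the script and returns its output.
run_output_oid() {
    printf '%s.%s\n' "$SCRIPT_RUN_OUTPUT_OID" "$1"
}

# parse_count GET_LINE: print the integer inside STRING: "..."; return 1 when
# the reply is not a number (the thread shows the script *name* coming back
# when the script did not run, and an INTEGER reply from the wrong column).
parse_count() {
    val=${1#*"STRING: "}
    val=${val#\"}
    val=${val%\"}
    case "$val" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$val"
}

# over_threshold COUNT LIMIT: succeed when the connection count is at or above LIMIT.
over_threshold() {
    [ "$1" -ge "$2" ]
}

# fetch_count HOST COMMUNITY SCRIPT_NAME: live version for a real router
# (assumed host/community/script name). Requires net-snmp and, per the
# thread, a community with write rights. Not exercised by the sample data.
fetch_count() {
    idx=$(script_index "$(snmpwalk -v 2c -On -c "$2" "$1" "$SCRIPT_NAME_OID")" "$3") || return 1
    parse_count "$(snmpget -v 2c -On -c "$2" "$1" "$(run_output_oid "$idx")")"
}

# Stand-alone run on the sample data.
idx=$(script_index "$SAMPLE_WALK" "script3_connections")
printf 'script3_connections has index %s, run-output OID %s\n' "$idx" "$(run_output_oid "$idx")"
printf 'connections: %s\n' "$(parse_count "$SAMPLE_GET")"
```

The `-On` switch on the live calls makes net-snmp print numeric OIDs, so the index extraction works the same whether or not the MikroTik MIB is installed on the poller. Feeding the returned count into something like `over_threshold "$(fetch_count 192.168.2.34 public script3_connections)" 50000` gives a cron-friendly alert on the conntrack table filling up.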
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Wed Oct 12, 2016 3:18 pm

OK, that is reasonably simple.
I still would have preferred that the OID (at least the last number) were settable in some screen and
the scripts would only be runnable when in that table.
Now you have given the script all access, and probably people often do that, and it means that now
their scripts can be run by anyone knowing the read-only SNMP community (usually public).
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Wed Oct 12, 2016 9:12 pm

pe1chl wrote:
it means that now their scripts can be run by anyone knowing the read-only SNMP community (usually public).
In fact, no :D
I have noticed that the script is executed and returns its output only if the community has the right to write.

It may seem strange, because we perform an snmpget read operation, but it's true. You cannot run the script with a read-only community.
 
pe1chl
Forum Guru
Posts: 6237
Joined: Mon Jun 08, 2015 12:09 pm

Re: Connections total-entries

Wed Oct 12, 2016 9:39 pm

Ah, that is why it failed to work here... I experimented but never got the above result.
Well, that is not good either! It should be possible to read from the read-only community and
still execute a (trusted) script to provide the value, e.g. to graph some values using standard
monitoring software that reads all variables using the same community.
 
htechno
just joined
Topic Author
Posts: 14
Joined: Fri Sep 05, 2014 9:51 am

Re: Connections total-entries

Wed Oct 12, 2016 10:09 pm

pe1chl wrote:
Ah, that is why it failed to work here... I experimented but never got the above result.
Well, that is not good either! It should be possible to read from the read-only community and
still execute a (trusted) script to provide the value, e.g. to graph some values using standard
monitoring software that reads all variables using the same community.
OK. That is another question. It is suitable for solving my problem.
