SNMP

The Simple Network Management Protocol (SNMP) daemon enables remote monitoring of certain pfSense® software parameters. The SNMP daemon supports monitoring network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage.

The SNMP implementation is bsnmpd, which by default only has the most basic management information bases (MIBs) available, and is extended by loadable modules. In addition to acting as an SNMP daemon, it can also send traps to an SNMP server for certain events. These vary based on the modules loaded. For example, network link state changes will generate a trap if the MIB II module is loaded.

The SNMP service can be configured by navigating to Services > SNMP.

The easiest way to see the available data is to run snmpwalk against the firewall from another host with net-snmp or an equivalent package installed. The full contents of the MIBs available are beyond the scope of this documentation, but there are plenty of print and online resources for SNMP, and some of the MIB trees are covered in RFCs. For example, the Host Resources MIB is defined by RFC 2790.

SNMP Daemon

These options dictate if, and how, the SNMP daemon will run.

Enable

Controls whether or not the SNMP daemon will run.

Polling Port

SNMP connections are made using only UDP, and SNMP clients default to using UDP port 161. This setting controls which port the SNMP daemon uses when listening for client queries.

SNMP clients and/or polling agents must be set to match this value.

System location

A string to return when an SNMP client requests the system location.

Any text may be used here. For some devices a city or state may be close enough, while others may need more specific detail such as the rack and position in which the system resides.

System contact

A string defining contact information for the system. It can be a name, an e-mail address, a phone number, or whatever is needed.

Read Community String

With SNMP, the community string acts as a kind of username and password in one. SNMP clients will need to use this community string when polling.

Tip

The default value of public is common, so the best practice is to use a different value in addition to restricting access to the SNMP service with firewall rules.

SNMP Traps

Controls SNMP Trap behavior.

Enable

When set, the SNMP daemon will generate SNMP traps. Additionally, when set, the GUI displays options to control SNMP trap behavior.

Trap server

The hostname or IP address to which the SNMP daemon will forward SNMP traps.

Trap server port

The port on which the trap server is listening for traps.

By default, SNMP traps are sent on UDP port 162. If the SNMP trap server is set for a different port, adjust this setting to match.

SNMP trap string

The SNMP daemon sends this string along with any SNMP trap.

Modules

Loadable modules allow the SNMP daemon to understand and respond to queries for additional system information. Each loaded module consumes additional resources. As such, ensure that only required modules are loaded.

MibII

This module provides information specified in the standard MIB II tree, which covers networking information and interfaces. Having this module loaded will provide network interface information including status, hardware and IP addresses, the amount of data transmitted and received, and much more.

Netgraph

The netgraph module provides netgraph-related information such as netgraph node names and statuses, hook peers, and errors.

PF

The PF module provides a wealth of information about the pf packet filter. The MIB tree covers aspects of the ruleset, states, interfaces, tables, and ALTQ queues.

Host Resources

This module provides information about the host itself. This includes uptime, load average and processes, storage types and usage, attached system devices, and even installed software.

Note

This module requires MibII. If MibII is unchecked when this option is checked, MibII will be checked automatically.

UCD

This module provides various system information known as the ucdavis MIB, or UCD-SNMP-MIB. It provides information about memory usage, disk usage, running programs, and more.

Regex

The Regex module is reserved for future use or use by users customizing the code to their needs. It allows creating SNMP counters from log files or other text files.

Interface Binding

Binding to a specific local interface can ease communication over VPN tunnels as it eliminates the need for workarounds like static routes. It also provides extra security by not exposing the service to other interfaces. It can also improve communication over multiple local interfaces, since the SNMP daemon will reply from the “closest” address to a source IP address and not the IP address to which a client sent its query.

Internet Protocol

This controls whether the SNMP daemon will listen for queries on IPv4, IPv6, or both.

Bind Interfaces

This option configures the SNMP daemon to listen only on the chosen interface or virtual IP address. All interfaces with IP addresses, CARP VIPs, and IP Alias VIPs are displayed in the drop-down list.