The Simple Network Management Protocol (SNMP) daemon enables remote monitoring of some pfSense system parameters. Depending on the options chosen, monitoring may be performed for network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage. The SNMP implementation used by pfSense is bsnmpd, which by default only has the most basic management information bases (MIBs) available, and is extended by loadable modules. In addition to acting as an SNMP daemon, it can also send traps to an SNMP server for certain events. These vary based on the modules loaded. For example, network link state changes will generate a trap if the MIB II module is loaded.
The SNMP service can be configured by navigating to Services > SNMP.
The easiest way to see the available data is to run snmpwalk against the firewall from another host with net-snmp or an equivalent package installed.
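As an added example (not from the pfSense book or from net-snmp), the script below walks the MIB-II interface table that bsnmpd serves when the MibII module is loaded and reports interfaces that are administratively up but have no link. The firewall address, community string and port are assumed values and must be changed to match the Polling Port and Read Community String configured under Services > SNMP; the sample walk output embedded at the bottom is constructed so the parser can be exercised without a firewall.

```shell
#!/bin/sh
# Added example (not from the pfSense book or net-snmp): walk the firewall's MIB-II
# interface table with snmpwalk and report interfaces that are administratively up but
# operationally down.  FW, COMMUNITY and PORT are assumed values; change them to match
# the Polling Port and Read Community String configured under Services > SNMP.
FW=${FW:-192.0.2.1}
COMMUNITY=${COMMUNITY:-s3cretRO}
PORT=${PORT:-161}

# ifTable lives at 1.3.6.1.2.1.2.2.1 (served by bsnmpd's MibII module).
# -On prints numeric OIDs and -Oq drops the "=" and the type, so each line is "<oid> <value>".
walk_iftable() {
    snmpwalk -v2c -c "$COMMUNITY" -On -Oq "$FW:$PORT" 1.3.6.1.2.1.2.2.1
}

# Reads "<oid> <value>" lines on stdin and prints "<ifIndex> <ifDescr>" for every
# interface with ifAdminStatus up(1) but ifOperStatus not up(1).
# Columns: ifDescr = ...2.2.1.2.<idx>, ifAdminStatus = ...2.2.1.7.<idx>, ifOperStatus = ...2.2.1.8.<idx>
report_down() {
    awk '
        { n = split($1, a, "."); idx = a[n] }
        $1 ~ /^\.1\.3\.6\.1\.2\.1\.2\.2\.1\.2\./ { descr[idx] = $2 }
        $1 ~ /^\.1\.3\.6\.1\.2\.1\.2\.2\.1\.7\./ { admin[idx] = $2 }
        $1 ~ /^\.1\.3\.6\.1\.2\.1\.2\.2\.1\.8\./ { oper[idx]  = $2 }
        END { for (i in descr) if (admin[i] == 1 && oper[i] != 1) print i, descr[i] }
    ' | sort -n
}

# Constructed sample of what the walk returns for three interfaces: em1 is up in the
# configuration but has no link; em2 is administratively disabled and is ignored.
SAMPLE='.1.3.6.1.2.1.2.2.1.2.1 em0
.1.3.6.1.2.1.2.2.1.2.2 em1
.1.3.6.1.2.1.2.2.1.2.3 em2
.1.3.6.1.2.1.2.2.1.7.1 1
.1.3.6.1.2.1.2.2.1.7.2 1
.1.3.6.1.2.1.2.2.1.7.3 2
.1.3.6.1.2.1.2.2.1.8.1 1
.1.3.6.1.2.1.2.2.1.8.2 2
.1.3.6.1.2.1.2.2.1.8.3 2'

case "${1:-}" in
    live)   walk_iftable | report_down ;;
    sample) printf '%s\n' "$SAMPLE" | report_down ;;
esac
```

Run it as `sh ifcheck.sh sample` to see the parser report `2 em1` from the constructed data, or `sh ifcheck.sh live` to poll the firewall. Because the community string travels in cleartext in every SNMPv2c packet, run the live form only from a host on a network the firewall rules already permit to reach the SNMP port.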
The full contents of the MIBs available are beyond the scope of this book, but there are plenty of print and online resources for SNMP, and some of the MIB trees are covered in RFCs. For example, the Host Resources MIB is defined by
SNMP and IPv6
The bsnmpd daemon does not currently support IPv6; the SNMP service listens and replies on IPv4 addresses only.
These options dictate if, and how, the SNMP daemon will run. To turn the SNMP daemon on, check Enable. Once Enable has been checked, the other options may then be changed.
- Polling Port
SNMP connections are made using only UDP, and SNMP clients default to UDP port 161. This setting controls which port the SNMP daemon listens on; if it is changed from the default, the SNMP client or polling agent must be configured to use the same port.
- System location
This text field specifies the string returned when the system location is queried via SNMP. Any text may be used here. For some devices a city or state may be close enough, while others may need more specific detail such as the rack and position the system occupies.
- System contact
A string defining contact information for the system. It can be a name, an e-mail address, a phone number, or whatever is needed.
- Read Community String
With SNMP, the community string acts as a kind of username and password in one. SNMP clients must present this community string when polling. The default value of `public` is widely known and is the first value any scanner tries, so we strongly recommend using a different value. Bear in mind that with SNMPv1 and SNMPv2c the community string is sent in cleartext in every packet, so it cannot be treated as a secret on untrusted networks; always restrict access to the SNMP service with firewall rules as well.
To instruct the SNMP daemon to send SNMP traps, check Enable. Once Enable has been checked, the other options may then be changed.
- Trap server
The trap server is the hostname or IP address to which SNMP traps are forwarded.
- Trap server port
By default, SNMP traps are sent to UDP port 162. If the SNMP trap receiver listens on a different port, adjust this setting to match.
- SNMP trap string
This string will be sent along with any SNMP trap that is generated.
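The Read Community String and SNMP trap string discussed above are both carried in the same cleartext field of an SNMPv2c message. The following is an added example, not pfSense or bsnmpd code: a minimal BER codec that builds the GetRequest a poller sends for sysLocation.0 and sysContact.0, builds the kind of linkDown trap bsnmpd emits when the MibII module is loaded, and implements the check a trap receiver should apply before acting on a trap. The community string `public` and the trap string `pfsense-traps` are assumed values, as is the ifIndex used in the trap.

```python
"""SNMPv2c on the wire: minimal BER encoder/decoder for a GetRequest and a linkDown trap.
Added example, not pfSense or bsnmpd code; community and trap strings are assumed."""
import hmac

VERSION_V2C = 1
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS = 0x41, 0x42, 0x43   # SNMP application types
TAG_GETREQ, TAG_TRAP = 0xA0, 0xA7                               # PDU types used here

class OID(str):
    """Marks an OID-valued varbind (snmpTrapOID.0) so it is not encoded as a string."""

def tlv(tag, body):
    """BER tag-length-value with long-form length for bodies of 128 bytes or more."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def int_bytes(v):
    """Minimal two's-complement content octets (INTEGER and its application subtypes)."""
    n = (v.bit_length() + 8) // 8 if v >= 0 else ((~v).bit_length() + 8) // 8
    return v.to_bytes(n, "big", signed=True)

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]                   # first two arcs share one byte
    for a in arcs[2:]:                               # base-128, high bit = continuation
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(TAG_OID, bytes(out))

def enc_value(v):
    if v is None:                                    # placeholder value in a GetRequest
        return tlv(TAG_NULL, b"")
    if isinstance(v, OID):
        return enc_oid(v)
    if isinstance(v, str):
        return tlv(TAG_OCTSTR, v.encode())
    tag, n = v if isinstance(v, tuple) else (TAG_INT, v)   # (application tag, value) or int
    return tlv(tag, int_bytes(n))

def build_message(pdu_tag, community, varbinds, request_id=1):
    """SNMPv2c message = SEQUENCE { version, community (cleartext), PDU }."""
    vbl = b"".join(tlv(TAG_SEQ, enc_oid(o) + enc_value(v)) for o, v in varbinds)
    pdu = tlv(pdu_tag, enc_value(request_id) + enc_value(0) + enc_value(0) + tlv(TAG_SEQ, vbl))
    return tlv(TAG_SEQ, enc_value(VERSION_V2C) + enc_value(community) + pdu)

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def seq_items(buf):
    """Yield (tag, body) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def dec_oid(body):
    a0 = min(body[0] // 40, 2)
    arcs, val = [a0, body[0] - 40 * a0], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (TAG_INT, TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS):
        return int.from_bytes(body, "big", signed=True)
    if tag == TAG_OCTSTR:
        return body.decode(errors="replace")
    return dec_oid(body) if tag == TAG_OID else (None if tag == TAG_NULL else body)

def parse_message(data):
    """Split a message into version, community, PDU type and (oid, value) pairs."""
    tag, msg, _ = read_tlv(data)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    (_, ver), (_, comm), (pdu_tag, pdu) = seq_items(msg)
    vbl = list(seq_items(pdu))[3][1]                 # after request-id, error-status, error-index
    varbinds = []
    for _, item in seq_items(vbl):
        (_, oid), (vtag, vbody) = seq_items(item)
        varbinds.append((dec_oid(oid), dec_value(vtag, vbody)))
    return {"version": dec_value(TAG_INT, ver), "community": comm.decode(errors="replace"),
            "pdu": pdu_tag, "varbinds": varbinds}

def accept_trap(packet, expected_trap_string):
    """Receiver-side check: only v2c traps carrying the agreed trap string are accepted."""
    msg = parse_message(packet)
    if msg["version"] != VERSION_V2C or msg["pdu"] != TAG_TRAP:
        raise ValueError("not an SNMPv2c trap")
    if not hmac.compare_digest(msg["community"].encode(), expected_trap_string.encode()):
        raise ValueError("trap string mismatch")
    return dict(msg["varbinds"])

# Assumed sample messages: a poll for sysLocation.0/sysContact.0 with the default community,
# and a linkDown trap (snmpTrapOID.0 = 1.3.6.1.6.3.1.1.5.3) for ifIndex 2 after 1234.56 s uptime.
GET_SYSINFO = build_message(TAG_GETREQ, "public", [("1.3.6.1.2.1.1.6.0", None), ("1.3.6.1.2.1.1.4.0", None)])
LINKDOWN_TRAP = build_message(TAG_TRAP, "pfsense-traps", [
    ("1.3.6.1.2.1.1.3.0", (TAG_TIMETICKS, 123456)),            # sysUpTime.0
    ("1.3.6.1.6.3.1.1.4.1.0", OID("1.3.6.1.6.3.1.1.5.3")),      # snmpTrapOID.0 = linkDown
    ("1.3.6.1.2.1.2.2.1.1.2", 2)])                              # ifIndex.2
```

Printing `GET_SYSINFO.hex()` shows the bytes `7075626c6963` (`public`) sitting unprotected right after the version field, which is why the text above pairs a non-default community string with firewall rules rather than relying on the string alone. The trap string is the same field in the other direction: `accept_trap` uses a constant-time comparison and rejects anything that is not a v2c trap, which is the least a receiver should do before acting on a linkDown notification.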
Loadable modules allow the SNMP daemon to understand and respond to queries for more system information. Each loaded module will consume additional resources. As such, ensure that only required modules are loaded.
- MibII
This module provides the information specified in the standard MIB II tree, which covers networking information and interfaces. Among other things, loading it makes network interface information available, including status, hardware and IP addresses, the amount of data transmitted and received, and much more.
- Netgraph
The netgraph module provides some netgraph-related information such as netgraph node names and statuses, hook peers, and errors.
- PF
The pf module provides a wealth of information about pf. Its MIB tree covers aspects of the ruleset, states, interfaces, tables, and ALTQ queues.
- Host Resources
This module provides information about the host itself, including uptime, load average and processes, storage types and usage, attached system devices, and even installed software. This module requires MibII, so if MibII is unchecked when this option is checked, MibII will be checked automatically.
- UCD
This module provides various system information known as the ucdavis MIB, or UCD-SNMP-MIB. It provides information about memory usage, disk usage, running programs, and more.
- Regex
The Regex module is reserved for future use or for users customizing the code to their needs. It allows creating SNMP counters from log files or other text files.
This option configures the SNMP daemon to listen only on the chosen interface or virtual IP address. All interfaces with IP addresses, CARP VIPs, and IP Alias VIPs are displayed in the drop-down list.
Binding to a specific local interface can ease communication over VPN tunnels, as it eliminates the need for the previously mentioned static route, and it also provides extra security by not exposing the service on other interfaces. It can also improve communication across multiple local interfaces: when listening on all addresses, the SNMP daemon replies from the address “closest” to the source IP address rather than the address to which the query was sent, and some clients discard replies that do not come from the address they queried. Binding to one address makes the reply source predictable.