The Simple Network Management Protocol (SNMP) daemon enables remote monitoring of certain pfSense® software parameters. The SNMP daemon supports monitoring network traffic, network flows, pf queues, and general system information such as CPU, memory, and disk usage.
The SNMP implementation is bsnmpd, which by default only has the most basic management information bases (MIBs) available, and is extended by loadable modules. In addition to acting as an SNMP daemon, it can also send traps to an SNMP server for certain events. These vary based on the modules loaded. For example, network link state changes will generate a trap if the MIB II module is loaded.
The SNMP service can be configured by navigating to Services > SNMP.
The easiest way to see the available data is to run
snmpwalk against the
firewall from another host with
net-snmp or an equivalent package installed.
The full contents of the MIBs available are beyond the scope of this
documentation, but there are plenty of print and online resources for SNMP, and
some of the MIB trees are covered in RFCs. For example, the Host Resources MIB
is defined by RFC 2790.
These options dictate if, and how, the SNMP daemon will run.
Controls whether or not the SNMP daemon will run.
- Polling Port
SNMP connections are made using only UDP, and SNMP clients default to using UDP port 161. This setting controls which port the SNMP daemon uses when listening for client queries.
SNMP clients and/or polling agents must be set to match this value.
- System location
A string to return when an SNMP client requests the system location.
Any text may be used here. For some devices a city or state may be close enough, while others may need more specific detail such as which rack and position in which the system resides.
- System contact
A string defining contact information for the system. It can be a name, an e-mail address, a phone number, or whatever is needed.
- Read Community String
With SNMP, the community string acts as a kind of username and password in one. SNMP clients will need to use this community string when polling.
The default value of
publicis common, so the best practice is to use a different value in addition to restricting access to the SNMP service with firewall rules.
Controls SNMP Trap behavior.
When set, the SNMP daemon will generate SNMP traps. Additionally, when set, the GUI displays options to control SNMP trap behavior.
- Trap server
The hostname or IP address to which the SNMP daemon will forward SNMP traps.
- Trap server port
The port on which the trap server is listening for traps.
By default, SNMP traps are set on UDP port
162. If the SNMP trap server is set for a different port, adjust this setting to match.
- SNMP trap string
The SNMP daemon sends this string along with any SNMP trap.
Loadable modules allow the SNMP daemon to understand and respond to queries for additional system information. Each loaded module consumes additional resources. As such, ensure that only required modules are loaded.
This module provides information specified in the standard MIB II tree, which covers networking information and interfaces. Having this module loaded will provide network interface information including status, hardware and IP addresses, the amount of data transmitted and received, and much more.
The netgraph module provides netgraph-related information such as netgraph node names and statuses, hook peers, and errors.
The PF module provides a wealth of information about the
pfpacket filter. The MIB tree covers aspects of the ruleset, states, interfaces, tables, and ALTQ queues.
- Host Resources
This module provides information about the host itself. This includes uptime, load average and processes, storage types and usage, attached system devices, and even installed software.
This module requires MibII. If MibII is unchecked when this option is checked, MibII will be checked automatically.
This module provides various system information knows as the
ucdavisMIB, or UCD-SNMP-MIB. It provides information about memory usage, disk usage, running programs, and more.
The Regex module is reserved for future use or use by users customizing the code to their needs. It allows creating SNMP counters from log files or other text files.
Binding to a specific local interface can ease communication over VPN tunnels as it eliminates the need for workarounds like static routes. It also provides extra security by not exposing the service to other interfaces. It can also improve communication over multiple local interfaces, since the SNMP daemon will reply from the “closest” address to a source IP address and not the IP address to which a client sent its query.
- Internet Protocol
This controls whether the SNMP daemon will listen for queries on IPv4, IPv6, or both.
- Bind Interfaces
This option configures the SNMP daemon to listen only on the chosen interface or virtual IP address. All interfaces with IP addresses, CARP VIPs, and IP Alias VIPs are displayed in the drop-down list.