ssube
New Around Here
I'm trying to set up SNMP for the router so I can monitor it from an existing Nagios installation on an off-site server. I'm having trouble getting the router to respond to SNMP requests from the WAN, despite trying a few different iptables rules. The router is a new AC66U, running 3.0.0.4.270.26 (Merlin build).
I was very recently and unfortunately forced to switch to Comcast as an ISP, and they say that they block ports 161 and 162 across the network. In light of that, I'm trying to redirect 1610 to 161. I currently have port forwarding set up for my NAS, 1611->161, and SNMP works just fine there.
The first thing I tried was setting up a port forwarding rule from 1610->127.0.0.1:161 (UDP), which didn't seem to work:
Code:
[ssube@centos-server ~]$ snmpwalk -v 2c -c [name] [ip]:1610
Timeout: No Response from [ip]:1610
[ssube@centos-server ~]$ snmpwalk -v 2c -c [name] [ip]:1611
SNMPv2-MIB::sysDescr.0 = STRING: Linux Triton 2.6.32.12 #2668 Tue Dec 11 12:36:30 CST 2012 armv5tel
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
The NAS rule is working just fine, as you can see above. Removing the NAS rule and replacing 1610 with 1611 in all the router rules didn't seem to help. The error message (no response) has been consistent regardless of what I try.
My second attempt was to go through iptables itself. I set up the following rules:
Code:
boss@RT-AC66U:/jffs/scripts# cat firewall-start
#!/bin/sh
iptables -I INPUT 1 -p udp --dport 1610 -j ACCEPT
boss@RT-AC66U:/jffs/scripts# cat nat-start
#!/bin/sh
iptables -t nat -A PREROUTING -p udp --dport 1610 -j REDIRECT --to-port 161
From within the LAN, I can see the router just fine:
Code:
ssube@KRAKEN /c/Program Files/ConEmu > snmpwalk -v 2c -c [name] 192.168.1.1:1610
SNMPv2-MIB::sysDescr.0 = STRING: Linux RT-AC66U 2.6.22.19 #1 Sun Mar 17 17:16:27 EDT 2013 mips
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
However, I still can't see it from outside of the LAN, with or without the INPUT chain rule. Both rules appear in iptables:
Code:
boss@RT-AC66U:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
.....
ACCEPT udp -- anywhere anywhere udp dpt:1610
(listed before any DROP rules, after a few unrelated ACCEPTs)
Code:
boss@RT-AC66U:/jffs/scripts# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere [ip].comcast.net
REDIRECT udp -- anywhere anywhere udp dpt:1610 redir ports 161
Still, no luck on external SNMP. I've tried tcpdump to see if the packets are making it in at all, but running tcpdump on the router seems to kick me off wifi within a few seconds, and I haven't had a chance to plug into the router and run it there yet (will edit with updates when I do).
The scripts seem to be working, since the rules appear. Is there anything in the router that could be conflicting? Any router/firmware oddities I should know about that could be getting in the way? If it's purely an iptables rule problem (and not something so obvious you folks catch it right away), I can try this on ServerFault or similar.
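The following is an added example, not code from the post or from the Merlin firmware. It models the two chains the posted rules touch so the ordering problem is visible: nat PREROUTING runs before filter INPUT, and REDIRECT rewrites the packet's destination port to 161 (and its destination address to the primary address of the interface it arrived on), so an INPUT rule matching udp dport 1610 is never hit for a redirected packet. A LAN request still gets through only because the stock chain accepts LAN-side traffic. The corrected INPUT rule matches the post-NAT port and, because SNMPv2c carries the community string in cleartext with no authentication, accepts it only from the monitoring host. The interface names (br0/eth0), the WAN and Nagios addresses, the stock LAN accept rule, the trailing DROP, and snmpd's bind address are all assumptions for the simulation, not facts from the post.

```python
# Added example (not from the post): simulate the netfilter path a UDP
# SNMP request takes through nat PREROUTING and then filter INPUT.
from dataclasses import dataclass, replace
from typing import List, Optional

LAN_IF, WAN_IF = "br0", "eth0"      # assumed interface names
LAN_IP = "192.168.1.1"              # router LAN address from the post
WAN_IP = "203.0.113.10"             # constructed WAN address (TEST-NET-3)
NAGIOS_IP = "198.51.100.7"          # constructed Nagios server address


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    """One iptables rule; match fields left as None are wildcards."""
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    src: Optional[str] = None
    to_port: Optional[int] = None   # REDIRECT --to-port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.in_if is None or self.in_if == pkt.in_if)
                and (self.src is None or self.src == pkt.src))

    def as_iptables(self, table: str, chain: str) -> str:
        """Render the rule as the command that would append it."""
        parts = ["iptables"] + (["-t", table] if table != "filter" else [])
        parts += ["-A", chain]
        if self.in_if: parts += ["-i", self.in_if]
        if self.src: parts += ["-s", self.src]
        if self.proto: parts += ["-p", self.proto]
        if self.dport is not None: parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        if self.to_port is not None: parts += ["--to-port", str(self.to_port)]
        return " ".join(parts)


def nat_prerouting(pkt: Packet, rules: List[Rule]) -> Packet:
    """REDIRECT rewrites the destination to the primary address of the
    interface the packet arrived on and the port to --to-port. nat
    PREROUTING runs before filter INPUT, so INPUT sees the rewritten packet."""
    for r in rules:
        if r.target == "REDIRECT" and r.matches(pkt):
            new_dst = LAN_IP if pkt.in_if == LAN_IF else WAN_IP
            return replace(pkt, dst=new_dst, dport=r.to_port)
    return pkt


def filter_input(pkt: Packet, rules: List[Rule]) -> str:
    """First match wins; anything unmatched hits the trailing DROP that the
    stock firmware appends for WAN-side traffic (assumed here)."""
    for r in rules:
        if r.matches(pkt):
            return r.target
    return "DROP"


def deliver(pkt: Packet, nat_rules: List[Rule], input_rules: List[Rule],
            snmpd_binds: List[str]) -> str:
    """Full path: nat PREROUTING -> filter INPUT -> snmpd's bound addresses."""
    after_nat = nat_prerouting(pkt, nat_rules)
    if filter_input(after_nat, input_rules) != "ACCEPT":
        return f"dropped by INPUT (dport is now {after_nat.dport})"
    if after_nat.dst not in snmpd_binds and "0.0.0.0" not in snmpd_binds:
        return f"accepted but snmpd is not bound to {after_nat.dst}"
    return "delivered to snmpd"


# The post's rules: INPUT accepts dport 1610, but by the time INPUT runs
# the REDIRECT has already rewritten the port to 161, so it never matches.
POSTED_NAT = [Rule("REDIRECT", proto="udp", dport=1610, to_port=161)]
POSTED_INPUT = [Rule("ACCEPT", proto="udp", dport=1610),
                Rule("ACCEPT", in_if=LAN_IF)]   # stock LAN-side accept (assumed)

# Corrected: match the post-NAT port, and only from the monitoring host,
# since SNMPv2c sends the community string in cleartext with no authentication.
FIXED_INPUT = [Rule("ACCEPT", proto="udp", dport=161, src=NAGIOS_IP),
               Rule("ACCEPT", in_if=LAN_IF)]

WAN_REQUEST = Packet(WAN_IF, NAGIOS_IP, WAN_IP, 1610)       # from Nagios
LAN_REQUEST = Packet(LAN_IF, "192.168.1.50", LAN_IP, 1610)  # from a LAN host
SCANNER = Packet(WAN_IF, "192.0.2.99", WAN_IP, 1610)        # anyone else

if __name__ == "__main__":
    for label, pkt, rules in [("posted/WAN", WAN_REQUEST, POSTED_INPUT),
                              ("posted/LAN", LAN_REQUEST, POSTED_INPUT),
                              ("fixed/WAN", WAN_REQUEST, FIXED_INPUT),
                              ("fixed/scanner", SCANNER, FIXED_INPUT)]:
        print(label, "->", deliver(pkt, POSTED_NAT, rules, ["0.0.0.0"]))
    print(FIXED_INPUT[0].as_iptables("filter", "INPUT"))
```

On the router itself the same question can be answered without tcpdump: `iptables -t nat -L PREROUTING -v -n` and `iptables -L INPUT -v -n` show per-rule packet counters, so a REDIRECT counter that climbs while the INPUT dport-1610 counter stays at zero is exactly the ordering effect simulated above. If a capture is still wanted, restricting it to the WAN interface (for example `tcpdump -i eth0 -n udp port 1610`, with the interface name an assumption) keeps it off the wireless interface. The simulation's last case also covers the second trap: with REDIRECT the WAN-side packet is addressed to the WAN IP, so snmpd has to be bound to that address or to 0.0.0.0, not only to the LAN address.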