[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

OPNsense

OPNsense is an open source, FreeBSD-based firewall and routing software developed by Deciso, a company in the Netherlands that makes hardware and sells support packages for OPNsense. It is a fork of pfSense, which in turn was forked from m0n0wall, which was built on FreeBSD. It was launched in January 2015.

Available solutions




This template is for Zabbix version: 7.0
Also available for: 6.4 6.2 6.0 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/opnsense_snmp?at=release/7.0

OPNsense by SNMP

Overview

Template for monitoring OPNsense by SNMP

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

  • OPNsense 22.1.9

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

  1. Enable bsnmpd daemon by creating new config file "/etc/rc.conf.d/bsnmpd" with the following content: bsnmpd_enable="YES"
  2. Uncomment the following lines in "/etc/snmpd.config" file to enable required SNMP modules: begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so" begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
  3. Start bsnmpd daemon with the following command: /etc/rc.d/bsnmpd start
  4. Setup a firewall rule to get access from Zabbix proxy or Zabbix server by SNMP (https://docs.opnsense.org/manual/firewall.html).
  5. Link the template to a host.

Macros used

Name Description Default
{$IF.ERRORS.WARN}

Threshold of error packets rate for warning trigger. Can be used with interface name as context.

2
{$IF.UTIL.MAX}

Threshold of interface bandwidth utilization for warning trigger in %. Can be used with interface name as context.

90
{$IFCONTROL}

Macro for operational state of the interface for link down trigger. Can be used with interface name as context.

1
{$NET.IF.IFADMINSTATUS.MATCHES}

This macro is used in filters of network interfaces discovery rule.

^.*
{$NET.IF.IFADMINSTATUS.NOT_MATCHES}

Ignore down(2) administrative status.

^2$
{$NET.IF.IFALIAS.MATCHES}

This macro is used in filters of network interfaces discovery rule.

.*
{$NET.IF.IFALIAS.NOT_MATCHES}

This macro is used in filters of network interfaces discovery rule.

CHANGE_IF_NEEDED
{$NET.IF.IFDESCR.MATCHES}

This macro is used in filters of network interfaces discovery rule.

.*
{$NET.IF.IFDESCR.NOT_MATCHES}

This macro is used in filters of network interfaces discovery rule.

CHANGE_IF_NEEDED
{$NET.IF.IFNAME.NOT_MATCHES}

This macro is used in filters of network interfaces discovery rule.

(^pflog[0-9.]*$|^pfsync[0-9.]*$)
{$NET.IF.IFOPERSTATUS.MATCHES}

This macro is used in filters of network interfaces discovery rule.

^.*$
{$NET.IF.IFOPERSTATUS.NOT_MATCHES}

Ignore notPresent(6).

^6$
{$NET.IF.IFTYPE.MATCHES}

This macro is used in filters of network interfaces discovery rule.

.*
{$NET.IF.IFTYPE.NOT_MATCHES}

This macro is used in filters of network interfaces discovery rule.

CHANGE_IF_NEEDED
{$SNMP.TIMEOUT}

The time interval for SNMP availability trigger.

5m
{$STATE.TABLE.UTIL.MAX}

Threshold of state table utilization trigger in %.

90
{$SOURCE.TRACKING.TABLE.UTIL.MAX}

Threshold of source tracking table utilization trigger in %.

90

Items

Name Description Type Key and additional info
SNMP agent availability

Availability of SNMP checks on the host. The value of this item corresponds to availability icons in the host list.

Possible values:

0 - not available

1 - available

2 - unknown

Zabbix internal zabbix[host,snmp,available]
Packet filter running status

MIB: BEGEMOT-PF-MIB

True if packet filter is currently enabled.

SNMP agent opnsense.pf.status
States table current

MIB: BEGEMOT-PF-MIB

Number of entries in the state table.

SNMP agent opnsense.state.table.count
States table limit

MIB: BEGEMOT-PF-MIB

Maximum number of 'keep state' rules in the ruleset.

SNMP agent opnsense.state.table.limit
States table utilization in %

Utilization of state table in %.

Calculated opnsense.state.table.pused
Source tracking table current

MIB: BEGEMOT-PF-MIB

Number of entries in the source tracking table.

SNMP agent opnsense.source.tracking.table.count
Source tracking table limit

MIB: BEGEMOT-PF-MIB

Maximum number of 'sticky-address' or 'source-track' rules in the ruleset.

SNMP agent opnsense.source.tracking.table.limit
Source tracking table utilization in %

Utilization of source tracking table in %.

Calculated opnsense.source.tracking.table.pused
DHCP server status

MIB: HOST-RESOURCES-MIB

The status of DHCP server process.

SNMP agent opnsense.dhcpd.status

Preprocessing

  • Check for not supported value: any error

    ⛔️Custom on fail: Set value to: 0

DNS server status

MIB: HOST-RESOURCES-MIB

The status of DNS server process.

SNMP agent opnsense.dns.status

Preprocessing

  • Check for not supported value: any error

    ⛔️Custom on fail: Set value to: 0

Web server status

MIB: HOST-RESOURCES-MIB

The status of lighttpd process.

SNMP agent opnsense.lighttpd.status

Preprocessing

  • Check for not supported value: any error

    ⛔️Custom on fail: Set value to: 0

Packets matched a filter rule

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.match

Preprocessing

  • Change per second
Packets with bad offset

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.bad.offset

Preprocessing

  • Change per second
Fragmented packets

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.fragment

Preprocessing

  • Change per second
Short packets

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.short

Preprocessing

  • Change per second
Normalized packets

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.normalize

Preprocessing

  • Change per second
Packets dropped due to memory limitation

MIB: BEGEMOT-PF-MIB

True if the packet was logged with the specified packet filter reason code. The known codes are: match, bad-offset, fragment, short, normalize, and memory.

SNMP agent opnsense.packets.mem.drop

Preprocessing

  • Change per second
Firewall rules count

MIB: BEGEMOT-PF-MIB

The number of labeled filter rules on this system.

SNMP agent opnsense.rules.count

Triggers

Name Description Expression Severity Dependencies and additional info
OPNsense: No SNMP data collection

SNMP is not available for polling. Please check device connectivity and SNMP settings.

max(/OPNsense by SNMP/zabbix[host,snmp,available],{$SNMP.TIMEOUT})=0 Warning
OPNsense: Packet filter is not running

Please check PF status.

last(/OPNsense by SNMP/opnsense.pf.status)<>1 High
OPNsense: State table usage is high

Please check the number of connections.

min(/OPNsense by SNMP/opnsense.state.table.pused,#3)>{$STATE.TABLE.UTIL.MAX} Warning
OPNsense: Source tracking table usage is high

Please check the number of sticky connections.

min(/OPNsense by SNMP/opnsense.source.tracking.table.pused,#3)>{$SOURCE.TRACKING.TABLE.UTIL.MAX} Warning
OPNsense: DHCP server is not running

Please check DHCP server settings.

last(/OPNsense by SNMP/opnsense.dhcpd.status)=0 Average
OPNsense: DNS server is not running

Please check DNS server settings.

last(/OPNsense by SNMP/opnsense.dns.status)=0 Average
OPNsense: Web server is not running

Please check lighttpd service status.

last(/OPNsense by SNMP/opnsense.lighttpd.status)=0 Average

LLD rule Network interfaces discovery

Name Description Type Key and additional info
Network interfaces discovery

Discovering interfaces from IF-MIB.

SNMP agent opnsense.net.if.discovery

Item prototypes for Network interfaces discovery

Name Description Type Key and additional info
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets discarded

MIB: IF-MIB

The number of inbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.in.discards[{#SNMPINDEX}]

Preprocessing

  • Change per second:
Interface [{#IFNAME}({#IFALIAS})]: Inbound packets with errors

MIB: IF-MIB

For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.in.errors[{#SNMPINDEX}]

Preprocessing

  • Change per second:
Interface [{#IFNAME}({#IFALIAS})]: Bits received

MIB: IF-MIB

The total number of octets received on the interface, including framing characters. This object is a 64-bit version of ifInOctets. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.in[{#SNMPINDEX}]

Preprocessing

  • Change per second:
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Outbound packets discarded

MIB: IF-MIB

The number of outbound packets which were chosen to be discarded

even though no errors had been detected to prevent their being deliverable to a higher-layer protocol.

One possible reason for discarding such a packet could be to free up buffer space.

Discontinuities in the value of this counter can occur at re-initialization of the management system,

and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.out.discards[{#SNMPINDEX}]

Preprocessing

  • Change per second:
Interface [{#IFNAME}({#IFALIAS})]: Outbound packets with errors

MIB: IF-MIB

For packet-oriented interfaces, the number of outbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of outbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.out.errors[{#SNMPINDEX}]

Preprocessing

  • Change per second:
Interface [{#IFNAME}({#IFALIAS})]: Bits sent

MIB: IF-MIB

The total number of octets transmitted out of the interface, including framing characters. This object is a 64-bit version of ifOutOctets.Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.

SNMP agent net.if.out[{#SNMPINDEX}]

Preprocessing

  • Change per second:
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Speed

MIB: IF-MIB

An estimate of the interface's current bandwidth in units of 1,000,000 bits per second. If this object reports a value of n' then the speed of the interface is somewhere in the range of n-500,000' to`n+499,999'. For interfaces which do not vary in bandwidth or for those where no accurate estimation can be made, this object should contain the nominal bandwidth. For a sub-layer which has no concept of bandwidth, this object should be zero.

SNMP agent net.if.speed[{#SNMPINDEX}]

Preprocessing

  • Custom multiplier: 1000000

  • Discard unchanged with heartbeat: 1h

Interface [{#IFNAME}({#IFALIAS})]: Operational status

MIB: IF-MIB

The current operational state of the interface.

- The testing(3) state indicates that no operational packet scan be passed

- If ifAdminStatus is down(2) then ifOperStatus should be down(2)

- If ifAdminStatus is changed to up(1) then ifOperStatus should change to up(1) if the interface is ready to transmit and receive network traffic

- It should change todormant(5) if the interface is waiting for external actions (such as a serial line waiting for an incoming connection)

- It should remain in the down(2) state if and only if there is a fault that prevents it from going to the up(1) state

- It should remain in the notPresent(6) state if the interface has missing(typically, hardware) components.

SNMP agent net.if.status[{#SNMPINDEX}]

Preprocessing

  • Discard unchanged with heartbeat: 6h

Interface [{#IFNAME}({#IFALIAS})]: Interface type

MIB: IF-MIB

The type of interface.

Additional values for ifType are assigned by the Internet Assigned Numbers Authority (IANA),

through updating the syntax of the IANAifType textual convention.

SNMP agent net.if.type[{#SNMPINDEX}]

Preprocessing

  • Discard unchanged with heartbeat: 6h

Interface [{#IFNAME}({#IFALIAS})]: Rules references count

MIB: BEGEMOT-PF-MIB

The number of rules referencing this interface.

SNMP agent net.if.rules.refs[{#SNMPINDEX}]
Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 traffic passed

MIB: BEGEMOT-PF-MIB

IPv4 bits per second passed coming in on this interface.

SNMP agent net.if.in.pass.v4.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 traffic blocked

MIB: BEGEMOT-PF-MIB

IPv4 bits per second blocked coming in on this interface.

SNMP agent net.if.in.block.v4.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 traffic passed

MIB: BEGEMOT-PF-MIB

IPv4 bits per second passed going out on this interface.

SNMP agent net.if.out.pass.v4.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 traffic blocked

MIB: BEGEMOT-PF-MIB

IPv4 bits per second blocked going out on this interface.

SNMP agent net.if.out.block.v4.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 packets passed

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets passed coming in on this interface.

SNMP agent net.if.in.pass.v4.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv4 packets blocked

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets blocked coming in on this interface.

SNMP agent net.if.in.block.v4.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 packets passed

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets passed going out on this interface.

SNMP agent net.if.out.pass.v4.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv4 packets blocked

MIB: BEGEMOT-PF-MIB

The number of IPv4 packets blocked going out on this interface.

SNMP agent net.if.out.block.v4.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 traffic passed

MIB: BEGEMOT-PF-MIB

IPv6 bits per second passed coming in on this interface.

SNMP agent net.if.in.pass.v6.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 traffic blocked

MIB: BEGEMOT-PF-MIB

IPv6 bits per second blocked coming in on this interface.

SNMP agent net.if.in.block.v6.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 traffic passed

MIB: BEGEMOT-PF-MIB

IPv6 bits per second passed going out on this interface.

SNMP agent net.if.out.pass.v6.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 traffic blocked

MIB: BEGEMOT-PF-MIB

IPv6 bits per second blocked going out on this interface.

SNMP agent net.if.out.block.v6.bps[{#SNMPINDEX}]

Preprocessing

  • Change per second
  • Custom multiplier: 8

Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 packets passed

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets passed coming in on this interface.

SNMP agent net.if.in.pass.v6.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Inbound IPv6 packets blocked

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets blocked coming in on this interface.

SNMP agent net.if.in.block.v6.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 packets passed

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets passed going out on this interface.

SNMP agent net.if.out.pass.v6.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second
Interface [{#IFNAME}({#IFALIAS})]: Outbound IPv6 packets blocked

MIB: BEGEMOT-PF-MIB

The number of IPv6 packets blocked going out on this interface.

SNMP agent net.if.out.block.v6.pps[{#SNMPINDEX}]

Preprocessing

  • Change per second

Trigger prototypes for Network interfaces discovery

Name Description Expression Severity Dependencies and additional info
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: High input error rate

It recovers when it is below 80% of the {$IF.ERRORS.WARN:"{#IFNAME}"} threshold.

min(/OPNsense by SNMP/net.if.in.errors[{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"} Warning Depends on:
  • OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: High inbound bandwidth usage

The utilization of the network interface is close to its estimated maximum bandwidth.

(avg(/OPNsense by SNMP/net.if.in[{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])) and last(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])>0 Warning Depends on:
  • OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: High output error rate

It recovers when it is below 80% of the {$IF.ERRORS.WARN:"{#IFNAME}"} threshold.

min(/OPNsense by SNMP/net.if.out.errors[{#SNMPINDEX}],5m)>{$IF.ERRORS.WARN:"{#IFNAME}"} Warning Depends on:
  • OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: High outbound bandwidth usage

The utilization of the network interface is close to its estimated maximum bandwidth.

(avg(/OPNsense by SNMP/net.if.out[{#SNMPINDEX}],15m)>({$IF.UTIL.MAX:"{#IFNAME}"}/100)*last(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])) and last(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])>0 Warning Depends on:
  • OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Ethernet has changed to lower speed than it was before

This Ethernet connection has transitioned down from its known maximum speed. This might be a sign of autonegotiation issues. Acknowledge to close the problem manually.

change(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])<0 and last(/OPNsense by SNMP/net.if.speed[{#SNMPINDEX}])>0 and ( last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=6 or last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=7 or last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=11 or last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=62 or last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=69 or last(/OPNsense by SNMP/net.if.type[{#SNMPINDEX}])=117 ) and (last(/OPNsense by SNMP/net.if.status[{#SNMPINDEX}])<>2) Info Depends on:
  • OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down
OPNsense: Interface [{#IFNAME}({#IFALIAS})]: Link down

This trigger expression works as follows:
1. It can be triggered if the operations status is down.
2. {$IFCONTROL:"{#IFNAME}"}=1 - a user can redefine context macro to value - 0. That marks this interface as not important. No new trigger will be fired if this interface is down.

{$IFCONTROL:"{#IFNAME}"}=1 and (last(/OPNsense by SNMP/net.if.status[{#SNMPINDEX}])=2) Average

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Articles and documentation

+ Propose new article

Didn't find integration you need?