jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0

SNMP Discovery with pfSense #258

Closed photomatix18 closed 1 year ago

photomatix18 commented 1 year ago

Describe the issue

I can't seem to get Pi.Alert to ingest the ARP tables from my pfSense box. When I run `snmpwalk -v 2c -c public -OXsq 192.168.0.1 .1.3.6.1.2.1.4.22.1.2` from the docker cli, I get the expected output so I know the docker container is able to receive the info.

iso.3.6.1.2.1.4.22.1.2.3.192.168.20.1 "52 54 00 BC CC D4 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.10 "52 54 00 57 77 76 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.11 "2C A5 9C F0 B3 06 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.12 "2C A5 9C F0 B1 91 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.13 "EC 71 DB 06 B3 79 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.15 "9C 8E CD 38 E2 93 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.16 "9C 8E CD 38 E1 F8 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.17 "08 A1 89 48 55 D9 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.18 "08 A1 89 48 55 75 "

Paste last few lines from pialert.log

You can use tail -20 /home/pi/pialert/front/log/pialert.log

19:09:33 [Plugins] Check if any plugins need to be executed on run type: always_after_scan
19:09:33 [Plugins] ---------------------------------------------
19:09:33 [Plugins] display_name: SNMP discovery
19:09:33 [Plugins] CMD: python3 /home/pi/pialert/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}
19:09:33 [Plugins] Timeout: 5
19:09:33 snmpwalk -v 2c -c public -OXsq 192.168.0.1 .1.3.6.1.2.1.4.22.1.2
19:09:33 [Plugins]: Pre-Resolved CMD: python3/home/pi/pialert/front/plugins/snmp_discovery/script.pyrouters={s-quote}{routers}{s-quote}
19:09:33 [Plugins] Executing: python3 /home/pi/pialert/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}
19:09:33 [Plugins] Resolved : ['python3', '/home/pi/pialert/front/plugins/snmp_discovery/script.py', "routers='snmpwalk -v 2c -c public -OXsq 192.168.0.1 .1.3.6.1.2.1.4.22.1.2'"]
19:09:34 [Plugins] No output received from the plugin SNMPDSC - enable LOG_LEVEL=debug and check logs

Paste your pialert.conf (remove personal info)

#-----------------AUTOGENERATED FILE-----------------#
#                                                    #
#         Generated:  2023-06-20_19-10-06            #
#                                                    #
#   Config file for the LAN intruder detection app:  #
#      https://github.com/jokob-sk/Pi.Alert          #
#                                                    #
#-----------------AUTOGENERATED FILE-----------------#

# General
#---------------------------
ENABLE_ARPSCAN=True
SCAN_SUBNETS=['192.168.0.0/24 --interface=eth0']
LOG_LEVEL='debug'
TIMEZONE='America/Chicago'
ENABLE_PLUGINS=True
PIALERT_WEB_PROTECTION=False
PIALERT_WEB_PASSWORD='8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'
INCLUDED_SECTIONS=['internet','new_devices','down_devices','events']
SCAN_CYCLE_MINUTES=5
DAYS_TO_KEEP_EVENTS=90
REPORT_DASHBOARD_URL='http://pi.alert'
DIG_GET_IP_ARG='-4 myip.opendns.com @resolver1.opendns.com'
UI_LANG='English'
UI_PRESENCE=['online','offline','archived']

# Email
#---------------------------
REPORT_MAIL=False
SMTP_SERVER='smtp.gmail.com'
SMTP_PORT=587
REPORT_TO='user@gmail.com'
REPORT_FROM='Pi.Alert <user@gmail.com>'
SMTP_SKIP_LOGIN=False
SMTP_USER='user@gmail.com'
SMTP_PASS='password'
SMTP_SKIP_TLS=False
SMTP_FORCE_SSL=False

# Webhooks
#---------------------------
REPORT_WEBHOOK=False
WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
WEBHOOK_PAYLOAD='json'
WEBHOOK_REQUEST_METHOD='GET'

# Apprise
#---------------------------
REPORT_APPRISE=False
APPRISE_HOST='http://localhost:8000/notify'
APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com'
APPRISE_PAYLOAD='html'

# NTFY
#---------------------------
REPORT_NTFY=False
NTFY_HOST='https://ntfy.sh'
NTFY_TOPIC='replace_my_secure_topicname_91h889f28'
NTFY_USER='user'
NTFY_PASSWORD='passw0rd'

# PUSHSAFER
#---------------------------
REPORT_PUSHSAFER=False
PUSHSAFER_TOKEN='ApiKey'

# MQTT
#---------------------------
REPORT_MQTT=False
MQTT_BROKER='192.168.1.2'
MQTT_PORT=1883
MQTT_USER='mqtt'
MQTT_PASSWORD='passw0rd'
MQTT_QOS=0
MQTT_DELAY_SEC=2

# DynDNS
#---------------------------
DDNS_ACTIVE=False
DDNS_DOMAIN='your_domain.freeddns.org'
DDNS_USER='dynu_user'
DDNS_PASSWORD='A0000000B0000000C0000000D0000000'
DDNS_UPDATE_URL='https://api.dynu.com/nic/update?'

# PiHole
#---------------------------
PIHOLE_ACTIVE=False
DHCP_ACTIVE=False

# Pholus
#---------------------------
PHOLUS_ACTIVE=False
PHOLUS_TIMEOUT=120
PHOLUS_FORCE=False
PHOLUS_RUN='once'
PHOLUS_RUN_TIMEOUT=600
PHOLUS_RUN_SCHD='0 4 * * *'
PHOLUS_DAYS_DATA=7

# Nmap
#---------------------------
NMAP_ACTIVE=True
NMAP_TIMEOUT=150
NMAP_RUN='none'
NMAP_RUN_SCHD='0 2 * * *'
NMAP_ARGS='-p -10000'

# API
#---------------------------
API_CUSTOM_SQL='SELECT * FROM Devices WHERE dev_PresentLastScan = 0'

# DHCPLSS
#---------------------------
DHCPLSS_RUN='disabled'
DHCPLSS_CMD='python3 /home/pi/pialert/front/plugins/dhcp_leases/script.py paths={paths}'
DHCPLSS_paths_to_check=['/mnt/dhcp1.leases','/mnt/dhcp2.leases']
DHCPLSS_RUN_SCHD='0 2 * * *'
DHCPLSS_RUN_TIMEOUT=5
DHCPLSS_WATCH=['Watched_Value1','Watched_Value4']
DHCPLSS_REPORT_ON=['new','watched-changed']

# DHCPSRVS
#---------------------------
DHCPSRVS_RUN='disabled'
DHCPSRVS_CMD='python3 /home/pi/pialert/front/plugins/dhcp_servers/script.py'
DHCPSRVS_RUN_SCHD='0 2 * * *'
DHCPSRVS_RUN_TIMEOUT=5
DHCPSRVS_WATCH=['Watched_Value1']
DHCPSRVS_REPORT_ON=['new','watched-changed']

# NMAPSRV
#---------------------------
NMAPSRV_RUN='disabled'
NMAPSRV_CMD='SELECT  ns.MAC as Object_PrimaryID, cast({s-quote}http://{s-quote} || dv.dev_LastIP as VARCHAR(100)) || {s-quote}:{s-quote} || cast( SUBSTR(ns.Port ,0, INSTR(ns.Port , {s-quote}/{s-quote})) as VARCHAR(100)) as Object_SecondaryID,  datetime() as DateTime,  ns.Service as Watched_Value1, ns.State as Watched_Value2, dv.dev_Name as Watched_Value3,        {s-quote}null{s-quote} as Watched_Value4,        ns.Extra as Extra, ns.MAC as ForeignKey FROM (SELECT * FROM Nmap_Scan) ns left JOIN (SELECT dev_Name, dev_MAC, dev_LastIP FROM Devices) dv  ON ns.MAC = dv.dev_MAC'
NMAPSRV_RUN_SCHD='0 2 * * *'
NMAPSRV_WATCH=['Watched_Value1']
NMAPSRV_REPORT_ON=['new','watched-changed']

# SNMPDSC
#---------------------------
SNMPDSC_RUN='always_after_scan'
SNMPDSC_CMD='python3 /home/pi/pialert/front/plugins/snmp_discovery/script.py routers={s-quote}{routers}{s-quote}'
SNMPDSC_routers=['snmpwalk -v 2c -c public -OXsq 192.168.0.1 .1.3.6.1.2.1.4.22.1.2']
SNMPDSC_RUN_SCHD='* * * * *'
SNMPDSC_RUN_TIMEOUT=5
SNMPDSC_WATCH=['Watched_Value2']
SNMPDSC_REPORT_ON=['new','watched-changed','watched-not-changed']

# UNDIS
#---------------------------
UNDIS_RUN='disabled'
UNDIS_CMD='python3 /home/pi/pialert/front/plugins/undiscoverables/script.py devices={devices}'
UNDIS_RUN_TIMEOUT=10
UNDIS_devices_to_import=['dummy_router']

# UNFIMP
#---------------------------
UNFIMP_RUN='disabled'
UNFIMP_CMD='python3 /home/pi/pialert/front/plugins/unifi_import/script.py username={username} password={password}  host={host} sites={sites}  protocol={protocol} port={port} version={version}'
UNFIMP_username=''
UNFIMP_password=''
UNFIMP_protocol='https://'
UNFIMP_host='192.168.1.1'
UNFIMP_port='8443'
UNFIMP_version=''
UNFIMP_sites=['default']
UNFIMP_RUN_SCHD='0 2 * * *'
UNFIMP_RUN_TIMEOUT=5
UNFIMP_WATCH=['Watched_Value1','Watched_Value4']
UNFIMP_REPORT_ON=['new','watched-changed']

# WEBMON
#---------------------------
WEBMON_RUN='disabled'
WEBMON_CMD='python3 /home/pi/pialert/front/plugins/website_monitor/script.py urls={urls}'
WEBMON_RUN_SCHD='0 2 * * *'
WEBMON_API_SQL='SELECT * FROM plugin_website_monitor'
WEBMON_RUN_TIMEOUT=5
WEBMON_WATCH=['Watched_Value1']
WEBMON_REPORT_ON=['new','watched-changed']
WEBMON_urls_to_check=['https://google.com','https://duck.com']
WEBMON_SQL_internet_ip='SELECT dev_LastIP FROM Devices WHERE dev_MAC = {s-quote}Internet{s-quote}'

#-------------------IMPORTANT INFO-------------------#
#   This file is ingested by a python script, so if  #
#        modified it needs to use python syntax      #
#-------------------IMPORTANT INFO-------------------#

Paste your docker-compose.yml and .env (remove personal info)

docker run

docker run
  -d
  --name='PiAlert'
  --net='br0'
  --ip='192.168.0.3'
  -e TZ="America/Chicago"
  -e HOST_CONTAINERNAME="PiAlert"
  -e 'TZ'='America/Chicago'
  -e 'TCP_PORT_20211'='20211'
  -v '/mnt/user/appdata/pialert/config':'/home/pi/pialert/config':'rw'
  -v '/mnt/user/appdata/pialert/db':'/home/pi/pialert/db':'rw'
  -v '/mnt/user/appdata/pihole-dot-doh/pihole/pihole-FTL.db':'/etc/pihole/pihole-FTL.db':'rw' 'jokobsk/pi.alert' 
jokob-sk commented 1 year ago

Hi there,

Can you please verify that your returned data has the same format as described in the docs here?

https://github.com/jokob-sk/Pi.Alert/tree/main/front/plugins/snmp_discovery

This issue might be relevant too: https://github.com/jokob-sk/Pi.Alert/issues/256

photomatix18 commented 1 year ago

This is my output:

iso.3.6.1.2.1.4.22.1.2.3.192.168.20.1 "52 54 00 BC CC D4 "

Compared to what is expected:

iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C "

The only difference I can see is the amount of characters in the strings. Would that affect anything?

jokob-sk commented 1 year ago

Hi!

Thanks for checking!

The SNMP Discovery script is pretty simple:

https://github.com/jokob-sk/Pi.Alert/blob/a318a15cad0d1835b871b4fd27e0a5c040bd7e67/front/plugins/snmp_discovery/script.py#L91

The processing of the output is pretty strict and tested only on the mentioned use-case.

I tried fixing the script for your input, but I'd need you to test this to verify this fix:

https://github.com/jokob-sk/Pi.Alert/commit/a318a15cad0d1835b871b4fd27e0a5c040bd7e67

To test this, grab the latest dev build here:

https://registry.hub.docker.com/r/jokobsk/pi.alert_dev

If this doesn't work, feel free to submit a PR to the above code file that would process pfsense entries appropriately.

Thanks, j
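
The two rows compared above differ in the OID index, not just the string length: `.1.3.6.1.2.1.4.22.1.2` (IP-MIB `ipNetToMediaPhysAddress`, as walked on pfSense) is indexed by `ifIndex.a.b.c.d`, while `.1.3.6.1.2.1.3.1.1.2` (the older RFC1213 `atPhysAddress` table shown in the plugin docs) is indexed by `ifIndex.1.a.b.c.d`, so a parser that assumes one fixed number of components before the IP drops every row of the other table. The parser below is an added example written for this page, not the project's `snmp_discovery/script.py` nor the commit linked above; it reads `snmpwalk -OXsq` output in either form, tolerates the `iso.` vs `.1.` prefix and the trailing space inside the quoted MAC, and skips rows that are not a six-octet address. The sample input is constructed from the rows in this thread plus two lines a parser should ignore.

```python
"""Parse `snmpwalk -OXsq` ARP/neighbour-table output from routers such as pfSense.

Added example for the NetAlertX issue thread; not the project's own plugin code.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Numeric base OIDs (no leading dot) of the two tables seen in the thread.
# They hold the same data but their table indexes differ, which is what a
# strict single-format parser trips over.
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"  # IP-MIB ipNetToMediaPhysAddress: index = ifIndex.a.b.c.d
AT_PHYS_ADDRESS = "1.3.6.1.2.1.3.1.1.2"        # RFC1213 atPhysAddress:          index = ifIndex.1.a.b.c.d

# `-OXsq` prints:  <oid> "<space-separated hex octets> "   (note the trailing space)
LINE_RE = re.compile(r'^\s*(?P<oid>[A-Za-z0-9.]+)\s+"(?P<hex>[0-9A-Fa-f ]*)"\s*$')


class ArpEntry(NamedTuple):
    ifindex: int
    ip: str
    mac: str


def _numeric_oid(oid: str) -> str:
    """Map 'iso.3.6...' (printed when no MIB is loaded) and '.1.3.6...' to '1.3.6...'."""
    if oid.startswith("iso."):
        oid = "1." + oid[len("iso."):]
    return oid.lstrip(".")


def parse_arp_line(line: str) -> Optional[ArpEntry]:
    """Return an ArpEntry for one snmpwalk output line, or None if the row is unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None                                   # error text, blank line, non-string value
    parts = _numeric_oid(m.group("oid")).split(".")
    octets = m.group("hex").split()                   # split() also drops the trailing space
    if len(octets) != 6:
        return None                                   # empty or non-MAC physical address
    base = parts[:10]
    if base == IP_NET_TO_MEDIA_PHYS.split(".") and len(parts) == 15:
        ifindex, ip_parts = parts[10], parts[11:]     # ifIndex . a.b.c.d
    elif base == AT_PHYS_ADDRESS.split(".") and len(parts) == 16 and parts[11] == "1":
        ifindex, ip_parts = parts[10], parts[12:]     # ifIndex . 1 . a.b.c.d
    else:
        return None                                   # some other OID or a malformed index
    try:
        ip = str(ipaddress.IPv4Address(".".join(ip_parts)))
        ifindex_int = int(ifindex)
    except ValueError:
        return None
    mac = ":".join(o.zfill(2).upper() for o in octets)
    return ArpEntry(ifindex_int, ip, mac)


def parse_snmpwalk(output: str) -> List[ArpEntry]:
    """Parse a whole snmpwalk run, keeping only rows that carry a valid IP/MAC pair."""
    return [e for e in (parse_arp_line(ln) for ln in output.splitlines()) if e is not None]


# Constructed sample: two pfSense rows from the issue, one row in the older
# atPhysAddress format from the plugin docs, an empty address, and a net-snmp
# error line. Only the first three should be ingested.
SAMPLE_OUTPUT = """\
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.1 "52 54 00 BC CC D4 "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.10 "52 54 00 57 77 76 "
iso.3.6.1.2.1.3.1.1.2.3.1.192.168.1.2 "6C 6C 6C 6C 6C 6C "
iso.3.6.1.2.1.4.22.1.2.3.192.168.20.99 ""
iso.3.6.1.2.1.4.22.1.2 No Such Object available on this agent at this OID
"""

if __name__ == "__main__":
    for entry in parse_snmpwalk(SAMPLE_OUTPUT):
        print(f"if{entry.ifindex:<3} {entry.ip:<16} {entry.mac}")
```

Pipe real output into `parse_snmpwalk` to check what the plugin would see from your router before enabling it. Two practical notes: the `ifIndex` is kept because the same IP can legitimately appear on more than one interface on a firewall, and the walk in the thread uses SNMPv2c with the `public` community, which is sent in cleartext, so on a production firewall restrict that community to read-only access from the NetAlertX host or move to SNMPv3.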

photomatix18 commented 1 year ago

Fantastic, that works!

jokob-sk commented 1 year ago

Keeping open until in production image.

ajtatum commented 1 year ago

Would this theoretically also work with OPNsense as well since they're somewhat similar?

jokob-sk commented 1 year ago

It should, if the protocol is respected. You can test this in the _dev image :)

jokob-sk commented 1 year ago

Should be included in the latest release > Closing