====== Remote OPNSense Monitoring with Zabbix ======
We had a request to monitor remote [[https://opnsense.org/|opnSense]] routers with [[https://www.zabbix.com/|Zabbix]], and we wanted to do this as securely as possible. opnSense is an Open Source router firmware based on [[https://www.freebsd.org/|FreeBSD]] that can turn many devices into highly secure router/firewalls. As an Open Source project, there are many additional modules to work with such as Zabbix Agent and SNMP.
We modified the built in templates //FreeBSD by Zabbix Agent// and //OPNsense by SNMP// by cloning them and appending //- Daily Data// to the end of the name for some light customization we wanted.
===== Collect Information =====
- From Router
- Get interface name of WAN network port (normally vtnet0 on virtuals)
- Interfaces | WAN | Device
- Get Host Name
- Lobby | System Information | Name
- Get public IP address
- Lobby | Interfaces | WAN
- From Zabbix
- Get public Interface IP Address
- use something like whatsmyip.org from the LAN the Zabbix server is on, or just look at public IP of router Zabbix server is behind
- Also create an SNMP Community name containing alphanumerics and underscores/dashes (no spaces, please)
===== Set up opnSense router =====
Note: most of the time, to add a plugin, your router firmware needs to be up to date. If you get a message about not being able to install a plugin, you may need to update your firmware.
- Add Zabbix Agent and SNMP Daemon
- System | Firmware | Plugin
- os-zabbix6-agent
- os-net-snmp
- Configure Zabbix Agent
- Services | Zabbix Agent | Settings
- Main Settings tab
- Enabled: check
- Hostname: name of router from //Host Name// above
- Listen Port: 10050
- Listen IP's: Public IP of the router
- Zabbix Server: Public IP of Zabbix Server
- Zabbix Features Tab
- Enable Active Checks: uncheck
- Configure SNMP Daemon
- Services | Net-SNMP
- General Tab
- Enable SNMP Service: check
- SNMP Community: SNMP Community Name you created
- SNMP Location: Some string about where this is
- SNMP Contact: Some responsible party information
- Listen IPs: Public IP of the router
- Set up firewall access
- Create an alias for the ports you need (161 for SNMP, 10050 for Zabbix)
- Firewall | Aliases | Add (plus sign)
- Enabled: check
- Name: monitoring
- Type: Ports
- Content: 161, 10050 (note, press comma or enter after each)
- Description: Ports needed for monitoring Zabbix and SNMP
- Click Apply Button
- Create rule to allow access only from the Zabbix server
- Firewall | Rules | WAN | Add (Plus sign)
- Action: Pass
- Quick: Check
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP/UDP (Zabbix uses TCP, SNMP uses UDP)
- Source: Single Host or Network
- ip.of.zabbix.server/32
- Destination: WAN Address
- Destination Port Range:
- From: monitoring
- To: monitoring
- Category: Monitoring
- Description: Monitoring network traffic from Zabbix
- Save
- Apply Changes
===== Test from Zabbix Server =====
Log into your Zabbix server. This assumes you have snmpwalk and zabbix_get installed. If not, install them and test. It will save a lot of time. The first command returns several screens of data, the second command returns a single value (uptime, in seconds)
==== Test SNMP ====
snmpwalk -c SNMP_Community_Name -v 1 Public.IP.Of.Router
==== Test Zabbix Agent ====
zabbix_get -s Public.IP.Of.Router -p 10050 -k system.uptime
===== Set up Zabbix =====
Log into the webui of your Zabix server.
- Configuration | Hosts | Create host
- Hostname: name of router that you created under Zabbix Agent
- Templates:
- FreeBSD by Zabbix agent
- OPNsense by SNMP
- Groups (these, or whatever you want)
- Remote
- Network Devices
- Interfaces | Add | Agent
- DNS Name: Resolvable DNS name of monitored router
- Connect To: DNS
- Port: 10050
- Interfaces | Add | SNMP
- DNS Name: Resolvable DNS name of monitored router
- Connect To: DNS
- Port: 161
- SNMP Version: SNMPv1
- SNMP community: SNMP community you created
- Use bulk requests: checked
- Description: free form to describe this server
- Enabled: checked
- Click Add button
NOTE: I used DNS name for the SNMP and Agent addresses, but you can use IP address instead. Just choose IP instead of DNS in //Connect To//
The host will take about an hour to fully populate. It has to Discover all of the network interfaces, which only happens once an hour. But, you should see some data populated within 10-15 minutes. Wait for host to fully populate. In Monitoring | Hosts, you will see the number of graphs jump to 10-15, indicating it has found all of the network interfaces.
===== Create Dashboard (optional) =====
We created a Dashboard for the client named Remote, and we added all of the external traffic graphs to that, so I'll describe how that is done here.
- Monitoring | Dashboard | Remote
- Edit Dashboard
- Add
- Type: Classic
- Source: Graph
- Graph: Find graph for Interface Name on router (from Discovery)
- Show Legend: checked