Setup SNMP v3 on Mikrotik Router

Setting up SNMP via WinBox is straight forward, the following commands are how to set it up from the command line with some troubleshooting info at the end.

Setup SNMPv3

Setup Community (Change v3Private,encpass, and authpass to their respective names or passwords)

snmp community add name=v3Private encryption-protocol=DES encryption-password=encpass authentication-password=authpass security=private

Enable and set SNMP community (Trap Community needs to match the above command.  Change contact and the location as needed.)

snmp set contact=admin@incredigeek.com location=DeviceLocation trap-community=V3Private

Troubleshooting

Sometimes, for no apparent reason it seems, routerOS will have issues using the default community.  Work around is to create and use a new community.

Cannot connect with AES encryption

AES doesn’t always seem to work reliably.  Seems to work on some and not other.  Work around is to use DES.

Log shows Permission Denied

Double check the allowed from addresses, user, and passwords

Setup SNMP v3 on Debian or Ubuntu

All the following commands should work on Ubuntu, or just about any other Debian based Linux distro.  If you have a firewall on the server, you’ll need to allow UDP on port 161.

Install SNMP

Install snmp, snmpd, and libsnmp.

sudo apt-get -y install snmp snmpd libsnmp-dev

Stop the snmpd service so we can add a user

sudo service snmpd stop

Add SNMP v3 user

  • Change AuthPassword to your Authentication password
  • Change CryptoPassword to your Crypto Password
  • Change privUser to your private users username
sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X CryptoPassword -a MD5 -x AES privUser

Change System Location, System Contact, and allow SNMP on all interfaces

Open up the SNMP config file usually in /etc/snmp/snmpd.conf

vi /etc/snmp/snmpd.conf

Search for “sysLocation”  and change to whatever your system location is.

Search for “sysContact” and change it.  It should be right underneath sysLocation.

Now allow SNMP on all interfaces.  Find the following line and comment it out.

agentAddress udp:127.0.0.1:161

Add a # to the beginning.

#agentAddress udp:127.0.0.1:161

Now find this line (should be a couple lines down from the line you just commented out)

#agentAddress udp:161,udp6:[::1]:161

and uncomment it

agentAddress udp:161,udp6:[::1]:161

That will enable it so you can read the SNMP info using the servers IP address, as opposed to being limited to localhost.

Start the SNMP service and Test

Start the SNMP service

service snmpd start

Test with

snmpwalk -v3 -a MD5 -A AuthPassword -X CryptoPassword -l authNoPriv -u privUser localhost

 

Setting up SNMP V3 on CentOS

Install SNMP.

yum install net-snmp net-snmp-utils

Configure the SNMP V3 user by running the following command and then following the prompts it gives you.

net-snmp-create-v3-user

Example: The username is “snmpadmin” and the password is”r123456″

[root@localhost ~]# net-snmp-create-v3-user
Enter a SNMPv3 user name to create:
snmpadmin
Enter authentication pass-phrase:
r123456
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpadmin MD5 "r123456" DES
adding the following line to /etc/snmp/snmpd.conf:
   rwuser snmpadmin
[root@localhost ~]#

Change the syslocation and syscontact in the /etc/snmp/snmpd.conf file.

vi /etc/snmp/snmpd.conf

Start snmpd service

service snmpd start

Configure snmp to start on system boot.

chkconfig snmpd on

Test and make sure snmp is working

replace “password” and “username” with the ones you setup when you created the SNMP V3 user.

snmpwalk -v3 -a MD5 -A password -x DES -X password -l authPriv -u privuser localhost

If you receive something like “snmpwalk: Timeout” then something is not working correctly.  Check to make sure the service is started, and make sure that your firewall is not blocking SNMP.

If you are running a firewall, run the following commands to allow it through.

firewall-cmd --zone=public --add-port=161/udp --permanent
semanage port -a -t snmp_port_t -p udp 161
firewall-cmd --reload

On iptables you should be able to do

 iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 161 -j ACCEPT

or add it to /etc/sysconfig/iptables and then restart iptables