SNMP security is combined with WebAdmin Security

On implementation of SNMP with Zabbix we hit a strange problem on 2 of the 20 devices of a customer (all Balance models 30 to 580)

All devices are PEPVPN connected to the central HUB, so all is routable. We enabled SNMP on the devices with subnet filter and community string. On 18 devices it worked straight after config.

On 2 devices we were unable to snmpwalk on the devices and at first we did not find a reason for it.
After some searching and trying, we noticed a slight difference in config of the “SYSTEM >> Admin Security”

The 2 devices were configured with “LAN Connection Access Settings” set on “Allow this network only”
and a local site network chosen. After changing the setting to “Any” the SNMPwalk was possible.

This setting has direct effect on the SNMP settings. In some way you could say this is by design.
But we were connecting through a PEPVPN the IP address of the chosen Interface (local network)
So it is source IP filtered I think, and not by incoming interface.

The question is, is this behaviour by design or is this a bug, should these be independent settings?

1 Like

Can you share the device model, hardware revision and firmware version of the 2 affected devices?

1 Like

Number 1: Peplink Balance 30 LTE - 8.0.0 build 3623 (BPL-031-LTE-E) Hardware Revision 1
Number 2: Peplink Balance 580 - 8.0.0 build 2636 (BPL-580) Hardware Revision 3

This is a bug and we have filed this. For the time being, please set LAN Connection Access Settings to Any.

Thanks for reporting this!

1 Like

Hello,
This bug is interesting because it would be nice to have the option to select “Allowed Source IP Subnets” for PepVPN Peers and for SNMPv3 management hosts polling the Peplink.
Can we have that please?

Regards
Dana

1 Like

This is possible in firmware 8.0.1 (currently in beta) with a new feature, “Local Service Firewall Rule”.

1 Like

Hi! Any update on the progress of fixing this bug?

@magnush, this has been fixed in 8.1.0. You may download it here.

1 Like

After upgrading to 8.1.0 the entire Admin Security page is grayed out with the message of the configuration being managed by InControl. This means that I cannot change LAN Connection Access Settings from Any to Allow this network only.

Device Web Admin Management is enabled in InControl in the device group under Settings, Device System Management.
I have tried moving the device to another group where Device Web Admin Management is disabled, but the settings are still grayed out on the remote console of the device.

EDIT: After writing this post the device has been in the group without Device Web Admin Management enabled. I can now edit the Allowed LAN Networks. It is however still troublesome that I cannot change the Allowed LAN Networks setting on the device when Admin Settings is being managed by InControl.