Monitoring remote NATed devices without distributed collectors

Created on: Dec 17, 2010 8:58 AM by bluefox - Last Modified:  Dec 18, 2010 2:53 PM by bluefox

This solution is imperfect, but will allow monitoring of remote devices behind NAT without dealing with distributed monitoring.


What works

SNMP traps and polling with the correct IP.


What does not work

Ping is only approximated: what gets pinged is the router in front of the NATed device, not the device itself. Still looking for a solution to this problem.


Any downsides?

It may be too much management for fast changing, large networks. It may be more suited to smaller needs.


Prerequisite

- root access to Zenoss

- Port forwarding configuration access to the router in front of all NATed devices.


Steps


1) Make sure all NATed sites use different LAN address ranges. For example, if you have two remote sites, one of them should use 192.168.1.x addresses and the other 192.168.2.x. You will never be able to monitor two devices with the same IP in any sensible way.


2) On each site's firewall, forward a specific UDP port for SNMP, one per device that needs to be monitored by Zenoss (port 1161 UDP redirected to 192.168.2.10 port 161, port 1162 UDP redirected to 192.168.2.11 port 161, etc.).


3) On your Zenoss box, fool the Linux kernel into thinking each LAN device is actually some other public IP (55.55.55.55 in my example).


For example, as root:

iptables -t nat -A OUTPUT -p udp --dport 161 -d 192.168.2.10 -j DNAT --to-destination 55.55.55.55:1161

This rewrites the destination of any outgoing packet for 192.168.2.10 port 161 (SNMP) to 55.55.55.55 port 1161, where the site router forwards it on to the device's port 161.


Do this for each device behind a NAT.


4) For ping, there is only an imperfect solution: use the router at each site as the ping destination. You'll have to use "SNMP down" alerts as a replacement for "ping down", as ping will most likely always be up (unless the router fails).

iptables -t nat -A OUTPUT -p icmp -d 192.168.2.0/24 -j DNAT --to-destination 55.55.55.55


NOTE: ICMP has no port number, so there is nothing the site router could use to forward a ping to one specific internal device; hence pinging is not perfect. Anyone with a solution is welcome to add it.


You can now ping 192.168.2.x as if you were there, but keep in mind that you are actually pinging the router in front of 192.168.2.x.


5) To make sure these commands are run at boot time (because you do reboot your servers every now and then), put all the iptables commands in /etc/rc.d/rc.local.
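As an added example (not part of the original page), the following POSIX shell script generates the rules for one site from a device-to-port table and applies them without creating duplicates on every reboot, so it can be called from rc.local with the argument "apply". The site IP 55.55.55.55 and the 192.168.2.x addresses are the page's; the device table is constructed, and the apply step assumes an iptables that supports the -C (check) option.

```shell
#!/bin/sh
# Added example, not from the original page: generate the Zenoss-side DNAT
# rules for one remote NATed site from a table and apply them idempotently.

SITE_PUBLIC_IP="55.55.55.55"      # public IP of the site router (from the page)
SITE_LAN_NET="192.168.2.0/24"     # the site's LAN, used for the ICMP rule
# Constructed table: "<device LAN IP> <UDP port forwarded to it on the router>"
SITE_DEVICES="192.168.2.10 1161
192.168.2.11 1162"

# Print the SNMP rule for one device: $1 = device LAN IP, $2 = forwarded UDP port.
snmp_rule() {
  printf 'iptables -t nat -A OUTPUT -p udp --dport 161 -d %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$SITE_PUBLIC_IP" "$2"
}

# Print the ICMP rule: pings to any LAN address go to the site router instead.
icmp_rule() {
  printf 'iptables -t nat -A OUTPUT -p icmp -d %s -j DNAT --to-destination %s\n' \
    "$SITE_LAN_NET" "$SITE_PUBLIC_IP"
}

# Print every rule for the site, one per line. A table line with a non-numeric
# port would produce a broken iptables call, so it is skipped with a warning.
site_rules() {
  echo "$SITE_DEVICES" | while read -r lan port; do
    case "$port" in
      ''|*[!0-9]*) echo "skipping $lan: bad forwarded port '$port'" >&2; continue ;;
    esac
    snmp_rule "$lan" "$port"
  done
  icmp_rule
}

# Apply the rules (must run as root). Each rule is first checked with
# "iptables -C" (the same rule with -A replaced by -C) and only appended when
# absent, so re-running the script at boot does not stack duplicate rules.
apply_rules() {
  site_rules | while read -r cmd; do
    check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
    $check 2>/dev/null || $cmd
  done
}

# Only print the rules by default; "apply" installs them (e.g. from rc.local).
if [ "${1:-}" = "apply" ]; then apply_rules; else site_rules; fi
```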
