Last Updated on November 2, 2023 by Thiago Crepaldi
In previous posts, we deployed Zabbix Server on a Proxmox container. We also hardened the installation with Let’s Encrypt certificates for the web frontend and TLS encryption with PSK or SSL certificates for the communication between Server and Agents/Proxies 🙂
In this post I will cover how to monitor a pfSense server using a Zabbix Agent template. Templates are great because they already pack a bunch of monitoring items, actions, triggers, etc. that we would otherwise have to add one by one. Using a template is smart because when we need to make changes, we just make them in the template and all hosts that use it will see the new settings. On a manual setup, you would have to make the change in each host, one by one…
This post assumes you already installed and configured your Zabbix Agent, but if you didn’t, refer to How to install and configure Zabbix agent and resume from here when you are done.
Configuring pfSense
On your pfSense, after logging in, you need to enable the SNMP service. Go to Services >> SNMP and do as follows:
- SNMP Daemon
  - Enable: checked
- SNMP Daemon Settings
  - Polling port: 161
  - System Location: leave empty or add a friendly location name
  - System contact: leave empty or add the sysadmin phone/email
  - Read community string: public
- SNMP Traps Enable
  - Enable: leave unchecked
- SNMP Modules
  - Select all of them, including:
    - MibII
    - Netgraph
    - PF
    - Host resources
    - UCD
    - Regex
- Interface Binding
  - Internet Protocol: IPv4
  - Bind interfaces: All (or whichever interface can reach the Zabbix Server, such as LAN)
Click on Save to apply the configuration.
If the Zabbix server cannot directly reach pfSense, you need to create a firewall rule to allow it, as described in the pfSense documentation.
Lastly, we need to install the Zabbix agent on pfSense. Go to System >> Package Manager and click on the Available Packages tab. Scroll to the bottom and click on Install for zabbix-agent62.
There is a bug in zabbix-agent62 where, after installation, there may be no Zabbix Agent 6.2 entry in the Services top menu. If that happens to you, uninstall zabbix-agent62 and install zabbix-agent6 instead.
Next, navigate to Services >> Zabbix Agent 6 page and configure it as follows:
- Zabbix Agent Settings
  - Enable: checked
  - Server: Zabbix IP or FQDN
  - Server Active: Zabbix IP or FQDN
  - Hostname: Must match the actual pfSense’s hostname output
  - Listen IP: 0.0.0.0 (or leave the default value)
  - Listen port: 10050 (or leave the default value)
  - Refresh Active Checks: 120 (or leave the default value)
  - Timeout: 3 (or leave the default value)
  - Buffer send: 5 (or leave the default value)
  - Buffer size: 100 (or leave the default value)
  - Start agents: 3 (or leave the default value)
- TLS-RELATED Parameters
  - TLS Connect: psk
  - TLS Accept: psk
  - TLS CA: none
  - TLS CA system: leave unchecked
  - TLS Identity: pfSensePSK (or whatever name you prefer up to 127 chars)
  - TLS PSK: f2ed8d2c19ab0f8af75f0285277f04f437aa6e34aafe50a9d5dc05e36364892e (or whatever PSK you have created)
Click on Save to complete the agent configuration.
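An added example, not part of the original post: shell helpers for creating your own PSK instead of reusing the value printed above, and for checking an identity/PSK pair before pasting it into both pfSense and the Zabbix host entry. The 32 to 512 hex-digit range is Zabbix's PSK size limit, the 127-character identity limit is the one stated in this post, and the file path given to write_psk_file is the caller's choice.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for the PSK pair
# that must be identical on pfSense and on the Zabbix host entry.

# Generate a 256-bit PSK: 32 bytes from the kernel CSPRNG as 64 hex digits.
gen_psk() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Zabbix PSKs are hex strings of 32 to 512 digits (128 to 2048 bits).
valid_psk() {
    psk=$1
    len=${#psk}
    [ "$len" -ge 32 ] && [ "$len" -le 512 ] || return 1
    [ $((len % 2)) -eq 0 ] || return 1      # whole bytes only
    case $psk in
        *[!0-9a-fA-F]*) return 1 ;;         # reject non-hex (spaces, newlines)
    esac
    return 0
}

# Identity limit as stated in the post: non-empty, up to 127 characters.
valid_identity() {
    [ -n "$1" ] && [ "${#1}" -le 127 ]
}

# Store the PSK for server-side tools, readable by the owner only.
# The destination path is supplied by the caller (hypothetical here).
write_psk_file() {
    valid_psk "$1" || return 1
    ( umask 077 && printf '%s\n' "$1" > "$2" )
}

# Stand-alone use: print a fresh identity/PSK pair to paste into both UIs.
NEW_PSK=$(gen_psk)
if valid_psk "$NEW_PSK" && valid_identity "pfSensePSK"; then
    printf 'TLS Identity: %s\nTLS PSK:      %s\n' "pfSensePSK" "$NEW_PSK"
fi
```

A pasted value that fails valid_psk, typically because of a trailing space or a truncated copy, makes the two sides hold different keys even though both fields look filled in.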
Configuring Zabbix Server through Web UI
Go to Configuration >> Hosts and click on the Create Host button. When the configuration dialog opens, the Host tab should be the default one. Fill in the following fields and leave the rest as-is:
- Host
  - Host name: Type your hostname as returned by the hostname command
  - Templates: Add pfSense by SNMP.
    - Optionally, you can also add FreeBSD by Zabbix Agent
  - Host Groups: Linux Servers
  - Interfaces:
    - Add a new interface
      - Type: SNMP
      - IP Address: Type the server IP or leave empty
      - DNS Name: Type the server FQDN or leave it empty
      - Connect to: Select IP or DNS
      - Port: 161
      - Description: Do your thing here
      - Monitored by Proxy: (no proxy)
    - If you have added the FreeBSD template, add a new interface:
      - Type: Agent
      - IP Address: Type the server IP or leave empty
      - DNS Name: Type the server FQDN or leave it empty
      - Connect to: Select IP or DNS
      - Port: 10050
      - Description: Do your thing here
      - Monitored by Proxy: (no proxy)
- Encryption
  - You can follow a previous post on how to use PSK or Let’s Encrypt Certificates, but in this post I will assume PSK
  - Connection to host: PSK
  - Connection from host: PSK
  - PSK Identity: pfSensePSK
  - PSK: f2ed8d2c19ab0f8af75f0285277f04f437aa6e34aafe50a9d5dc05e36364892e
Finish the host creation by clicking Update.
Go to Monitoring >> Latest data. In the filter section, type the name of your pfSense server in the Hosts box, PFSense in the Name box and finally hit Apply. A list of items should be displayed for it, such as PFSense: DHCP Server status, etc
That is it, have fun!
How do you do an active agent? Firewall is behind CGNAT
I am monitoring my pfSense from within my network, not through the WAN port, so there is no CGNAT. For remote monitoring, I connect to the VPN.
Thank you for this guide. I’m deploying a similar setup with pfSense 2.7, but I’m having difficulty getting the Zabbix agent to communicate with the server.
Both the server and the pfSense listen interface are on the same subnet. I have added two rules on pfSense for TCP/10050 and UDP/161.
Your example uses port 10050 for both SNMP and Agent interfaces. Is that correct? Shouldn’t the SNMP interface use port 161?
Thanks for catching the typo. The SNMP interface should use port 161 while the Agent interface should use 10050
I would like to monitor the number of DNS queries that are sent to the pfSense, where the pfSense here is the local recursive DNS for the clients. Can I do it? And how?
Thanks in advance