NetXMS agent behind NAT switch

Started by eugene1, October 12, 2023, 10:24:41 AM


eugene1

The NetXMS agent is installed on the computer, and the computer is located behind the NAT router on the LAN interface side in the 192.168.0.0/24 subnet. The NetXMS server is installed externally, on the WAN interface of the router in the 10.10.10.0/24 subnet.
 
Questions that were not answered in the documentation:
- Which ports to forward on the router from WAN to LAN? One port - one device? For example WAN:4701 -> 192.168.0.2:4700, WAN:4702 -> 192.168.0.2:4700
- Is it possible to use a router with port forwarding as a proxy agent?
- The computer with the agent has been moved to a separate zone on the NetXMS server; for this zone the WAN interface node of the router is specified as a proxy. What other settings need to be made?

Manual:  Advanced topics — NetXMS Administrator Guide (4.4.1)


Filipp Sudanov

Yes, for communication from the server to the agent you need just one port - 4700 on the agent side. So yes, if you have several agent nodes behind a firewall, you can forward e.g. 4700, 4701, etc. to these agents. Check the "Communication through external gateway" checkbox in node properties - this is for the server to allow several nodes with the same IP and to build topology information correctly.

However, this approach is not very convenient, as you need to specify the port number for each node. Alternatives are:
- If you have a machine behind the NAT that is running all the time (or several machines with at least one of them running), you can configure the netxms agent there as a proxy. In this case communication to other systems will happen through that proxy, you don't need to open any more ports, and network discovery will work.
- The netxms agent can establish a tunnel connection to the server - in this case you don't need any port forwarding.


A proxy agent is specifically a netxms agent (with a few params in its config - EnableProxy=yes, EnableSNMPProxy=yes...). For your router to act as a proxy you need to have a way to install the netxms agent there. It's possible to build the netxms agent for openwrt, or it can work on mikrotik routers that support docker.


If you specify some address as proxy for a zone, that agent should be configured to work as a proxy. For your approach with port forwarding there's no need to create a zone or specify a proxy (but anyway you can create a zone to group the nodes or to add a proxy in the future).
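
The two alternatives from the answer above, sketched as agent configuration fragments. This is an added example, not part of the original thread and not configuration posted by either participant. `EnableProxy` and `EnableSNMPProxy` come from the answer; `MasterServers` and `ServerConnection` are agent configuration parameters not mentioned in the thread, and `NETXMS_SERVER_ADDRESS` is a placeholder for the server's address in 10.10.10.0/24, which the thread does not give.

```ini
# --- Option A: nxagentd.conf on the always-on machine behind the NAT (proxy agent) ---
# Only this one agent's port 4700 has to be forwarded from the WAN side.
# Other nodes in 192.168.0.0/24 are reached through it.

# Placeholder: the address the server's connections arrive from.
MasterServers = NETXMS_SERVER_ADDRESS
# Let this agent relay agent traffic to other nodes.
EnableProxy = yes
# Let this agent relay SNMP requests to other nodes.
EnableSNMPProxy = yes

# --- Option B: nxagentd.conf on an agent that opens a tunnel to the server ---
# The agent initiates the connection outward, so no WAN-to-LAN
# port forwarding is configured on the router for this node.

# Placeholder: same server as in option A.
ServerConnection = NETXMS_SERVER_ADDRESS
```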

eugene1

Quote from: Filipp Sudanov on October 12, 2023, 02:33:39 PM
Yes, for communication from the server to the agent you need just one port - 4700 on the agent side. So yes, if you have several agent nodes behind a firewall, you can forward e.g. 4700, 4701, etc. to these agents. Check the "Communication through external gateway" checkbox in node properties - this is for the server to allow several nodes with the same IP and to build topology information correctly.

This option is suitable. The node behind the NAT must then be created manually, but in which section? What is the procedure?

eugene1

I figured out how to do it myself, thanks :). The question is closed.