Bug #6649

closed

pf v2.3.1 - gateway grouping failed to detect a member with no route to the internet - DNS problems also

Added by Daren Lee about 9 years ago. Updated about 9 years ago.

Status: Not a Bug
Priority: Normal
Assignee:
Category: Gateways
Target version: -
Start date: 07/27/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: amd64

Description

There are two internet router members added to a Gateway Group. One router (4G wireless modem) became unregistered from the 4G network and was not able to pass traffic to the internet, but pfSense continued to show this network as "online", continued to send DNS resolution requests to this member and continued to route traffic to this member with no success. Users were randomly not able to access the internet until the group was deleted and the problematic WAN was disabled.

The trigger criterion was "high latency or packet loss", but I believe "member down" would have failed also.

Additionally, I had to uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN" and manually assign DNS servers on the working router, because pfSense also continued to send DNS requests to the affected router even AFTER I deleted it.

I don't know what exact parameters are used to detect if a router is offline, but the router WAS online but not able to route to the internet. Maybe it would be beneficial to have an advanced area where I can specify a few hosts, an interval and a consecutive failure threshold for the purpose of detecting an actual offline state. Using a traceroute to detect the next upstream hop to use as a detector would be cool also.

Actions #1

Updated by Phillip Davis about 9 years ago

In this situation you need to specify an alternate monitor IP for the router/gateway. If you let it use the default, then it will just ping the local router (1 hop away), which of course is up!

There is currently no feature for pfSense to automatically find a router "n" hops upstream and use that as the monitor IP. Implementing such a thing would require some thought, e.g. what to do when the ISP upstream routing changes (either the ISP has internal problems and their routing redundancy fails over, or the ISP redesigns their internal network or...) - when pfSense lost response from an existing selected upstream router it would have to then retry the process of finding another upstream router "n" hops away before declaring the WAN link is down.

Normally you just choose an IP address on the public internet that should always respond to ping - e.g. Google's 8.8.8.8 or 8.8.4.4 or...

Actions #2

Updated by Jim Pingle about 9 years ago

  • Status changed from New to Not a Bug
  • Priority changed from Very High to Normal
  • Affected Version deleted (2.3.1)

Your gateway monitoring for that WAN must not have been correct. For example, pfSense may have been pinging the modem itself and not something upstream. You need to configure a proper monitor IP address for the WAN that will show as 'down' when the line is down.
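The point made in both replies, and the threshold-based check the reporter asks for, as an added illustration that is not pfSense's own gateway monitoring code: a member is probed at its configured monitor IP and marked down only after a number of consecutive lost probes. The addresses and the probe results are constructed (no real ICMP is sent), so it runs offline; monitoring the modem's own LAN address never trips, monitoring an upstream host does.

```python
# Added example, not pfSense's code. Models a two-member gateway group where
# the 4G modem has lost registration but still answers on its LAN address.
from dataclasses import dataclass
from typing import List, Optional

MODEM_LAN_IP = "192.0.2.1"      # constructed: the 4G modem, one hop away
CABLE_ROUTER_IP = "198.51.100.1"  # constructed: the other member's next hop
UPSTREAM_IP = "8.8.8.8"         # public monitor target named in the thread


@dataclass
class Member:
    name: str
    next_hop: str            # the router/modem address directly attached
    monitor_ip: str          # address probed to decide "online"
    fail_threshold: int = 3  # consecutive lost probes before marking down
    failures: int = 0
    online: bool = True


def probe(member: Member, internet_path_up: bool) -> bool:
    """Apply one probe result and return the member's resulting state.

    The next hop always answers (it is on the local link); anything beyond
    it only answers while the member's path to the internet works.
    """
    answered = member.monitor_ip == member.next_hop or internet_path_up
    if answered:
        member.failures = 0
        member.online = True
    else:
        member.failures += 1
        if member.failures >= member.fail_threshold:
            member.online = False
    return member.online


def choose_gateway(group: List[Member]) -> Optional[str]:
    """Return the first online member in priority order, or None."""
    return next((m.name for m in group if m.online), None)


def simulate(lte_monitor_ip: str, probes: int = 5) -> Optional[str]:
    """Probe both members while the 4G path is dead; report the choice."""
    lte = Member("WAN_4G", MODEM_LAN_IP, lte_monitor_ip)
    cable = Member("WAN_CABLE", CABLE_ROUTER_IP, UPSTREAM_IP)
    for _ in range(probes):
        probe(lte, internet_path_up=False)   # modem unregistered from 4G
        probe(cable, internet_path_up=True)  # cable path still works
    return choose_gateway([lte, cable])
```

With the default monitor IP (the modem itself) the dead member stays "online" and keeps receiving traffic; with an upstream monitor IP the group fails over to the cable member after the third lost probe.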
