Feature #7671
open
Gateway Monitoring Via Custom Script or Telnet.
Added by Bridgetowermedia IT over 7 years ago.
Updated 9 months ago.
Category: Gateway Monitoring
Description
It would be very helpful to have the ability to monitor gateways via a custom script or telnet. ISPs are beginning to implement soft disconnects more and more aggressively (we had one implemented the day after the bill was due, on a holiday). We have seen AT&T Uverse, Optimum/Cablevision and Verizon Fios implement these soft disconnects. The disconnect is often a redirect or pop-up that prevents browsing; it's implemented via DNS poisoning or HTTP redirects, but other traffic is left untouched. ICMP still works as expected and so a gateway failover does not occur, even though the gateway is unusable for browsing traffic. I'd like to be able to monitor the status of a gateway by actually attempting to browse with it. This could be done via netcat/telnet, wget, curl or a custom script; we expect to see the word "google" when connecting to google.com on port 80.
Many ISPs in India also do a similar thing, and Etisalat in the UAE does a similar thing: if the bill isn't paid by the 15th of the month then all of a sudden you open any web page and you keep getting their annoying ad asking to pay the bill, and it also says to restart the router to be able to surf. The problem is they still show this page even if the bill is paid. ICMP works but browsing goes down till the connection is disconnected and then reconnected.
Well, it seems that the man behind the curtain of support says that this isn't possible... I refuse to accept that this can't be done in a simple, reliable and supportable fashion. Like it or not, Netgate, I am going to build this feature in on my boxes. I think you greatly underestimate how many of your users will utilize this; many of us running pfSense are also running Tier 3 circuits (that utilize soft discos) to save money. Even outside of that, ICMP is outdated and not at all a good indicator of whether an end user can "access the internet".
I'm going to try building a script that will work with the existing infrastructure. Seems that the best way to go about it (without much effort or risk) is to use pfctl in a script to block ICMP responses from the configured monitoring host when the script detects a "_SoftDown_". SoftDown will be determined by Wget with "--bind-address" on specified gateway to check for a string in the returned html of a specified website. I'll run the script with cron every 5 minutes. Maybe I'll get fancy and try to email the email address configured in the GUI (maybe sending mail to root is enough) when SoftDown occurs.
Interesting.
There is a "Mark Gateway as Down" option in the GUI. If you could figure out how to script that flag, that might be a better way to go.
Alright, the script is done. It's pretty basic; see attached. Took Brendon's advice and used the "Mark Gateway as Down" option. Supports 2 gateways.
Not sure how to submit this to the devs to add to the release but maybe they will find it here.
Well, that script didn't really seem to work... New script attached. Sends emails via SMTP to the address configured on the notifications page. Drop the script in /etc/phpshellsessions/softdiscomon and use a cron job to execute it with the command "/usr/local/pfSsh.php playback softdiscomon". I've currently got this running beautifully on 3 site firewalls with plans to expand to another 20.
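The check this thread describes (fetch a known page with the source address bound to the gateway, look for an expected string, and treat a redirect or an ISP "pay your bill" page as SoftDown), written out as an added example; this is not the attached softdiscomon script. It assumes curl is installed on the firewall, the gateway's interface address and the probe URL are passed in, and the probe target is routed out through that gateway (for example by a host route, as pfSense sets up for monitor IPs); acting on the result (marking the gateway down, sending mail) is left to the playback script the thread describes.

```shell
#!/bin/sh
# Hypothetical soft-disconnect probe for one pfSense gateway (added example).
# ICMP to the monitor IP keeps working during an ISP soft disconnect, so the
# probe fetches a real page and checks that the ISP did not answer instead.

# classify_response HTTP_CODE MARKER   (HTML body on stdin)
# Prints "up" when the response is 2xx and the body contains MARKER,
# otherwise "softdown": a 3xx redirect, a connection failure (curl reports
# code 000) or a body without the marker all mean the ISP walled garden
# or nothing at all answered, not the page we asked for.
classify_response() {
    code="$1"; marker="$2"
    case "$code" in
        2??)
            if grep -qi -- "$marker"; then
                echo up
                return 0
            fi ;;
    esac
    echo softdown
    return 1
}

# probe_gateway SRC_IP URL MARKER
# Live probe: --interface binds the request to the gateway's address so it
# egresses that WAN (assumes the URL's host is routed via that gateway).
probe_gateway() {
    src="$1"; url="$2"; marker="$3"
    body=$(mktemp) || return 2
    code=$(curl -s -o "$body" -w '%{http_code}' --interface "$src" \
           --connect-timeout 5 --max-time 10 "$url" 2>/dev/null)
    classify_response "$code" "$marker" < "$body"
    rc=$?
    rm -f "$body"
    return "$rc"
}

# Constructed sample responses for a dry run (not captured from a real ISP).
GOOD_PAGE='<html><head><title>Google</title></head><body>Search</body></html>'
WALLED_PAGE='<html><body>Your service is suspended. Pay your bill and restart your router.</body></html>'

# Cron entry point, e.g. every 5 minutes:
#   softdiscomon.sh 198.51.100.2 http://www.google.com/ google
if [ $# -eq 3 ]; then
    probe_gateway "$1" "$2" "$3"
fi
```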
I do not know what I have to do here to help. I can help work on this (I can develop), but I have no idea how the coding/plugin system of pfsense works. Where would I start, and what would I mod? Is someone actually working on this?
I have been pushing this for a few years now.
- Target version deleted (2.5.0)
Since the target version has been deleted, is there any way to prove to the pfSense devs that this feature is important or worthwhile?
I have a ton of these firewalls in the wild, and your competitors do Speedtesting, HTTP checks, DNS checks, etc.
ISPs are so horrible nowadays, and even QoS ping. So dropping pings just for the heck of it. Dropping anycast addresses.
What can we do to help?
Another downright evil thing that Verizon FIOS does here in the US is: for suspended lines (if customer forgets to pay etc) they will allow ICMP traffic through but nothing else. So pfSense happily chugs along thinking all is fine since pings are successful. So yeah an HTTP check would be one way to mitigate this.