Need better outage detection than just ping
-
@michmoor ping was outside of their network and still worked just couldn't surf the web or use the internet , will uptime kuma or zabix mark wan down and fail traffic over ?
-
@grandrivers you didn’t really describe the issue you experienced. You mentioned DNS then BGP. Then you ping something outside of your ISPs network but then state pfsense needs better monitoring. I honestly don’t know what the issue is here.
-
@michmoor ping is not a dependable method alone to drive failover mechanism as it can succeed and you still don't have a functioning connection . I was trying to find feature request from years ago to tag it and bump it
-
@grandrivers feature request for what? What do you feel is a better method to check connectivity
-
@michmoor had an xincom502 that had multiple methods multiple ways to tell if connection was down they had , traffic flow, http, and multiple pings , pings were problematic for me a couple years after i switched from it to pfsense cause isp blocked ALL ICMP traffic "For our safety" and was that way for years so I had to manually bring that gateway down when it quit working
-
J jimp moved this topic from CE 2.7.0 Development Snapshots (Retired) on
-
other firewalls have more options
https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover- -
@grandrivers said in Need better outage detection than just ping:
https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover-
Ping Test: NG Firewall will ping the specified IP address. ARP Test: NG Firewall will ARP for its gateway. DNS Test: NG Firewall will make a request to the upstream DNS server. HTTP Test: NG Firewall will make a connection to the specified domain name.Yeah, why not !
What about a small shell script that does just that ?
Host a small file somewhere, or just get the www.google.com page.
Do a dig / drill for "www.google.com" to get the IP, dig will bypass your local DNS, forcing a complete DNS lookup.
Then 'curl' the page.
Compare it with what you've already stored.
If there is a fail, you know the DNS or complete TCP path to Google is gone wrong, which might indicate a problem on yur side, or your ISP.
Or even the POP to Google of your ISP.
( or a huge problem for Google itself )But serious : a ICMP goes down the pipe and comes back, but TCP and/or UDP fails ?
I imagine that can happen. I never saw that myself, though. -
@gertjan said in Need better outage detection than just ping:
But serious : a ICMP goes down the pipe and comes back, but TCP and/or UDP fails ?
I imagine that can happen. I never saw that myself, though.Thats what has me so confused about this topic. The OP complains that pings fail to an ISP but web pages load up. So there isnt a problem then?
Then there was mention of BGP being a problem? Then DNS? Really confused.So the conclusion im reaching then is that ICMP isnt on its own a good indicator that there is an upstream issue. Fair enough but then you want to test to see if you can reach a site. i.e. google.com. If the site doesn't load you want to trigger a failover? That's non-sensical.
Im all up for multiple checks. But again, uptime-kuma for example can do http/https checks or dns checks but thats independent of the firewall. Its just not clear whats being asked and what the implementation purpose is going to be/used for.
-
@michmoor first posts pings worked fine !! but isp was down couldn't surf the web
last line was bad attempt at humor I keep forgetting that's not allowed here lol
-
My solution was to set up a cron job on my hobby domain maintained at a web hosting company. The script pings my home IP address every 5 mins. I only allow pings from that specific web host company by the way. If the ping fails then it sends a text and an email to myself saying the internet is down. The cron job keeps pinging every 5 mins and when the ping is successful again I get another message saying the internet at home has been restored.
-
@slimypizza this is on dual wan setup for failover would like to keep it automated.
and if pings worked i would have never got the alert in yor setup
-
Open a feature request: https://redmine.pfsense.org/
