Need better outage detection than just ping

grandrivers

@michmoor ping is not a dependable method alone to drive failover mechanism as it can succeed and you still don't have a functioning connection . I was trying to find feature request from years ago to tag it and bump it

michmoor

@grandrivers feature request for what? What do you feel is a better method to check connectivity

grandrivers

@michmoor had an xincom502 that had multiple methods multiple ways to tell if connection was down they had , traffic flow, http, and multiple pings , pings were problematic for me a couple years after i switched from it to pfsense cause isp blocked ALL ICMP traffic "For our safety" and was that way for years so I had to manually bring that gateway down when it quit working

grandrivers

@grandrivers

other firewalls have more options
https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover-

Gertjan

@grandrivers said in Need better outage detection than just ping:

https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover-

Ping Test: NG Firewall will ping the specified IP address.
    ARP Test: NG Firewall will ARP for its gateway.
    DNS Test: NG Firewall will make a request to the upstream DNS server.
    HTTP Test: NG Firewall will make a connection to the specified domain name.

Yeah, why not !
What about a small shell script that does just that ?
Host a small file somewhere, or just get the www.google.com page.
Do a dig / drill for "www.google.com" to get the IP, dig will bypass your local DNS, forcing a complete DNS lookup.
Then 'curl' the page.
Compare it with what you've already stored.
If there is a fail, you know the DNS or complete TCP path to Google is gone wrong, which might indicate a problem on yur side, or your ISP.
Or even the POP to Google of your ISP.
( or a huge problem for Google itself )

But serious : a ICMP goes down the pipe and comes back, but TCP and/or UDP fails ?
I imagine that can happen. I never saw that myself, though.

michmoor

@gertjan said in Need better outage detection than just ping:

But serious : a ICMP goes down the pipe and comes back, but TCP and/or UDP fails ?
I imagine that can happen. I never saw that myself, though.

Thats what has me so confused about this topic. The OP complains that pings fail to an ISP but web pages load up. So there isnt a problem then?
Then there was mention of BGP being a problem? Then DNS? Really confused.

So the conclusion im reaching then is that ICMP isnt on its own a good indicator that there is an upstream issue. Fair enough but then you want to test to see if you can reach a site. i.e. google.com. If the site doesn't load you want to trigger a failover? That's non-sensical.

Im all up for multiple checks. But again, uptime-kuma for example can do http/https checks or dns checks but thats independent of the firewall. Its just not clear whats being asked and what the implementation purpose is going to be/used for.

grandrivers

@michmoor first posts pings worked fine !! but isp was down couldn't surf the web

last line was bad attempt at humor I keep forgetting that's not allowed here lol

slimypizza

My solution was to set up a cron job on my hobby domain maintained at a web hosting company. The script pings my home IP address every 5 mins. I only allow pings from that specific web host company by the way. If the ping fails then it sends a text and an email to myself saying the internet is down. The cron job keeps pinging every 5 mins and when the ping is successful again I get another message saying the internet at home has been restored.

grandrivers

@slimypizza this is on dual wan setup for failover would like to keep it automated.

and if pings worked i would have never got the alert in yor setup

stephenw10

Open a feature request: https://redmine.pfsense.org/