Netgate Discussion Forum

    No email alert/notification on gateway down

    General pfSense Questions
      GPz1100 @johnpoz

      @johnpoz It is actually down, packet loss at 100%.

      Here's a snippet from the email of when WAN is down.

      15:49:23 MONITOR: WAN_DHCP has packet loss, omitting from routing group DNS_gateway_group
      wan.default.gateway .ip|wan.public.ip|WAN_DHCP|0.731ms|0.076ms|33%|down|highloss
      

      I do notice something odd when pinging 10.7.1.2 from the pf console.

      ping 10.7.1.2
      PING 10.7.1.2 (10.7.1.2): 56 data bytes
      ping: sendto: No route to host
      92 bytes from 127.0.0.1: Destination Host Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 434e   0 0000  40  01 214b 10.7.1.1 10.7.1.2
      

      Wireguard interface ip on pf is 10.7.1.1. Remote peer is 10.7.1.2. Makes sense to ping that. How else to know if remote end is down?

      The above ping replies suggest some kind of circular pathway, so perhaps that's not causing the right exit code to trigger an email notification? Remote end only has outbound access so I can't ping its public ip addr.

        stephenw10 Netgate Administrator

        It implies that there is local subnet the interface is in and that the system doesn't have a default route that would otherwise be used. Is that the case?

          GPz1100 @stephenw10

          @stephenw10 You may be on to something. Is there a different way of setting up wireguard so that the gateway is NOT the interface ip addr?

          Or should the gateway be a peer?

            stephenw10 Netgate Administrator

            I mean I expect it to be using the gateway IP unless you set it to something else. Using the local interface IP makes no sense to monitor.

              GPz1100 @stephenw10

              @stephenw10 I think my strategy is wrong.

              There are 2 peers - pf and remote target. I want pfsense to notify me if it can't ping remote peer.

                stephenw10 Netgate Administrator

                Yes. By default the gateway monitoring pings the gateway which here is the remote peer. For some reason your screenshot shows the monitoring set to the local peer IP not the gateway. Normally that would only be because it's been configured as that by the user.

                  GPz1100 @stephenw10

                  @stephenw10 That begs the question then do I even need a gateway ip defined in this use case?

                  It seems even without the gateway defined for the wg interface, I'm still able to access the remote peer from local lan and other vlans (that have proper firewall permissions). In addition, I can access pfsense lan side resources from the remote peer with proper firewall rules.

                    stephenw10 Netgate Administrator

                    You only need a gateway if you want to route traffic via it. If this is a remote-access type setup where the connecting peers are all client devices then no you don't need a gateway defined in pfSense.

                      GPz1100 @stephenw10

                      @stephenw10 Consider traffic from lan (say 192.168.1.0/24), to get to 10.7.1.0/24, that has to go through some gateway no? Same for traffic originating at 10.7.1.0/24. Or pfsense sets these routes up internally?

                        stephenw10 Netgate Administrator

                        If it's a locally connected subnet then it will just be forwarded directly.

                          GPz1100 @stephenw10

                          @stephenw10 Thank you for the clarification.

                          Question still stands then, is it possible to monitor that remote peer without using a custom script?

                            stephenw10 Netgate Administrator

                            Yes, you can set it as a gateway. You don't have to route anything to it if there's no subnet behind that peer to route to.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.