Gateway group: fallback PPPoE gateway connects despite monitoring being disabled
- 
 I want a CARP slave not to connect via PPPoE unless it becomes master - and actually receives traffic. I am seeing now that despite having tried to not use the PPPoE connection at all on the slave, it still tries to connect. I will paste my state: First the error, as you can see in the PPP logs:
 Feb 24 07:48:31 ppp [wan_link0] Link: DOWN event
 Feb 24 07:48:31 ppp [wan_link0] LCP: Down event
 Feb 24 07:48:31 ppp [wan_link0] Link: reconnection attempt 148 in 4 seconds
 Feb 24 07:48:35 ppp [wan_link0] Link: reconnection attempt 148
 Feb 24 07:48:35 ppp [wan_link0] PPPoE: Connecting to ''
 WAN interface is configured to be "Dial on demand" with an "Idle timeout" of 15. In "Routing", there are 2 gateways:
 GW_LAN, connecting to the other pfSense that is the leading firewall via direct IP (not CARP IP)
 WAN_PPPOE, which has options "Gateway Monitoring" == "Disable Gateway Monitoring" and "Gateway Action" == "Disable Gateway Monitoring Action" (sounds a little redundant)
 Both have Weight 1.
 In "Gateway Groups", GW_LAN is Tier 1, WAN_PPPOE is "Tier 3". Trigger Level is "member down", I have tried different trigger levels here. Also, setting Tier to "never" does not change anything.
 <- My understanding is that the different tiers would prevent the PPPoE from becoming active as long as GW_LAN (Tier 1) is reachable, which seems not to be working.
 In "Firewall Rules", "LAN", for "IPv4", I have set the Gateway to my gateway group created and described above. Note: even setting the Gateway to "GW_LAN" here does not change the PPPoE reconnect attempts! How can I disable the PPPoE connection attempt unless it is really needed by incoming traffic and the default gateway (other pfSense) being down? I think my problem starts even earlier, somehow despite having chosen "dial on demand" and that there should be no traffic, the PPPoE connection is attempted to be established.
- 
 I have also created firewall rules on LAN + WAN to block everything, IP4+IP6 and any protocol from * to * - just the anti lockout rule is still in place. No matter what I do, the "Dial on Demand" dials in though I do not see any demand. 
- 
 1: try using States to catch outbound traffic 
 2: if you selected to use some DNS (in General) through the backup link - it will be triggering a call, because, you know, there is outbound traffic!
 3: or just make a tcpdump and analyze.
- 
 Thanks for the answer!
 - With states, I have to guess the target interface (WAN being the interesting one) via IP? Since I see only 1 interface, I guess the source one.
 - What is DNS through the backup link? In general, I need DNS and would not know how to set it up in a different way. Also, I cannot specify it per interface, only for the whole box?
 - Will research that.
 Shouldn't firewall rules (deny all) come before anything else, including traffic initiated by the pfSense itself, and hence prevent the dial in?
- 
- 
 While you are researching tcpdump, pfSense has an option for logging matching rules (this is configured on the rule itself). Try it.
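
The tcpdump suggestion from the replies, as an added example that is not part of any post in this thread: a small Python script that groups `tcpdump -n` text output captured on the dial-on-demand interface by what kind of traffic it is, so the packets that cause the dial-in stand out. The sample capture, the addresses and the port labels are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output on the dial-on-demand
# interface (documentation addresses, not values from the thread).
SAMPLE = """\
07:48:29.101001 IP 192.0.2.10.51234 > 198.51.100.53.53: 4821+ A? pool.ntp.org. (30)
07:48:29.101950 IP 192.0.2.10.123 > 203.0.113.7.123: NTPv4, Client, length 48
07:48:30.000112 IP 192.0.2.10 > 203.0.113.1: ICMP echo request, id 4711, seq 1, length 9
07:48:30.500113 IP 192.0.2.10 > 203.0.113.1: ICMP echo request, id 4711, seq 2, length 9
07:48:31.250000 IP 192.0.2.10.40022 > 198.51.100.80.443: Flags [S], seq 1, win 65535, length 0
"""

# Destination port -> likely originator on the firewall (labels are assumptions).
PORT_HINTS = {53: "DNS lookup", 123: "NTP sync", 443: "HTTPS (e.g. update check)"}
# "<time> IP <src> > <dst>: <rest>"; TCP/UDP endpoints end in ".<port>". IPv4 only.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def split_host_port(endpoint):
    """'198.51.100.53.53' -> ('198.51.100.53', 53); ICMP endpoints have no port."""
    host, _, last = endpoint.rpartition(".")
    if host.count(".") == 3 and last.isdigit():
        return host, int(last)
    return endpoint, None

def classify(line):
    """Return (kind, destination host) for one tcpdump line, or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst_host, dst_port = split_host_port(m.group(2))
    if dst_port is not None:
        return PORT_HINTS.get(dst_port, f"port {dst_port}"), dst_host
    if "ICMP echo request" in m.group(3):
        return "ICMP echo (monitoring probe?)", dst_host
    return "other IP", dst_host

def dial_triggers(capture):
    """Count packets per (kind, destination), most frequent first."""
    hits = (classify(line) for line in capture.splitlines())
    return Counter(h for h in hits if h).most_common()

if __name__ == "__main__":
    for (kind, dst), n in dial_triggers(SAMPLE):
        print(f"{n:3d}  {kind:32s} -> {dst}")
```

Any row that appears while the link is supposed to be idle is traffic the firewall itself routes to the PPPoE interface, which is what makes "dial on demand" dial.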