Monitor is FALSE detecting one of my WANs as DOWN and another WAN as UP

Derelict

Probably NOT a bug. Try pinging the monitor IP address from the firewall itself. Diagnostics > Ping or ping from the ssh/console shell.

dims

If by "firewall" you mean pfSense box, that I can ping from it. See above.

rudger_wolvram

Wait, what version of pfsense are you on?
apinger was removed from pfsense somewhere around 2.3.x and replaced with dpinger. I'm on 2.4.2 and can't find apinger or dpinger (unless dpinger is the underlying pinger for gateways) packages.
You may be using a package that shouldn't even be there.

Derelict

Yeah if you have a version that uses apinger, the solution is to upgrade. 2.4.2_1 is current.

dims

I am using 2.3.2-RELEASE (amd64)

I don't see 2.4.2_1 as upgrade option. It writes Latest Base System 2.3.3_1

If I enable unstable and experimental releases, it writes 2.3.6.a.20180103.1249

The date is yesterday.

Are you really pfSense guys, people?

Derelict

2.3.2 does not have apinger, it has dpinger. I don't recall any issues with it since then.

You should upgrade anyway. Take a configuration backup and give it a go. The reported version from there does not always match what you end up with, unfortunately.

dims

Ah, I found newer version on site. Updater just doesn't see it…

dims

I don't beleive it will work. If this is not recognized as a bug or problem, then unprobably it was solved…

Derelict

Are you really pfSense guys, people?

Insults? Really?

Derelict

@dims:

I don't beleive it will work. If this is not recognized as a bug or problem, then unprobably it was solved…

That is because it is probably not a bug or a problem. You have a unique situation and you need to figure out what to monitor so you get the results you are looking for.

Sometimes when an ISP administratively shuts down a circuit for things like "no more money" they still respond to pings for some close addresses, sometimes they hijack DNS or forward all port 80 "you're out of money" page, etc.

Derelict

1. workstation inside LAN

2. pfSense command line

3. provider's router.

And, to add some clarity. NOTHING but pinging from the firewall itself matters for gateway monitoring. That is the only case that has any impact on the monitoring process. It does not care if you can or cannot ping the target from AWS or LAN or the "provider's router."

What do you have for DNS servers in System > General? Do you have gateways set on those?

What do you have for monitor IP addresses on each gateway? Are they the same or different than the DNS servers and gateways?

Are you trying to use any VPN endpoints as monitor addresses?

dims

@Derelict:

Sometimes when an ISP administratively shuts down a circuit for things like "no more money" they still respond to pings

This is not the case since I tried to ping by ping command line command.

dims

@Derelict:

NOTHING but pinging from the firewall itself matters for gateway monitoring.

Okay. So ping from firewall works, while monitor says gateway is down. How can it be?

What do you have for DNS servers in System > General?

How DNS can affect pinging?

Do you have gateways set on those?

Of course not. DNS servers are given by each provider and the matter of change without notice. So I can't set static DNS addresses on General page. This is design error of pfSense (aka deliberate bug).

What do you have for monitor IP addresses on each gateway?

I am pinging my outer IPs for each provider. This is the only thing I can know, because I pay for them.

Are they the same or different than the DNS servers and gateways?

Of course they are different. I can't set DNS server to ping, because DNS server is not obliged to respong to pings.

Are you trying to use any VPN endpoints as monitor addresses?

I would write this, if I did.

Derelict

Because there are a lot of things that have to happen to make Multi-WAN and gateway monitoring work.

All of the things I mentioned are because those are instances where the firewall has no choice but to install host routes out a specific interface.

When you set a gateway monitor IP address, a host route is created to steer all traffic to that address out a specific interface.

When you set a gateway on a DNS server in System > General the same thing happens a host route for that DNS server out that interface.

When you set an interface on an IPsec configuration, the same thing happens.

I know you think this should all "just work" but in your (uncommon, complicated) situation you have to have everything just right.

So you can either listen and answer questions without all the snark, or don't. Completely up to you.

Okay. So ping from firewall works, while monitor says gateway is down. How can it be?

Show me a packet capture on that interface where the dpinger echo requests are being sent and replies are reliably being received and the gateway is still showing as down.

dims

Currently I tried to monitor the "gateway" host for the provider's modem. Situation with this address is the same: I can ping it from pfSense, but Monitor says it is down.

Here is the screenshot of Monitor:

dims

Here is the proof that ping is OK:

dims

And here is the tcpdump. Address 192.168.100.2 is an address of pfSense re3 interface, which is connected to provider3 modem.

I made a gap at the moment before I started a ping from another session in parallel of tcpdump running.

 tcpdump -vnni re3 icmp
tcpdump: listening on re3, link-type EN10MB (Ethernet), capture size 65535 bytes
17:24:27.148884 IP (tos 0x0, ttl 64, id 4107, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6685)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 774, length 8
17:24:37.150298 IP (tos 0x0, ttl 64, id 4605, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6493)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 775, length 8
17:24:37.151978 IP (tos 0x20, ttl 254, id 4605, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 775, length 8
17:24:47.152278 IP (tos 0x0, ttl 64, id 13649, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->413f)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 776, length 8
17:24:57.154279 IP (tos 0x0, ttl 64, id 56463, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->9a00)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 777, length 8
17:25:07.155922 IP (tos 0x0, ttl 64, id 37697, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->e34e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 778, length 8
17:25:07.157606 IP (tos 0x20, ttl 254, id 37697, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 778, length 8
17:25:11.218697 IP (tos 0x0, ttl 64, id 64431, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f5a4)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 0, length 64
17:25:11.219159 IP (tos 0x0, ttl 64, id 5506, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 0, length 64
17:25:12.219773 IP (tos 0x0, ttl 64, id 64514, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f551)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 1, length 64
17:25:12.220202 IP (tos 0x0, ttl 64, id 5567, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 1, length 64
17:25:13.220858 IP (tos 0x0, ttl 64, id 64601, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f4fa)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 2, length 64
17:25:13.221296 IP (tos 0x0, ttl 64, id 5593, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 2, length 64
17:25:17.157276 IP (tos 0x0, ttl 64, id 61699, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->858c)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 779, length 8
17:25:17.158900 IP (tos 0x20, ttl 254, id 61699, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 779, length 8
17:25:27.159275 IP (tos 0x0, ttl 64, id 53364, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->a61b)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 780, length 8
17:25:37.161277 IP (tos 0x0, ttl 64, id 4829, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->63b3)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 781, length 8
17:25:47.163278 IP (tos 0x0, ttl 64, id 34933, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->ee1a)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 782, length 8
17:25:57.165273 IP (tos 0x0, ttl 64, id 18232, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->2f58)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 783, length 8

17:26:00.753899 IP (tos 0x0, ttl 64, id 13197, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->42cb)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 0, length 64
17:26:00.758603 IP (tos 0x20, ttl 254, id 13197, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 0, length 64
17:26:01.755266 IP (tos 0x0, ttl 64, id 38153, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->e14e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 1, length 64
17:26:01.756999 IP (tos 0x20, ttl 254, id 38153, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 1, length 64
17:26:02.756272 IP (tos 0x0, ttl 64, id 49644, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->b46b)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 2, length 64
17:26:02.758051 IP (tos 0x20, ttl 254, id 49644, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 2, length 64
17:26:03.757266 IP (tos 0x0, ttl 64, id 18970, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->2c3e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 3, length 64
17:26:03.759090 IP (tos 0x20, ttl 254, id 18970, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 3, length 64
17:26:04.758269 IP (tos 0x0, ttl 64, id 39956, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->da43)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 4, length 64
17:26:04.760083 IP (tos 0x20, ttl 254, id 39956, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 4, length 64
17:26:07.167272 IP (tos 0x0, ttl 64, id 19983, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->2881)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 784, length 8
17:26:07.169021 IP (tos 0x20, ttl 254, id 19983, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 784, length 8
17:26:11.265949 IP (tos 0x0, ttl 64, id 10046, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->ca16)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 0, length 64
17:26:11.266466 IP (tos 0x0, ttl 64, id 5877, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 0, length 64
17:26:12.267013 IP (tos 0x0, ttl 64, id 10061, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->ca07)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 1, length 64
17:26:12.267436 IP (tos 0x0, ttl 64, id 5911, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 1, length 64
17:26:13.268090 IP (tos 0x0, ttl 64, id 10073, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->c9fb)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 2, length 64
17:26:13.268560 IP (tos 0x0, ttl 64, id 5913, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 2, length 64
17:26:17.169272 IP (tos 0x0, ttl 64, id 18055, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->3009)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 785, length 8
17:26:17.170811 IP (tos 0x20, ttl 254, id 18055, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 785, length 8

dims

@Derelict:

host route is created to steer all traffic to that address out a specific interface.

It should not happen silently. A link to this route should appear near appropriate configuration window so that administrator could check if this route interferes with something he set in other places. This is bad design case.

If the system doesn't smart enogh to run out of the box automatically, it should be configurable. If it is not configurable, it should be smart enough to run automatically.

You can't do Apple iOS which doesn't run and unable to configure.

johnpoz

You have bad checksums.. and sending multiple requests and getting back 1 reply..

You have something borked there… So looks like your monitor is going out BAD... And what your dump is showing as answer is your normal ping..

dims

@johnpoz:

You have bad checksums.. and sending multiple requests and getting back 1 reply..

Yes. Why can it happen? It never happen with normal ping. At least I was running it for dozens of minutes and saw no case of packet loss.

And what your dump is showing as answer is your normal ping..

I did only 5 pings, then I pressed Ctrl-C. All other pings are from someone else, I expect dpinger.