Pfsense lost Acces to WAN Gateway.

Amir75

Hello all,

Hi have an issue in acces between my 2 pfsenses and their WAN Gateway (bgp router).

When configuring my WAN interface, everything seems to be good, i can reach my gateway and internet. That's only works about 1 or 2 hours.

After that , Gateway monitoring indicates that my WAN Gateway is offline internet acces goes down. Restarting my WAN interface via Pfsense or changes speed negotation restore the access but still go down after hours.

This only happens with pfsense , i have no issues with other firewall.

I have Pfsenses VM's mount in ESXI , in last version. I'll already try to changes my card type from VMXNET3 To E1000 , disable gateway monitoring, changes speed negociation , perform an hard reset...

Is there a solution to this problem?

Rico

VMware Tools installed?

-Rico

Amir75

Yes Vmware tools are already installed.

In this screenshot Gateways monitoring indactes online but will go offline after hours. Only on WAN interface.

stephenw10

The actual interface shows as down or just the gateway monitoring shows down?

If the interface stays up and that is still the default gateway then traffic will continue to use it. It looks like you have two gateways though, how are they arranged? Are they both WANs? Do you have one set as default in System > Routing > Gateways?
Make sure you do especially if one is an internal gateway.

When it goes down do you still see the monitoring pings leaving the interface? Do you see them hitting the gateway?

Steve

Amir75

Interfaces always stays on , only gateway monitoring shows down.

My Pfsense gets :

2 WAN interfaces
1 LAN interface
1 Monitoring interface.
1 interface for cluster
Actually only 1 WAN interfaces is turned on to avoid conflict with my production environnement.
All interfaces have gateway exept for LAN interface. i set default gateway in automatic. should i change to WAN gateway default ?

I have issue only with WAN interface. when gateway monitoring show WAN gateway offline. ping are not leaving interface. Here is my logs last time when WAN gateway monitoring go down :

Sep 22 14:41:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 185.111.53.97 bind_addr 185.x.x.x identifier "WAN2GW "

Sep 22 14:41:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 172.16.60.153 bind_addr 172.16.60.158 identifier "GW_SUPERVISION "

Sep 22 14:40:38 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 185.111.53.97 bind_addr 185.x.x.x identifier "WAN2GW "

Sep 22 14:40:38 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 172.16.60.153 bind_addr 172.16.60.158 identifier "GW_SUPERVISION "

Sep 22 14:39:27 dpinger WAN2GW 185.x.x.x: Alarm latency 0us stddev 0us loss 100%

Sep 22 14:39:25 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 185.111.53.97 bind_addr 185.x.x.x identifier "WAN2GW "

Sep 22 14:39:25 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 172.16.60.153 bind_addr 172.16.60.158 identifier "GW_SUPERVISION "

stephenw10

@Amir75 said in Pfsense lost Acces to WAN Gateway.:

Sep 22 14:39:27 dpinger WAN2GW 185.x.x.x: Alarm latency 0us stddev 0us loss 100%

That's the only actual alert there. The other lines are just dpinger starting.

Yes, you should set the default IPv4 gateway to the actual WAN gateway.

If it's not actually sending pings though something must be blocking it. It's doesn't look like you have Snort or pfBlocker running though which would be my first suspects there.

Steve

Amir75

I just set up default Gateway for WAN Interface.

There is an exemple of packet capture when GW monitoring shows offline for WAN Gateway :

19:14:47.392445 IP 185.x.x.x > 185.x.x.x:x ICMP echo request, id 25169, seq 60, length 9
19:14:47.580478 IP 185.x.x.x > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
19:14:47.580506 IP 185.x.x.x > 224.0.0.18: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36

Maybe can help ...

stephenw10

Do you see any ping replies?

Are those actually your CARP VIPs advertising there?

Does the Secondary node still see them? It remains as Backup for those VIPs?

Does the secondary node still see the gateway as up?

We can't see if those IPs are different but it's possible you are outbound NATing the gateway pings to a CARP VIP which is incorrect but a relatively common mistake.

Steve

Amir75

Hello stephenw10,

• No, when the gateway's down, we haven't any ping replies
• The slave member still see the gateway when the master detects a problem on it but after a litle time (random time) but it doesn't switch as a master member, the secondary node detects also a problem with the gateway.
• To check if it is about the CARP configuration, we completly turned down the CARP settings on the pfsense's cluster. Please let me know if you see anything which is incorrect in our configuration.

stephenw10

Are your outbound NAT rules catching the ping gateway monitoring traffic?

Did you try setting gateway monitoring to another IP address?

Amir75

Yes i try to set gateway monitoring to google IP 8.8.8.8 and 8.8.4.4.

i also try to disable gateway monitoring , same issue.

For the moment , i reset my cluster of pfsense and only reboot one , in standalone, with minimal configuration. Only 2 interfaces are UP (WAN and LAN). Wan gateway and internet access still offline after hours ...

Outbond Nat Rules are set in Automatic mode , i confirm you rules is catching ping gateway monitoring.

stephenw10

Gateway monitoring should be from the interface IP directly, it should not be caught by outbound NAT rules.
If you are running an HA pair you should be using manual outbound NAT mode to the CARP VIP IPs.
If you are using automatic mode though it will not be NATing the gateway pings so they should work.

However you are seeing complete loss of connectivity after that time?

Does the gateway still appear in the ARP table?

Steve

Amir75

Right now im not running HA pair , i restore my firewalls and only one is up in standalone. I use Nat Outound in automatic mode

Yes still have loss connectivity despite the fact that the configuration is at the minimum. Loss appear after hours.

I see my gateway in ARP Table.

still looking for solution...

Thank you for helping me