Gateway group: fallback PPPoE gateway connects despite monitoring being disabled

  • I want a CARP slave not to connect via PPPoE unless it becomes master - and actually receives traffic.

    I am seeing now that despite having tried to not use the PPPoE connection at all on the slave, it still tries to connect.

    I will paste my state:

    First the error, as you can see in the PPP logs:

    Feb 24 07:48:31  ppp   [wan_link0] Link: DOWN event  
    Feb 24 07:48:31  ppp   [wan_link0] LCP: Down event  
    Feb 24 07:48:31  ppp   [wan_link0] Link: reconnection attempt 148 in 4 seconds  
    Feb 24 07:48:35  ppp   [wan_link0] Link: reconnection attempt 148  
    Feb 24 07:48:35  ppp   [wan_link0] PPPoE: Connecting to ''  

WAN interface is configured to be "Dial on demand" with an "Idle timeout" of 15.

    In "Routing", there are 2 gateways:
    GW_LAN, connecting to the other pfSense that is the leading firewall via direct IP (not CARP IP)
WAN_PPPOE, which has options "Gateway Monitoring" == "Disable Gateway Monitoring" and "Gateway Action" == "Disable Gateway Monitoring Action" (sounds a little redundant)
    Both have Weight 1

    In "Gateway Groups", GW_LAN is Tier 1, WAN_PPPOE is "Tier 3". Trigger Level is "member down", I have tried different trigger levels here. Also, setting Tier to "never" does not change anything.
<- My understanding is that the different tiers would prevent the PPPoE from becoming active as long as GW_LAN (Tier 1) is reachable, which seems not to be working.

In "Firewall Rules", "LAN", for "IPv4" I have set the Gateway to the gateway group created and described above. Note: even setting the Gateway to "GW_LAN" here does not change the PPPoE reconnect attempts!

    How can I disable the PPPoE connection attempt unless it is really needed by incoming traffic and the default gateway (other pfSense) being down?

I think my problem starts even earlier: somehow, despite having chosen "dial on demand" and there being no traffic, an attempt is made to establish the PPPoE connection.

  • I have also created firewall rules on LAN + WAN to block everything, IP4+IP6 and any protocol from * to * - just the anti lockout rule is still in place.

    No matter what I do, the "Dial on Demand" dials in though I do not see any demand.

1: try using States to catch outbound traffic
2: if you selected to use some DNS (in General) through the backup link - it will be triggering the call, because, you know, there is outbound traffic!
3: or just run tcpdump and analyze.
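An added example, not posted by anyone in this thread, that does the first and third suggestions above on the command line: it parses the PPP log lines quoted earlier to see how far the reconnection loop has progressed, and it parses `tcpdump -n`-style lines to separate traffic that stays on the LAN from traffic that needs a gateway (and so is a candidate for waking a dial-on-demand link), split by whether the firewall itself or a LAN host originated it. The tcpdump lines, the LAN subnet 192.168.1.0/24 and the firewall address 192.168.1.1 are constructed assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import Counter

# The PPP log lines quoted in the thread (constructed sample input for this script).
PPP_LOG = """\
Feb 24 07:48:31  ppp   [wan_link0] Link: DOWN event
Feb 24 07:48:31  ppp   [wan_link0] LCP: Down event
Feb 24 07:48:31  ppp   [wan_link0] Link: reconnection attempt 148 in 4 seconds
Feb 24 07:48:35  ppp   [wan_link0] Link: reconnection attempt 148
Feb 24 07:48:35  ppp   [wan_link0] PPPoE: Connecting to ''
"""

# Constructed sample in the shape of `tcpdump -n` output; addresses are
# documentation/private ranges chosen for the example, not from the thread.
TCPDUMP = """\
07:48:30.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? host.example. (30)
07:48:30.000002 IP 192.168.1.2.49152 > 192.168.1.1.443: Flags [S], seq 1, win 65535, length 0
07:48:30.000003 IP 192.168.1.1.49153 > 203.0.113.53.53: 2+ A? pkg.example. (29)
07:48:30.000004 IP 192.168.1.1.123 > 203.0.113.10.123: NTPv4, Client, length 48
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")  # assumed pfSense LAN address

PPP_RE = re.compile(r"\[(?P<link>\w+)\] (?P<msg>.+)$")
ATTEMPT_RE = re.compile(r"reconnection attempt (?P<n>\d+)(?: in (?P<delay>\d+) seconds)?$")
CONNECT_RE = re.compile(r"PPPoE: Connecting to '(?P<svc>[^']*)'$")
FLOW_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_ppp_log(text):
    """Per PPP link: number of DOWN events, highest reconnection attempt
    number seen, and the PPPoE service names that were dialled."""
    links = {}
    for line in text.splitlines():
        m = PPP_RE.search(line)
        if not m:
            continue
        info = links.setdefault(m["link"], {"down": 0, "max_attempt": 0, "dials": []})
        msg = m["msg"]
        if msg == "Link: DOWN event":
            info["down"] += 1
        elif (a := ATTEMPT_RE.search(msg)):
            info["max_attempt"] = max(info["max_attempt"], int(a["n"]))
        elif (c := CONNECT_RE.search(msg)):
            info["dials"].append(c["svc"])
    return links


def is_flapping(info, threshold=10):
    """A link that keeps redialling is worth investigating; the threshold is arbitrary."""
    return info["max_attempt"] >= threshold


def classify_flows(text, lan_net=LAN_NET, firewall_ip=FIREWALL_IP):
    """Label each tcpdump flow with who originated it and whether its
    destination lies outside the LAN (so it needs a gateway at all)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src == firewall_ip:
            origin = "firewall"   # traffic the pfSense box itself sends (DNS, NTP, updates)
        elif src in lan_net:
            origin = "lan"        # traffic from a LAN host, subject to the LAN rules
        else:
            origin = "other"
        flows.append({
            "src": str(src), "dst": str(dst), "dport": int(m["dport"]),
            "origin": origin, "needs_gateway": dst not in lan_net,
        })
    return flows


def gateway_summary(flows):
    """Count (origin, destination port) pairs for flows that need a gateway."""
    return Counter((f["origin"], f["dport"]) for f in flows if f["needs_gateway"])


if __name__ == "__main__":
    for link, info in parse_ppp_log(PPP_LOG).items():
        print(link, info, "flapping" if is_flapping(info) else "stable")
    print(gateway_summary(classify_flows(TCPDUMP)))
```

On the constructed capture the only flows that need a gateway are the firewall's own DNS and NTP queries, which is the kind of traffic the reply above points at; on a real box the capture should be taken on the PPPoE interface itself to confirm which of those flows actually end up on the backup link rather than on GW_LAN.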

Thanks for the answer!

    1. With states, I have to guess target interface (WAN being the interesting one) via IP? Since I see only 1 interface, I guess the source one.

2. What is DNS through the backup link? In general, I need DNS and would not know how to set it up in a different way. Also, I cannot specify it per interface, only for the whole box?

    3. Will research that.

    Shouldn't firewall rules (deny all) come before anything else, including traffic initiated by the pfSense itself, and hence prevent the dial in?

While you are researching tcpdump, pfSense has an option for logging matching rules (this is configured on the rule itself). Try it.