WAN IP change does not clear NAT/firewall states
Hi,
I have a 24x7 SIP monitoring probe running in my DMZ creating constant outbound SIP/RTP traffic. Today I noticed it does not work anymore. Turns out I had a pppoe failure of some sort (whether or not this was a clear disconnect from the carrier or something else is not clear to me so far). After a "redial" the pppoe received a new dynamic IP. All went well with the exception of the SIP session which was still up and using the old WAN IP:
Jun 14 03:05:47 <user.warn>pfSense.koopmann.local dpinger: WAN_PPPOE 109.68.96.128: Alarm latency 64421us stddev 29882us loss 22%
Jun 14 03:05:48 <daemon.err>pfSense.koopmann.local php-fpm[40686]: /rc.dyndns.update: MONITOR: WAN_PPPOE is down, omitting from routing group RoundRobin 109.68.96.128|84.160.51.216|WAN_PPPOE|65.025ms|29.951ms|24%|down
Jun 14 03:07:57 <daemon.err>pfSense.koopmann.local php-fpm[56181]: /rc.newwanip: rc.newwanip: on (IP address: 91.48.59.120) (interface: WAN[wan]) (real interface: pppoe0).

The "State Killing on Gateway Failure" flag is not set. What can I look for in the syslog to see what happened? But it would be my expectation that if the WAN IP changes the NAT sessions also are killed. If the pppoe interface goes down, should this not happen automatically even without dpinger/gateway monitoring kicking in? I can just imagine a case in which the pppoe goes down and up so fast that I get a new IP but the gateway monitor process does not notice. In that case the "state killing on gateway failure" would not even help, would it?
Setting the flag might/should help but if I interpret it correctly it will kill all states and since I have two DSL with round robin this does not seem correct.
Regards,
JP
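One way to answer "what can I look for in the syslog", as an added example that is not part of the original post and not pfSense code: it scans for gateway-down records and rc.newwanip events and reports every WAN address change, including the fast-redial case where no gateway alarm was logged first. It assumes a single WAN interface in the log and that the pipe-separated gateway record reads monitor IP, then source (WAN) IP; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the three syslog lines quoted in the post.
SAMPLE_LOG = """\
Jun 14 03:05:47 <user.warn>pfSense.koopmann.local dpinger: WAN_PPPOE 109.68.96.128: Alarm latency 64421us stddev 29882us loss 22%
Jun 14 03:05:48 <daemon.err>pfSense.koopmann.local php-fpm[40686]: /rc.dyndns.update: MONITOR: WAN_PPPOE is down, omitting from routing group RoundRobin 109.68.96.128|84.160.51.216|WAN_PPPOE|65.025ms|29.951ms|24%|down
Jun 14 03:07:57 <daemon.err>pfSense.koopmann.local php-fpm[56181]: /rc.newwanip: rc.newwanip: on (IP address: 91.48.59.120) (interface: WAN[wan]) (real interface: pppoe0).
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*"
# Assumption: the pipe-separated record reads monitor IP|source (WAN) IP|gateway|...
GW_DOWN = re.compile(TS + r"MONITOR: (?P<gw>\S+) is down.* [\d.]+\|(?P<src>[\d.]+)\|")
NEW_IP = re.compile(TS + r"rc\.newwanip: on \(IP address: (?P<ip>[\d.]+)\)")


def _ts(stamp):
    # Syslog stamps carry no year; 2000 is a placeholder so deltas can be computed.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")


def wan_ip_changes(log_text):
    """Report every rc.newwanip event whose address differs from the last
    known WAN address, and whether gateway monitoring logged the outage first."""
    changes, last_ip, down = [], None, None
    for line in log_text.splitlines():
        m = GW_DOWN.match(line)
        if m:
            last_ip, down = m["src"], m  # remember the address in use before the outage
            continue
        m = NEW_IP.match(line)
        if not m:
            continue
        if last_ip and m["ip"] != last_ip:
            gap = int((_ts(m["ts"]) - _ts(down["ts"])).total_seconds()) if down else None
            changes.append({
                "old_ip": last_ip,
                "new_ip": m["ip"],
                "monitor_saw_outage": down is not None,  # False = redial the monitor missed
                "gap_s": gap,
            })
        last_ip, down = m["ip"], None
    return changes


if __name__ == "__main__":
    for change in wan_ip_changes(SAMPLE_LOG):
        print(change)
```

Any state still translated to an `old_ip` after the reported change is a candidate for the stuck SIP session described in the post.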