pfSense with Gateway Monitoring causing packet loss



  • So using 2.4.0-RELEASE (amd64), just installed everything. I'm new to using pfSense, been using Smoothwall for a long time. But once I had everything up and running, I noticed I kept getting packet loss on voice like TeamSpeak etc., couldn't figure out the cause right away. Managed to track it down. If I disable Gateway Monitoring and Gateway Action, this seems to turn off (dpinger), and everything is fine, no packet loss or anything. Running this simple WAN/LAN setup with WAN being connected to a cable modem that is just a bridge, no router function. By default it seems to try and ping my ISP gateway. My question: am I doing something wrong, or is this a bug, or what's going on here? Seems really weird that a default function like this should cause something as major as packet loss, and as said it's not a matter of just ping timing out, it also causes things like TeamSpeak and other things to notice this effect. Any information on this would be helpful, as I have tried to google it but not found anything directly related to this.


  • Rebel Alliance Global Moderator

    Do you have it set to reset states on gateway down?

    Advanced, Misc (see attached)

    If you have that set and your gateway monitoring is having problems - like the IP you're monitoring is not answering pings or there are very long response times.. Then sure, it's possible your states are getting reset, etc. The pings to your gateway are zero byte in size pings. They should not cause any issues unless the IP you're pinging is really bad in responding.. Try picking a different IP than your ISP gateway if it sucks in responding to pings.



  • Hi.
    Sorry for revamping an old thread but I'm on 2.4.4 and I have a very similar problem: I have two WANs, an ADSL line and a 4G one. The latter works perfectly, while the first is often reported as down with high packet loss.

    I've set 1.0.0.1 as monitor for DSL and 8.8.4.4 for the 4G, but I've previously tried with OpenDNS' IPs and the behavior is exactly the same.

    In firewall I've configured LAN rules to force the two monitoring IPs to go to the associated GW.
    If I ping from a PC in the LAN to 1.0.0.1 all packets go through without a single loss. If I do the same from pfSense I get the loss reported by gateway monitoring.

    I also found a quite strange behavior: if I keep ping open on a LAN PC to 1.0.0.1 it stops receiving responses while pfSense's ping check runs. It also behaves differently if in the ping tester I choose an interface over another: if I set to auto the ping is interrupted on the LAN client.

    Pinging from the ADSL modem itself works perfectly.

    @johnpoz I cannot see the attachment, are the ones below the settings you were referring to?
    thanks




  • Don't use Google's name servers as a monitoring IP address. They will drop your packets and you'll generate false-positives.

    1.0.0.1 is (in theory) located in Australia. Are you geographically close to Australia? Long routes can time out frequently, so you may want to consider a closer address to check.


  • Rebel Alliance Global Moderator

    Yeah those are it - old pictures had some issues coming over to the new forum software.

    As to 1.0.0.1 being in AU... You sure about that - it's an anycast address.. Thought Cloudflare had locations all over the globe, etc.



  • @tim-mcmanus I tried with OpenDNS, GoogleDNS and Cloudflare... They apparently all behave the same.



  • @johnpoz said in pfSense with Gateway Monitoring causing packet loss:

    Yeah those are it - old pictures had some issues coming over to the new forum software.

    As to 1.0.0.1 being in AU... You sure about that - it's an anycast address.. Thought Cloudflare had locations all over the globe, etc.

    Not sure at all. Did a quick GeoIP lookup, which I generally don't trust as fact, but was curious.



  • @maxxer said in pfSense with Gateway Monitoring causing packet loss:

    @tim-mcmanus I tried with OpenDNS, GoogleDNS and Cloudflare... They apparently all behave the same.

    I generally stay away from DNS providers' IP addresses. I am spoiled, I have a client about 120 miles from me and use their IP address as my check point.


  • Rebel Alliance Global Moderator

    Well, with a response time of 30ms from Chicagoland

    user@uc:~$ ping 1.0.0.1
    PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
    64 bytes from 1.0.0.1: icmp_seq=1 ttl=51 time=31.6 ms
    64 bytes from 1.0.0.1: icmp_seq=2 ttl=51 time=33.0 ms

    It's clearly not in AU ;) hehehe

    Unless my pings are breaking physics...
    Here is their anycast map
    https://www.cloudflare.com/network/
    155 DC worldwide.

    Why can you not just use your ISP gateway as monitor?



  • @johnpoz said in pfSense with Gateway Monitoring causing packet loss:

    Yeah those are it - old pictures had some issues coming over to the new forum software.

    But the settings are correct as unchecked, right?

    I don't think the IP itself is being a problem, as I've used GDNS and ODNS in the past happily. It seems something related to 2.4.4, or with my config...