Monitor is FALSE detecting one of my WANs as DOWN and another WAN as UP

dims

@Derelict:

Sometimes when an ISP administratively shuts down a circuit for things like "no more money" they still respond to pings

This is not the case since I tried to ping by ping command line command.

dims

@Derelict:

NOTHING but pinging from the firewall itself matters for gateway monitoring.

Okay. So ping from firewall works, while monitor says gateway is down. How can it be?

What do you have for DNS servers in System > General?

How DNS can affect pinging?

Do you have gateways set on those?

Of course not. DNS servers are given by each provider and the matter of change without notice. So I can't set static DNS addresses on General page. This is design error of pfSense (aka deliberate bug).

What do you have for monitor IP addresses on each gateway?

I am pinging my outer IPs for each provider. This is the only thing I can know, because I pay for them.

Are they the same or different than the DNS servers and gateways?

Of course they are different. I can't set DNS server to ping, because DNS server is not obliged to respong to pings.

Are you trying to use any VPN endpoints as monitor addresses?

I would write this, if I did.

Derelict

Because there are a lot of things that have to happen to make Multi-WAN and gateway monitoring work.

All of the things I mentioned are because those are instances where the firewall has no choice but to install host routes out a specific interface.

When you set a gateway monitor IP address, a host route is created to steer all traffic to that address out a specific interface.

When you set a gateway on a DNS server in System > General the same thing happens a host route for that DNS server out that interface.

When you set an interface on an IPsec configuration, the same thing happens.

I know you think this should all "just work" but in your (uncommon, complicated) situation you have to have everything just right.

So you can either listen and answer questions without all the snark, or don't. Completely up to you.

Okay. So ping from firewall works, while monitor says gateway is down. How can it be?

Show me a packet capture on that interface where the dpinger echo requests are being sent and replies are reliably being received and the gateway is still showing as down.

dims

Currently I tried to monitor the "gateway" host for the provider's modem. Situation with this address is the same: I can ping it from pfSense, but Monitor says it is down.

Here is the screenshot of Monitor:

dims

Here is the proof that ping is OK:

dims

And here is the tcpdump. Address 192.168.100.2 is an address of pfSense re3 interface, which is connected to provider3 modem.

I made a gap at the moment before I started a ping from another session in parallel of tcpdump running.

 tcpdump -vnni re3 icmp
tcpdump: listening on re3, link-type EN10MB (Ethernet), capture size 65535 bytes
17:24:27.148884 IP (tos 0x0, ttl 64, id 4107, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6685)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 774, length 8
17:24:37.150298 IP (tos 0x0, ttl 64, id 4605, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6493)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 775, length 8
17:24:37.151978 IP (tos 0x20, ttl 254, id 4605, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 775, length 8
17:24:47.152278 IP (tos 0x0, ttl 64, id 13649, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->413f)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 776, length 8
17:24:57.154279 IP (tos 0x0, ttl 64, id 56463, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->9a00)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 777, length 8
17:25:07.155922 IP (tos 0x0, ttl 64, id 37697, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->e34e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 778, length 8
17:25:07.157606 IP (tos 0x20, ttl 254, id 37697, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 778, length 8
17:25:11.218697 IP (tos 0x0, ttl 64, id 64431, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f5a4)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 0, length 64
17:25:11.219159 IP (tos 0x0, ttl 64, id 5506, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 0, length 64
17:25:12.219773 IP (tos 0x0, ttl 64, id 64514, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f551)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 1, length 64
17:25:12.220202 IP (tos 0x0, ttl 64, id 5567, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 1, length 64
17:25:13.220858 IP (tos 0x0, ttl 64, id 64601, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->f4fa)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 33766, seq 2, length 64
17:25:13.221296 IP (tos 0x0, ttl 64, id 5593, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 33766, seq 2, length 64
17:25:17.157276 IP (tos 0x0, ttl 64, id 61699, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->858c)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 779, length 8
17:25:17.158900 IP (tos 0x20, ttl 254, id 61699, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 779, length 8
17:25:27.159275 IP (tos 0x0, ttl 64, id 53364, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->a61b)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 780, length 8
17:25:37.161277 IP (tos 0x0, ttl 64, id 4829, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->63b3)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 781, length 8
17:25:47.163278 IP (tos 0x0, ttl 64, id 34933, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->ee1a)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 782, length 8
17:25:57.165273 IP (tos 0x0, ttl 64, id 18232, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->2f58)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 783, length 8

17:26:00.753899 IP (tos 0x0, ttl 64, id 13197, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->42cb)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 0, length 64
17:26:00.758603 IP (tos 0x20, ttl 254, id 13197, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 0, length 64
17:26:01.755266 IP (tos 0x0, ttl 64, id 38153, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->e14e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 1, length 64
17:26:01.756999 IP (tos 0x20, ttl 254, id 38153, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 1, length 64
17:26:02.756272 IP (tos 0x0, ttl 64, id 49644, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->b46b)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 2, length 64
17:26:02.758051 IP (tos 0x20, ttl 254, id 49644, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 2, length 64
17:26:03.757266 IP (tos 0x0, ttl 64, id 18970, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->2c3e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 3, length 64
17:26:03.759090 IP (tos 0x20, ttl 254, id 18970, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 3, length 64
17:26:04.758269 IP (tos 0x0, ttl 64, id 39956, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->da43)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 62267, seq 4, length 64
17:26:04.760083 IP (tos 0x20, ttl 254, id 39956, offset 0, flags [none], proto ICMP (1), length 84)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 62267, seq 4, length 64
17:26:07.167272 IP (tos 0x0, ttl 64, id 19983, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->2881)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 784, length 8
17:26:07.169021 IP (tos 0x20, ttl 254, id 19983, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 784, length 8
17:26:11.265949 IP (tos 0x0, ttl 64, id 10046, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->ca16)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 0, length 64
17:26:11.266466 IP (tos 0x0, ttl 64, id 5877, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 0, length 64
17:26:12.267013 IP (tos 0x0, ttl 64, id 10061, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->ca07)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 1, length 64
17:26:12.267436 IP (tos 0x0, ttl 64, id 5911, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 1, length 64
17:26:13.268090 IP (tos 0x0, ttl 64, id 10073, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 0 (->c9fb)!)
    192.168.100.2 > 192.168.100.1: ICMP echo request, id 53386, seq 2, length 64
17:26:13.268560 IP (tos 0x0, ttl 64, id 5913, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.100.1 > 192.168.100.2: ICMP echo reply, id 53386, seq 2, length 64
17:26:17.169272 IP (tos 0x0, ttl 64, id 18055, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->3009)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 785, length 8
17:26:17.170811 IP (tos 0x20, ttl 254, id 18055, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 785, length 8

dims

@Derelict:

host route is created to steer all traffic to that address out a specific interface.

It should not happen silently. A link to this route should appear near appropriate configuration window so that administrator could check if this route interferes with something he set in other places. This is bad design case.

If the system doesn't smart enogh to run out of the box automatically, it should be configurable. If it is not configurable, it should be smart enough to run automatically.

You can't do Apple iOS which doesn't run and unable to configure.

johnpoz

You have bad checksums.. and sending multiple requests and getting back 1 reply..

You have something borked there… So looks like your monitor is going out BAD... And what your dump is showing as answer is your normal ping..

dims

@johnpoz:

You have bad checksums.. and sending multiple requests and getting back 1 reply..

Yes. Why can it happen? It never happen with normal ping. At least I was running it for dozens of minutes and saw no case of packet loss.

And what your dump is showing as answer is your normal ping..

I did only 5 pings, then I pressed Ctrl-C. All other pings are from someone else, I expect dpinger.

johnpoz

exactly if the monitors are going out bad and not getting a response then yes it would show it offline since its not getting an answer to its ping..

Derelict

@dims:

@Derelict:

host route is created to steer all traffic to that address out a specific interface.

It should not happen silently. A link to this route should appear near appropriate configuration window so that administrator could check if this route interferes with something he set in other places. This is bad design case.

There is no choice. It MUST force that route out the set gateway or it will go out the default gateway. The whole point is to bind the traffic to the specific interface. You can always look at the entire routing table in Diagnostics > Routes which is what a competent administrator would do.

If the system doesn't smart enogh to run out of the box automatically, it should be configurable. If it is not configurable, it should be smart enough to run automatically.

You have the special case. That is never going to work out-of-the-box. It will require configuration and tuning to make multi-wan work how you need it to work.

You can't do Apple iOS which doesn't run and unable to configure.

I have no idea what that means.
Diagnostics > Routes

It is smart enough to run automatically. You have the special case/requirements.

Derelict

@johnpoz:

You have bad checksums.. and sending multiple requests and getting back 1 reply..

You have something borked there… So looks like your monitor is going out BAD... And what your dump is showing as answer is your normal ping..

The bad checksums are probably the result of checksum offloading. The OS doesn't calculate the checksums so they are 0 when tcpdump sees it. They are calculated and inserted by the NIC hardware. They are only being displayed because of his tcpdump flags.

17:24:27.148884 IP (tos 0x0, ttl 64, id 4107, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6685)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 774, length 8
17:24:37.150298 IP (tos 0x0, ttl 64, id 4605, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->6493)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 775, length 8
17:24:37.151978 IP (tos 0x20, ttl 254, id 4605, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 775, length 8
17:24:47.152278 IP (tos 0x0, ttl 64, id 13649, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->413f)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 776, length 8
17:24:57.154279 IP (tos 0x0, ttl 64, id 56463, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->9a00)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 777, length 8
17:25:07.155922 IP (tos 0x0, ttl 64, id 37697, offset 0, flags [none], proto ICMP (1), length 28, bad cksum 0 (->e34e)!)
    192.168.100.2 > 95.165.128.1: ICMP echo request, id 44623, seq 778, length 8
17:25:07.157606 IP (tos 0x20, ttl 254, id 37697, offset 0, flags [none], proto ICMP (1), length 28)
    95.165.128.1 > 192.168.100.2: ICMP echo reply, id 44623, seq 778, length 8

You are not getting a LOT of responses. Of course the GW is marked as down.

The default ping interval is two per second. You are doing one every 10 seconds. What else have you changed? How about you post the settings for that gateway - particularly the advanced settings which you have obviously changed from the defaults.

dims

@Derelict:

You are not getting a LOT of responses.

Why? How does dpinger able to achieve this?

The default ping interval is two per second. You are doing one every 10 seconds. What else have you changed?

I played with intervals because I was thinking target host has some sort of flood protection. Neither setting helped, including default one.

How about you post the settings for that gateway - particularly the advanced settings which you have obviously changed from the defaults.

I would not change defaults if they worked.

You are welcome:

dims

@Derelict:

It is smart enough to run automatically. You have the special case/requirements.

Sure, this is what I am saying: pfSense does not work in "special case" of having 3 WANs round robbin.

dims

@johnpoz:

exactly if the monitors are going out bad and not getting a response

Why this can happen? Taking into consideration, that normal ping works?

Derelict

Only your ISP can tell you why sent echo requests are not responded to.

Set all of those settings back to the default. Does it work?

If not, take a quick packet capture for posting here then try setting the data payload to 2. Does it work?

If not, take a quick packet capture for posting here then try setting the data payload to 64. Does it work?

If not, take a quick packet capture for posting here then post all of the above.

dims

@Derelict:

Only your ISP can tell you why sent echo requests are not responded to.

How provider can technically distinguish pings from ping command and from dpinger?

Derelict

The payload size of a normal ping from the ping command is 56 bytes. The payload size of a dpinger ping is 0 by default.

Hence why I asked you to do what I did.

It's pretty rare but some devices freak out with the 0-byte payload even though it's completely legal.

dims

Setting payload to 56 immediately made monitor think gateway is up, thank you!

I have set it to 56 in other monitors, and picture also became better: now zeros in RTT and RTTsd columns!

dims

No, last statement was wrong: after some time these columns got some positive values.