Weird gateway monitoring IP issue

A Former User · Dec 24, 2018, 11:26 AM

Hi there,

Sorry if this is the wrong section! I'm having a Really weird gateway issue. I've got 2 VPN setup on my pfsense box, Both of them will only work with a specific monitoring IP set, however I can't set that monitoring IP on both interfaces. Whichever gateway has that monitoring IP set, will work, and the other won't. If I try setting both to " Disable Gateway Monitoring " it just stops the gateway from working. " Disable Gateway Monitoring Action " doesn't seem to have any effect on either gateway either. I've been talking to my VPN provider regarding and every IP that they've provided doesn't seem to work for it, on either interfaces. The only IP that works is one of their DNS ips? I'm officially stumped. I've got no friggin idea why it won't work, nor what to do next.

I've also tried setting the gateway from WAN_DHCP to Automatic, but hasn't made a difference.

Any help with this would be greeeeeeeeeatly appreciated. Thank you!

Kind regards,
-K34nu

Grimson · Dec 24, 2018, 11:31 AM

https://www.netgate.com/docs/pfsense/book/routing/gateway-settings.html#monitor-ip really read it.

A Former User · Dec 24, 2018, 11:41 AM

@grimson said in Weird gateway monitoring IP issue:

https://www.netgate.com/docs/pfsense/book/routing/gateway-settings.html#monitor-ip really read it.

I've just re-read it incase I was missing something. Please re-read my post. The gateways will ONLY work with a specific IP address, if I set 1.1.1.1, 8.8.8.8 or any other ip address other than the one i've set, they don't work. If I remove the monitoring IP, it doesn't work. If I swap the ip address from one gateway to the other, it will work. If I do anything on the gateway other than set that specific IP address, it won't work. My VPN provider has teamviewered in to check all of my settings, and can't see anything out of place either, which is why i'm reaching out on the forum.

Thanks,

johnpoz · Dec 24, 2018, 11:50 AM

Can you ping the IP? If you can not ping the IP then no monitoring will not work.. Also dpinger uses 0 payload.. Some IPs do not answer with that, etc.

What does it matter if you ping or not - just set the gateway to always be up..

Normally in a vpn client setup the monitoring IP is going to be the IP you get..

if you change that then yeah you could have some issues depending.. Why do you want/need to change it.. If your vpn connection drops then you loose your IP and the gateway goes down..

Grimson · Dec 24, 2018, 11:50 AM

@k34nut said in Weird gateway monitoring IP issue:

I've just re-read it incase I was missing something.

No you didn't. Let me quote the last two sentences in that paragraph for you:

If the IP address specified in this box is not directly connected, a static route is added to ensure that traffic to the Monitor IP address leaves via the expected gateway. Each gateway must have a unique Monitor IP address.

So that's it. You can't have the same monitoring IP on two different gateways.

Also read here: https://www.netgate.com/docs/pfsense/book/multiwan/multi-wan-caveats-and-considerations.html and this time I wont quote the relevant part, you have to really read the documentation yourself.

A Former User · Dec 24, 2018, 1:29 PM

Hi Johnpoz,

That's the weird part. The IP that's working won't respond to pings. If I set the gateway to be always up by disabling gateway monitoring then it doesn't work either, on either vpn gateway 1 or 2. The "Gateway Action" tickbox doesn't do anything to it. I'm not trying to change it, i'm saying that it won't work without it on either gateway.

@Grimson

I'm sorry, but you haven't read my post.

If I swap the monitoring ip from one vpn gateway to the other, it will work. Meaning, if I manually take the monitoring IP off vpn gateway 1, then place it onto the vpn gateway 2, it will work on the vpn gateway 2, and vpn gateway 1 will stop working. Without said IP will not work. I'm not trying to use a duplicate IP on multiple gateways. I'm stating that a single IP will only work on either gateway. I'm sorry if that was not clear before, but now it is. Also just to clarify once again, i'm not entirely sure if it's meant to or not, however there is nothing present under system / routing / static routes.

This may give a better overview of what my network looks like.

https://nguvu.org/pfsense/pfsense-baseline-setup/

However I have 2 VPN networks instead of one.

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////

edit:

I've figured it out. It was down to the DHCP DNS servers.

Using examples here, and this is a bit convuluted, so please bear with if this isn't brilliantly easy to follow!

VL200 gets pushed through to VPN gateway 1, VL200 has DHCP setup on it with dns address 1.1.1.1 / 1.0.0.1 and the gateway has a monitoring ip of 1.1.1.1. Works fine

VL300 gets pushed through to VPN gateway 2, VL300 has DHCP setup on it with dns address 1.1.1.1 / 1.0.0.1 and the gateway has a monitoring ip of 1.0.0.1. Doesn't work

I'm not entirely sure what posessed me to do it, but, I swapped around the DNS address on VL300, so it's now like this:

VL300 gets pushed through to VPN gateway 2, VL300 has DHCP setup on it with DNS address 1.0.0.1 / 1.1.1.1 and the gateway now has a monitoring ip of 1.0.0.1 - now works.

So the static route blocks off ips unless going through a certain interface? Either way, the DNS wasn't working, and it wasn't using the second DNS, so it couldn't ping out to that monitoring IP, causing the interface to stop working.

I wanted to post the fix incase anyone finds themself in the same position and can't figure it out!

Grimson · Dec 24, 2018, 2:45 PM

@k34nut said in Weird gateway monitoring IP issue:

I've figured it out. It was down to the DHCP DNS servers.

No, it's down to PEBCAK and still is.

Using examples here, and this is a bit convuluted, so please bear with if this isn't brilliantly easy to follow!

VL200 gets pushed through to VPN gateway 1, VL200 has DHCP setup on it with dns address 1.1.1.1 / 1.0.0.1 and the gateway has a monitoring ip of 1.1.1.1. Works fine

VL300 gets pushed through to VPN gateway 2, VL300 has DHCP setup on it with dns address 1.1.1.1 / 1.0.0.1 and the gateway has a monitoring ip of 1.0.0.1. Doesn't work

I'm not entirely sure what posessed me to do it, but, I swapped around the DNS address on VL300, so it's now like this:

VL300 gets pushed through to VPN gateway 2, VL300 has DHCP setup on it with DNS address 1.0.0.1 / 1.1.1.1 and the gateway now has a monitoring ip of 1.0.0.1 - now works.

So first, you only had DNS issues and not complete loss of connectivity, that's a major difference and important information. If you can't do basic troubleshooting beforehand read the Docs: https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html if that's still too much for you post actual screenshots of your config.

Second, your config is still messed up and will lead to intermittent issues every time a client on one of your VLANS tries to use the secondary DNS address to resolve something, as this address is routed to a different gateway.

So the static route blocks off ips unless going through a certain interface?

No shit sherlock. Learn the basics of networking.

I wanted to post the fix incase anyone finds themself in the same position and can't figure it out!

It's not a fix, just a slightly lesser mess.

A Former User · Dec 24, 2018, 3:54 PM

@grimson Wow. just.. Wow. You keep up the good work there mate and don't let that stick go too far up your arse. Merry xmas.

johnpoz · Dec 24, 2018, 8:21 PM

Looks like you scared him away - I think he deleted his account..