Gateway down - no notification received via SMTP
-
@phaze75
/etc/inc/gwlb.inc - line https://github.com/pfsense/pfsense/blob/30335336358db3bcdc0ede634a4f81b7f3273c7b/src/etc/inc/gwlb.inc#L120
addnotify_all_remote("WAN went down (and when I receive this, it will be up again !)");This part of the file will now look like :
.... if (!$gateway['action_disable']) { $params .= "-C \"{$alarm_cmd}\" "; /* Command to run on alarm */ notify_all_remote("WAN went down !"); } .... Works for me ^^ I ripped out the WAN cable - counted to 35, put it back in .... The logs mentioned a mail being send - several, actually - my DynDNS's also kicked in. I received also :Notifications in this message: 1
11:22:06 WAN went down (and when I receive this, it will be up again !)
Btw : I'm not advising you to mess up your pfSense ;) @johnpoz said in [Gateway down \- no notification received via SMTP](/post/840825): > Would be a nice if there was some doc listing what exactly will trigger a smtp notification... Better yet would be a way to toggle different notifications on or off.. +1 ! -
@Gertjan said in Gateway down - no notification received via SMTP:
Btw : I'm not advising you to mess up your pfSense ;)
Fiddling around with the code/scripts will bring me exactly there. So I will refrain from leaving the standard. Thanks anyway!
-
If you just want an easy way to get notified when your wan goes offline - other than your users screaming at you ;) There are many a FREE place that will do this for you..
-
@johnpoz said in Gateway down - no notification received via SMTP:
your wan goes offline
Yeah !! Sending a mail with WAN down means : receiving the mail when WAN comes up. Rather useless.
-
@Gertjan said in Gateway down - no notification received via SMTP:
Yeah !! Sending a mail with WAN down means : receiving the mail when WAN comes up. Rather useless.
Guys, am I writing in Chinese?
I am repeating myself (see the quote of my second post below) when I tell you that the pfsense's LAN interface, the SMTP-Server, the Mail-Server and all Email-Clients are all in the same private LAN, that continue to work even with the WAN down. So no, it is not useless, because I would instantly receive pfsense's email notification within my private LAN, if pfsense would just send it. So simple, no strings attached. @phaze75 said in Gateway down - no notification received via SMTP:
Hmm, why? The LAN interface (still up) and the SMTP server are in the same private subnet. I even configured the static IP of the SMTP server instead of the FQDN to prevent any DNS related issues.
-
Non, not Chinese, I understood that part : pfSense can deliver to a local mail on server just fine.
What I do understand just know : your mail box is also on LAN.
I saw your "mail server", and was things "oh, that would be a mail forwarder".My ISP is quiet tolerant, but hosting a mail server locally is impossible : port 25 is blocked for incoming connection. Outgoing 25 is only allowed to the ISP mail servers. In Europe, most ISP's handle this way.
No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan said in Gateway down - no notification received via SMTP:
My ISP is quiet tolerant, but hosting a mail server locally is impossible : port 25 is blocked for incoming connection. Outgoing 25 is only allowed to the ISP mail servers. In Europe, most ISP's handle this way.
I agree regarding to ISP's private contracts. I am lucky. ISP's business contracts have to enable the full IP port range, otherwise companies could not host their SMTP servers on premise. So there will be others too hosting on premise SMTP servers behind pfsense firewalls who could use that feature...
-
It might be nice (for the rest of us) to receive an email once the gateway is back online, simply stating the gateway was down at <datetime> for #h:#m.
perhaps an event on the gateway up event with some log analysis to calc the duration?Any way to do that without an external NMS watching everything?
-
@Gertjan said in Gateway down - no notification received via SMTP:
Outgoing 25 is only allowed to the ISP mail servers. In Europe, most ISP's handle this way.
That is not just EU, most consumer lines are the same way in the US. And even if your isp doesn't block - most major players block you sending them mail if your IP is listed as being dynamic.
-
@johnpoz said in Gateway down - no notification received via SMTP:
That is not just EU, most consumer lines are the same way in the US. And even if your isp doesn't block - most major players block you sending them mail if your IP is listed as being dynamic.
Aren't there any business users of pfsense using business lines that are not blocked by the ISP? I did not understand that pfsense was only for home users using consumer lines.
By the way: since almost 8 years our business is extensively using the on-premise SMTP server via a dynamic IP address including a DynDNS setup. In all those years there has never been an occasion where one of our emails has been blocked. And we have also communicated to major players.
-
What is now to do with the result of this long controversial discussion that even contains a potential solution from @Gertjan (see below)? Is this now taken care of? Do I need to submit a bug report/feature request?
@Gertjan said in Gateway down - no notification received via SMTP:
.... if (!$gateway['action_disable']) { $params .= "-C \"{$alarm_cmd}\" "; /* Command to run on alarm */ notify_all_remote("WAN went down !"); } ....Works for me ^^
I ripped out the WAN cable - counted to 35, put it back in ....
The logs mentioned a mail being send - several, actually - my DynDNS's also kicked in. -
It's just a feature request.
These belong here : pfSense redmine feature requests.Btw, this :
notify_all_remote("WAN went down !");isn't really perfect.
A setup can have more then one WAN interface. It should at least mention which interface.
I didn't check if this part of the code only executes ones, or could execute several times.
And of course, the feature would make sense if a local mail server is available. IMHO : this is very rare. -
In 2.4 you can set a failover group as the default gateway so you should be able to send an email as long as one WAN is still up. Though I've never tested that.
Steve
-
Sorry for resurrecting an older thread, but I wanted to point out another use case for this type of alert that I don't see mentioned here: pfSense high availability (HA) firewall pairs. I've just encountered an issue where an "incorrect" outbound NAT rule rendered the gateway down on the inactive/backup firewall which went unnoticed until I logged into the unit and tried to access the internet. I finally tracked down the issue to an outbound NAT rule configured on the WAN interface to NAT traffic to an IP alias bound to the loopback interface. The problem with the rule was it was supposed to be scoped to specific hosts on a LAN interface, but that was mistakenly left off so it was applied to "any" source. On the active firewall, this NAT rule was seemingly ignored and the ICMP tests of the gateway IP came from the unique IP assigned to the WAN interface of the active/master firewall and therefore succeeded (and good thing too, or I would have lost remote access to the network completely). However, on the inactive/backup firewall the ICMP tests were being manipulated by the NAT rule and were attempting to be sourced from the IP alias, which of course didn't work because the firewall was the backup unit.
A notification about this would have been nice and helped me to track down the failure faster since it related to a firewall change from several days prior. My external monitoring did not detect the issue since inbound ICMP was not impacted by the outbound NAT rule.
-
It would be difficult to add some sort of alert that didn't get triggered incorrectly in some setups. Some people run all sorts of weird setups!
-
@stephenw10 Fair point. I just figure it would be helpful for an admin to get an alert that their gateway was marked down by their firewall. I'll probably implement something in nagios or the like to catch this in the future if it's not possible to do it in pfSense directly without hacking files.
-
Ah, you should be able to do that easily enough. In fact it will do that by default. It does assume the system is able to send the alert though.
-
@stephenw10 Oh, maybe I misread the thread I thought it wasn't sending the alerts. I'll give it a try once I have my LAN smtp server setup.
