Multiple Gateway Monitor IPs?



  • Dear All,

    I am using a multi WAN setup for years. One of the WAN connection is CATV and it has a modem in front of pfsense. I am using an alternative monitor IP, as I do not want to determine if the modem is reachable, but rather, if I have internet through the modem. For years, I did use well-known Google or OpenDNS IPs as alternative monitor IP.

    However, this approach did fail recently. After some unpredictable amount of time (days more than hours), repeatedly pinging the same IP fails. Switching to an alternative makes everything look fine again, but the same game just starts over. This is indepenet of using Google, OpenDNS, the DNS resolver of the ISP and so on.

    This started at the point int time when the provider changed to gigabit internet and supplied the following DOCSIS 3.1 modem: https://en.avm.de/products/fritzbox/fritzbox-6591-cable/ No apparent settings in the modem are suitable prevent the problematic behaviour. My assumption is that some network device at the ISP prevents long-term pinging of the same IP.

    My alternatives were to monitor the gateway itself or to disable gateway monitoring action. Presently, I did chose the second approach. The reallistic problem scenario is loosing internet connectivity much more than the gateway modem itself going down. If I monitor an external IP but do nothing if it does go down, this at least gives me some quality indicators, such as RTT and RTTsd as long as it does connect at all.

    It would be great if one could enter two alternative moitor IPs and if the system would try the second if the first one failed - but not query both simultaneously, because then the problematic behaviour would probably also occur simultaneously. That would help everyone to shield against the problem of the chosen IP going down for any reason (including my problem scenario). Would this be a reallistic feature request? Are there other recommendations?

    Regards,

    Michael Schefczyk



  • There may be a problem with your setup(?), as it would be quite a problem, if the known (trusted) DNS servers did not respond to the ping and would the provider's CPE restrict you from using ping ???
    (this is just an idea why you can stop pinging from a known DNS server, for example, make sure the gateway IP, DNS severs, WAN IP, etc. are in your HOME_NET list / IPS/IDS)

    We have been using Cloudflare DNS servers (1.1.1.1 / 1.0.0.1) for many - many years for monitor IP purposes, we have never experienced the problem you outlined.
    Many ISP gateways really do not respond to ping, so a known DNS server is a good solution.
    Test the best DNS server for you, starting with:

    https://www.grc.com/dns/benchmark.htm

    Or use this and try to PING the selected DNS server from a desktop machine for a long time and analyze the values obtained:

    https://emcosoftware.com/ping-monitor

    I don't think the multiple - gateway monitor IP is the solution, it would only bring more measurement tasks and results to the system, this is irrelevant here.
    PS:
    We have had the experience that sometimes on a self-made (from internet) blocklist, 1.1.1.1 is added to the list of banned IPs, the list is periodicaly updated on the firewall and 1.1.1.1 no longer works.

    What did your own ISP answer this question? (FRITZ!Box vs. PING issue)


Log in to reply