Need better outage detection than just ping
-
One of my ISPs went down but ping worked fine.
Like IT saying "it's always DNS", for the ISP I guess they should say "it's always BGP". Sure was in the last outage.
-
@grandrivers so why not ping outside your ISP's network... like Google or Facebook, although that's unadvisable, but it will fulfill your needs.
A more advanced scenario would be to spin up a cloud instance, install Uptime Kuma or Zabbix, and monitor your network.
Why is this post under this category?
-
@michmoor ping was outside of their network and still worked, I just couldn't surf the web or use the internet. Will Uptime Kuma or Zabbix mark the WAN down and fail traffic over?
-
@grandrivers you didn't really describe the issue you experienced. You mentioned DNS, then BGP. Then you ping something outside of your ISP's network but then state pfSense needs better monitoring. I honestly don't know what the issue is here.
-
@michmoor ping is not a dependable method alone to drive a failover mechanism, as it can succeed and you still don't have a functioning connection. I was trying to find a feature request from years ago to tag it and bump it.
-
@grandrivers feature request for what? What do you feel is a better method to check connectivity?
-
@michmoor I had an xincom502 that had multiple methods, multiple ways to tell if the connection was down: they had traffic flow, HTTP, and multiple pings. Pings were problematic for me a couple of years after I switched from it to pfSense, because the ISP blocked ALL ICMP traffic "For our safety" and it was that way for years, so I had to manually bring that gateway down when it quit working.
-
-
Other firewalls have more options:
https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover-
-
@grandrivers said in Need better outage detection than just ping:
https://support.untangle.com/hc/en-us/articles/201787967-What-tests-should-I-use-for-WAN-Failover-
Ping Test: NG Firewall will ping the specified IP address.
ARP Test: NG Firewall will ARP for its gateway.
DNS Test: NG Firewall will make a request to the upstream DNS server.
HTTP Test: NG Firewall will make a connection to the specified domain name.
Yeah, why not !
What about a small shell script that does just that ?
Host a small file somewhere, or just get the www.google.com page.
Do a dig / drill for "www.google.com" to get the IP, dig will bypass your local DNS, forcing a complete DNS lookup.
Then 'curl' the page.
Compare it with what you've already stored.
If there is a fail, you know the DNS or the complete TCP path to Google has gone wrong, which might indicate a problem on your side, or your ISP.
Or even the POP to Google of your ISP.
(or a huge problem for Google itself)
But seriously: an ICMP goes down the pipe and comes back, but TCP and/or UDP fails?
I imagine that can happen. I never saw that myself, though.
-
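The layered check described in the post above (ping, a direct DNS lookup, then fetching a page and comparing it with a stored copy), written out as an added example that is not part of the original thread. The addresses, resolver, URL and stored-copy path are arguments the caller supplies (assumptions, not values from the thread); the script only reports a verdict and does not change any gateway.

```sh
#!/bin/sh
# Added example: ping, DNS and HTTP probes per WAN, combined into one verdict.
# Assumed arguments: SRC is the WAN's own address, so each probe leaves by that link.

probe_icmp() { ping -c 1 -t 3 -S "$1" "$2" >/dev/null 2>&1; }  # FreeBSD flags; Linux: -w 3 -I

# Ask the given resolver directly. dig +short prints ";; ..." errors on stdout,
# so only a line that looks like an IPv4 address counts as an answer.
probe_dns() {
  dig +short +time=3 +tries=1 -b "$1" @"$2" "$3" A 2>/dev/null |
    grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Fetch a small file you host and compare it with the stored copy; an ISP
# error page or captive portal can answer successfully with different content.
probe_http() { curl -fsS --max-time 5 --interface "$1" "$2" 2>/dev/null | cmp -s - "$3"; }

# classify ICMP DNS HTTP   (exit codes: 0 = probe succeeded)
classify() {
  if [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then echo up        # works even if ICMP is filtered
  elif [ "$1" -eq 0 ]; then echo degraded                   # ping answers, DNS/HTTP do not
  else echo down; fi
}

# Consecutive non-"up" results, so a single lost probe does not flap the link.
next_streak() { if [ "$2" = up ]; then echo 0; else echo $(( $1 + 1 )); fi; }
should_failover() { [ "$1" -ge "${THRESHOLD:-3}" ]; }

# check_wan SRC MONITOR_IP RESOLVER NAME URL STORED_COPY  -> prints the verdict
check_wan() {
  i=0; probe_icmp "$1" "$2" || i=$?
  d=0; probe_dns "$1" "$3" "$4" || d=$?
  h=0; probe_http "$1" "$5" "$6" || h=$?
  classify "$i" "$d" "$h"
}

# Offline replay of constructed probe results ("icmp dns http" per run).
replay() {
  streak=0
  for r in "0 0 0" "0 1 1" "0 1 1" "0 1 1" "1 0 0"; do
    set -- $r
    state=$(classify "$1" "$2" "$3"); streak=$(next_streak "$streak" "$state")
    if should_failover "$streak"; then act=FAILOVER; else act=hold; fi
    echo "icmp=$1 dns=$2 http=$3 -> $state streak=$streak $act"
  done
}
replay
```

The replay covers both situations raised in the thread: ping answering while DNS and HTTP fail (degraded, failover after three runs) and ICMP blocked while DNS and HTTP work (up).
-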
@gertjan said in Need better outage detection than just ping:
But serious : a ICMP goes down the pipe and comes back, but TCP and/or UDP fails ?
I imagine that can happen. I never saw that myself, though.
That's what has me so confused about this topic. The OP complains that pings fail to an ISP but web pages load up. So there isn't a problem then?
Then there was mention of BGP being a problem? Then DNS? Really confused.
So the conclusion I'm reaching then is that ICMP isn't on its own a good indicator that there is an upstream issue. Fair enough, but then you want to test to see if you can reach a site, i.e. google.com. If the site doesn't load you want to trigger a failover? That's nonsensical.
I'm all up for multiple checks. But again, Uptime Kuma for example can do HTTP/HTTPS checks or DNS checks, but that's independent of the firewall. It's just not clear what's being asked and what the implementation purpose is going to be/used for.
-
@michmoor first post: pings worked fine!! But the ISP was down, couldn't surf the web.
Last line was a bad attempt at humor, I keep forgetting that's not allowed here lol
-
My solution was to set up a cron job on my hobby domain maintained at a web hosting company. The script pings my home IP address every 5 mins. I only allow pings from that specific web host company by the way. If the ping fails then it sends a text and an email to myself saying the internet is down. The cron job keeps pinging every 5 mins and when the ping is successful again I get another message saying the internet at home has been restored.
-
@slimypizza this is on a dual WAN setup for failover, I would like to keep it automated.
And if pings worked I would have never got the alert in your setup.
-
Open a feature request: https://redmine.pfsense.org/