Netgate Discussion Forum

    No email alert/notification on gateway down

    General pfSense Questions
    • GPz1100

      Email is self hosted, so internet not required for email functionality.

      I have several gateways defined in addition to wan_dhcp - these additional ones are all wireguard gateways, set up for monitoring. Two of the 3 notify via email when the monitor ip is unreachable, but the third does not. It just registers in the system log.

      Apr 26 12:22:26 rc.gateway_alarm 89879 >>> Gateway alarm: somenameGW (Addr:10.7.1.2 Alarm:1 RTT:10.965ms RTTsd:.664ms Loss:25%)

      Config wise they're all set up the same under routing - of course gateway ip and monitor ip differ.

      Even interfaces are configured similarly with just the numbers and names differing. I tried deleting and re-adding this gw but no change.

      How to proceed?

      • johnpoz LAYER 8 Global Moderator @GPz1100

        @GPz1100 that isn't actually down.. it has some packet loss.. Do the other ones email you when they have packet loss, or when they are actually down?

        I monitor if my pfsense is down externally - since I only have 1 connection, wouldn't be possible to get an email from the system anyway if its internet was down.

        • GPz1100 @johnpoz

          @johnpoz It is actually down, packet loss at 100%.

          54401bb9-336b-4e5e-a6cc-0b412f7b590d-image.png

          Here's a snippet from the email of when WAN is down.

          15:49:23 MONITOR: WAN_DHCP has packet loss, omitting from routing group DNS_gateway_group
          wan.default.gateway .ip|wan.public.ip|WAN_DHCP|0.731ms|0.076ms|33%|down|highloss
          

          I do notice something odd when pinging 10.7.1.2 from the pf console.

          ping 10.7.1.2
          PING 10.7.1.2 (10.7.1.2): 56 data bytes
          ping: sendto: No route to host
          92 bytes from 127.0.0.1: Destination Host Unreachable
          Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
           4  5  00 0054 434e   0 0000  40  01 214b 10.7.1.1 10.7.1.2
          

          Wireguard interface ip on pf is 10.7.1.1. Remote peer is 10.7.1.2. Makes sense to ping that. How else to know if remote end is down?

          The above ping replies suggest some kind of circular pathway, so perhaps that's not causing the right exit code to trigger an email notification? Remote end only has outbound access so I can't ping its public ip addr.

          • stephenw10 Netgate Administrator

            It implies that there is local subnet the interface is in and that the system doesn't have a default route that would otherwise be used. Is that the case?

            • GPz1100 @stephenw10

              @stephenw10 You may be on to something. Is there a different way of setting up wireguard so that the gateway is NOT the interface ip addr?

              Or should the gateway be a peer?

              • stephenw10 Netgate Administrator

                I mean I expect it to be using the gateway IP unless you set it to something else. Using the local interface IP makes no sense to monitor.

                • GPz1100 @stephenw10

                  @stephenw10 I think my strategy is wrong.

                  There's 2 peers - pf and remote target. I want pfsense to notify me if it can't ping remote peer.

                  • stephenw10 Netgate Administrator

                    Yes. By default the gateway monitoring pings the gateway which here is the remote peer. For some reason your screenshot shows the monitoring set to the local peer IP not the gateway. Normally that would only be because it's been configured as that by the user.

                    • GPz1100 @stephenw10

                      @stephenw10 That begs the question then do I even need a gateway ip defined in this use case?

                      It seems even without the gateway defined for the wg interface, I'm still able to access the remote peer from local lan and other vlans (that have proper firewall permissions). In addition, I can access pfsense lan side resources from the remote peer with proper firewall rules.

                      • stephenw10 Netgate Administrator

                        You only need a gateway if you want to route traffic via it. If this is a remote-access type setup where the connecting peers are all client devices then no, you don't need a gateway defined in pfSense.

                        • GPz1100 @stephenw10

                          @stephenw10 Consider traffic from lan (say 192.168.1.0/24), to get to 10.7.1.0/24, that has to go through some gateway no? Same for traffic originating at 10.7.1.0/24. Or pfsense sets these routes up internally?

                          • stephenw10 Netgate Administrator

                            If it's a locally connected subnet then it will just be forwarded directly.

                            • GPz1100 @stephenw10

                              @stephenw10 Thank you for the clarification.

                              Question still stands then, is it possible to monitor that remote peer without using a custom script?

                              • stephenw10 Netgate Administrator

                                Yes, you can set it as a gateway. You don't have to route anything to it if there's no subnet behind that peer to route to.
