Incessant Pinging



  • Configuration:
    WAN enabled and/or not enabled.
    LAN Static IP: 192.168.1.2
    LAN Gateway IP: 192.168.1.1

    Soon as pfSense boots up it starts incessantly pinging the LAN gateway.

    2.0-RC3 (i386)
    built on Tue Aug 30 18:46:28 EDT 2011



  • This is by design, it's used for graphing the network latency on your WAN interface.



  • It's overkill.  Any way to turn it off or at least slow it down?


  • Rebel Alliance

    System: Gateways: Edit gateway

    "Disable Gateway Monitoring"

    or "Advanced" and change "Frequency Probe"



  • I see not this System : Gateways you mention.  There is a Stats : Gateways, but no means of editing it.

    Found it.  Under System - Routing



  • Glad somebody else thinks it is overkill, the options you seek can be found under the following menu structure :-

    System->Routing

    You will see your gateway there, select the 'e' next to the 'gateway' to be edited and one of the options in the resulting page is 'disable gateway monitoring', whether this works is a debatable point since the application that carries out the ping remains in memory and is loaded when the firewall restarts so if it is running then it will be pinging by default I think, if it isn't why even load it. When you set the gateway monitoring off you will see some status messages in the logs that apinger has exited but if you execute ps -ax | grep 'apinger' at a command prompt with the gateway monitoring disabled you can find apinger's process ID, it is still there!! If you keep executing the above command you will see the process ID constantly changing - like apinger doesn't like being told to go away and keeps getting restarted.

    I detest apinger, the first thing I do is disable and delete it because it doesn't pay attention to the setting changes anyhow (at least it didn't), my ISP threatened to do nasty things if I didn't stop the 1 second pings. I was told over a year ago that apinger was going to be dropped in favour of a different application but this hasn't happened, I was also told that the option to turn it off would become available, it still isn't from what I see. It wouldn't be near so bad if apinger responded to the settings for 'frequency probe', based on my tests it takes no notice whatsoever and continues its once a second ping. A 1 second ping in itself is an eternity for a network and switch / firewall management internally but for ISPs who may have 100,000+ users it becomes a major issue if they all start once a second pings …. apinger's behaviour is inappropriate for a domestic user with a single WAN connection and nothing will change my opinion on that score.

    Despite working from home I too have only one WAN connection so having something 'detecting' the gateway is pointless, if it fails it fails, there is no backup so there is no need for something to say my 'gateway' has failed.

    I don't need or care for the graphing, I believe that this should be a bolt on that can be added if needed, it should not be the norm, alas there are those here who have the time to look at pretty but rather unimportant graphs.

    If you have problems with users there are better tools to see or restrict what bandwidth is used by them.

    If you want to stop the constant pinging then killing Apinger is the only guaranteed way that I have found to date ...



  • @BenKenobe:

    You will see your gateway there, select the 'e' next to the 'gateway' to be edited and one of the options in the resulting page is 'disable gateway monitoring', whether this works is a debatable point since the application that carries out the ping remains in memory and is loaded when the firewall restarts so if it is running then it will be pinging by default I think, if it isn't why even load it.

    Disabling gateway monitoring seems to work for me.  ???

    Diagnostics > Packet Capture … select the correct interface; and enter in that interface's gateway IP; click Start. That'll quickly show you (after hitting Stop) whether you're still pinging the gateway or not (ICMP echo request/reply).



  • I have to laugh at an ISP's threats that I am pinging their router too much :) whatever the reason behind.

    Though users sometimes have no choice.
    IMO so far the option of disabling the monitoring or changing the frequency work as intended.



  • @ermal:

    IMO so far the option of disabling the monitoring or changing the frequency work as intended.

    Set the frequency to 10.  Wait awhile, then go have a look at the RRD Quality graph of that interface.

    Now, one might say that is not the "gateway monitoring".  But that would be splitting it pretty thin.



  • I just trust a packet capture saying that the ICMP probe is being sent faster than every 10 seconds.

    I am not stating that apinger is honoring it. Just that during my testing it worked as intended.



  • I have to laugh at an ISP's threats that I am pinging their router too much

    Because you clearly have never managed a large enterprise ….  you wouldn't be laughing in my enterprise ... and yes some users do need to take heed of ISP warnings, actually it is pretty selfish to treat an ISP router in such a way with zero regard for everyone else who also must use it, like it or not pings are not zero bandwidth and do impact on a network - would you like me to come to your place and do a ping flood DOS to prove the point.

    Regardless of what works for you it is a legitimate requirement to be able to stop or manage any and ALL network traffic however generated, based on what I have seen apinger does not honour settings or being disabled.

    I am currently doing a clean install, I will approach with an open mind, do some tests and see if the bad behaviour still exists.



  • I would not comment on this more than that user education is not always the answer.
    Since the user is uneducated about his equipment you cannot make him liable for your capacity issues.

    Though that is even a discussion of business model and budgeting, to me complaining to the user is the last resort and that is only justifiable by unusual behaviour.
    To me an ICMP packet is legitimate traffic and if you do not want your router to be visible you can provision for this by not allowing such traffic at all.
    If you feel this is not the right traffic, charge the user for this and clearly state this in your policy.

    But please, don't bullshit the user about what is allowed or not when he clearly is not knowledgeable on this and these policies are clearly an abuse over your service policy.

    Because you clearly have never managed a large enterprise ….  you wouldn't be laughing in my enterprise ..

    Believe me or not, I will laugh at this.
    An enterprise is not an ISP and the policies on an enterprise are 'easily' enforceable in contradiction to an ISP, by whatever the policy and enforcement method.

    That is my personal stance and do not expect that would converge with any other.


  • LAYER 8 Global Moderator

    Sure looks like the changes in ping time work to me..

    Set it to 10 seconds, and that sure looks like what it's doing to me.  As suggested do a simple capture.

    If my ISP complained about the pings, I would suggest they look at the excessive arping that is going on and then I will turn down my pings.  In the bit over a minute trace I did sure there are 36 packets of icmp, but there are 2933 arps..  Seems a bit excessive to me ;)
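
To put numbers on a capture like the ones described in this thread, the following added example (not part of the thread or of pfSense) parses text in `tcpdump -tt -n` format, counts ICMP echo requests to the gateway and ARP frames, and compares the median probe gap with the configured frequency. The sample capture is constructed, and `probe_report` and its parameters are hypothetical names.

```python
import re
from statistics import median

# Constructed sample in `tcpdump -tt -n` text format (not taken from the thread).
SAMPLE = """\
1314744400.000100 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 4321, seq 1, length 64
1314744400.000900 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 4321, seq 1, length 64
1314744403.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.7, length 46
1314744410.000200 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 4321, seq 2, length 64
1314744410.001000 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 4321, seq 2, length 64
1314744415.250000 ARP, Request who-has 192.168.1.9 tell 192.168.1.1, length 46
1314744420.000100 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 4321, seq 3, length 64
1314744430.000300 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 4321, seq 4, length 64
"""

ECHO_REQ = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): ICMP echo request,")
ARP = re.compile(r"^\d+\.\d+ ARP, ")


def probe_report(capture_text, gateway, configured_interval, tolerance=0.5):
    """Summarise gateway probes in a text capture.

    'honoured' is True when the median gap between echo requests to the
    gateway is at least the configured interval (minus a tolerance in
    seconds), False when probes arrive faster, and None when fewer than
    two probes were seen and no interval can be measured.
    """
    times, arp_frames = [], 0
    for line in capture_text.splitlines():
        m = ECHO_REQ.match(line)
        if m and m.group(3) == gateway:
            times.append(float(m.group(1)))
        elif ARP.match(line):
            arp_frames += 1
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    median_gap = median(gaps) if gaps else None
    honoured = None if median_gap is None else median_gap >= configured_interval - tolerance
    return {
        "echo_requests": len(times),
        "arp_frames": arp_frames,
        "median_gap": median_gap,
        "honoured": honoured,
    }


if __name__ == "__main__":
    print(probe_report(SAMPLE, gateway="192.168.1.1", configured_interval=10))
```

A result of zero echo requests with `honoured` set to `None` is what a capture looks like when gateway monitoring is actually off.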




  • I appreciate this thread.  While I understand the value of gathering statistics of "link quality", being able to disable this feature is more useful than any debate on its worth.  I disabled it and there is no sign of "apinger" running.

    "pftop" also confirms the pings have stopped.



  • Sorry for my ignorance, but where do I set the value for "Frequency Probes" in System -> Advanced settings? I am on 2.0 RC3 21st June.


  • Netgate Administrator

    I believe it's supposed to be in: System > Routing > Gateways > Edit gateway

    However it doesn't appear in the Jun 21st RC3 build for me.

    Steve



  • I will lock this thread now because it is going off-topic.

    You need the latest snapshot to have the options described in this thread.

