Monitor IP for multi-wan config in pfsense 2.0



  • Can I use the ISP DNS servers as the monitor IP for my gateway routes? I remember with the old pfSense version that when you used a specific IP, like that of www.yahoo.com, all traffic to that website would be seen as "monitor IP traffic" and the clients on the LAN side would have problems accessing that site.



  • Bump!



  • If the DNS server of your ISP answers ICMP packets (ping), then you could use it.
    I am using Google's DNS servers 8.8.8.8 and 8.8.4.4 as monitor IPs and have no problems with clients.

    But it would make more sense if you used the gateway provided by your ISP as the monitor IP. This is the first router your modem sends its data to, so if this is down then your connection is down.



  • Ok. So, for example, using the resolved IP of www.google.com as the monitor IP is not bad for the LAN clients?



  • As far as I understand, the problem only exists if you are using load balancing, known as Multi-WAN.

    So if WAN1 has monitor IP 8.8.8.8
    and
    WAN2 has monitor IP 8.8.4.4

    then all traffic from clients to 8.8.8.8 will go through WAN1 and will not be load balanced.

    But I am using Multi-WAN and I am using Google's DNS server 8.8.8.8 as monitor IP and my clients do not have any connection problems.
    So you can choose any IP you want as long as this IP responds to ICMP packets.



  • Ok. Well, I also use multi-WAN, two modems with the same ISP. One is behind a NAT (router) so it does not conflict with the other one that is directly connected to the pfSense box. WAN1 (the one directly connected) has monitor IP = gateway IP and WAN2 has monitor IP of the ISP primary DNS server. In this way, WAN1 will never receive packets from the ISP primary DNS server?



  • Bump!



  • http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing

    Selecting a Monitor IP address

    pfSense monitors each WAN connection by pinging the monitor address you specify. If the ping fails, the link is marked down and the appropriate failover configuration is used (actually, if the ping fails it retries a few times to be sure; this avoids false indications of the connection going down).

    Note that pfSense automatically sets up to route traffic to your monitor IP only down the link it is monitoring, so don't use a popular web site as this will force all its traffic down 1 link. Better to use a router or server in your ISP's network.

    Good addresses to use are the default gateway your modem has assigned (if it responds to ping!), your ISP's DNS server, webmail server, or a router within your ISP's network - you can find one of these by using traceroute to a public service, be careful though, larger ISPs will have networks that dynamically adapt so a router you see now may not be there an hour later!



  • Well, that is the manual for the older version of pfSense. That's exactly the one I was referring to. But does it apply to pfSense 2.0.1 as well?



  • I don't know if this is still present in 2.x, but it just says that if an IP is the monitor IP of WAN1, all clients which want to reach the same IP as the monitor IP will always use WAN1.
    For this destination IP there will NOT be any load balancing. That's all.

    Perhaps I just do not understand what you want to know ;-)



  • @Nachtfalke:

    I don't know if this is still present in 2.x, but it just says that if an IP is the monitor IP of WAN1, all clients which want to reach the same IP as the monitor IP will always use WAN1.
    For this destination IP there will NOT be any load balancing. That's all.

    That's not true as long as you're policy routing traffic from those hosts, which is what you're doing in the case of load balancing.



  • @cmb:

    @Nachtfalke:

    I don't know if this is still present in 2.x, but it just says that if an IP is the monitor IP of WAN1, all clients which want to reach the same IP as the monitor IP will always use WAN1.
    For this destination IP there will NOT be any load balancing. That's all.

    That's not true as long as you're policy routing traffic from those hosts, which is what you're doing in the case of load balancing.

    Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?



  • @kevindd992002:

    Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

    No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).
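
    An added example, not from this thread and not pfSense's own code: a small Python model of the three behaviours the posts above describe. It builds the per-monitor-IP /32 static route that pins firewall-originated probes (and, without policy routing, any other traffic to that address) to the link being monitored, the retry-before-marking-down check from the quoted documentation, and a policy-routing rule that sends LAN traffic to a gateway group regardless of that static route. The WAN names, gateway and monitor addresses, the default route via WAN1, the retry count and the round-robin balancing are all constructed assumptions for illustration.

```python
import ipaddress
import itertools

# Constructed topology (assumption): two WANs, each with its own gateway
# and monitor IP, as in the thread's 8.8.8.8 / 8.8.4.4 example.
WANS = {
    "WAN1": {"gateway": "203.0.113.1", "monitor": "8.8.8.8"},
    "WAN2": {"gateway": "198.51.100.1", "monitor": "8.8.4.4"},
}


def build_routes(wans):
    """Return a routing table {prefix: wan}. A /32 static route per monitor
    IP forces the probe for that link (and anything else sent to that IP
    that is not policy routed) out through the link being monitored.
    The default route via WAN1 is an assumption of this example."""
    routes = {"0.0.0.0/0": "WAN1"}
    for name, cfg in wans.items():
        routes[cfg["monitor"] + "/32"] = name
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the routing table, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_wan = None, None
    for prefix, wan in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_wan = net, wan
    return best_wan


class Monitor:
    """Gateway monitor: a link is marked down only after `retries`
    consecutive failed pings, avoiding a false 'down' from one lost packet.
    record() returns the link's current up/down status (True = up)."""

    def __init__(self, retries=3):
        self.retries = retries
        self.fails = {}
        self.status = {}

    def record(self, wan, ping_ok):
        if ping_ok:
            self.fails[wan] = 0
            self.status[wan] = True
        else:
            self.fails[wan] = self.fails.get(wan, 0) + 1
            if self.fails[wan] >= self.retries:
                self.status[wan] = False
        return self.status.get(wan, True)


class GatewayGroup:
    """Load-balancing gateway group: round-robin over members that are up."""

    def __init__(self, members):
        self.members = list(members)
        self._cycle = itertools.cycle(self.members)

    def pick(self, status):
        up = [m for m in self.members if status.get(m, True)]
        if not up:
            return None
        while True:
            m = next(self._cycle)
            if m in up:
                return m


def egress(routes, status, group, src_is_firewall, dst, policy_rule_matches):
    """Decide which WAN a packet leaves on. Traffic the firewall itself
    originates (the monitor pings) is never policy routed, so it follows
    the static route. LAN traffic matching a rule whose gateway is the
    group ignores the /32 route and is balanced across the members that
    are up; LAN traffic matching no such rule follows the routing table."""
    if not src_is_firewall and policy_rule_matches:
        return group.pick(status)
    return lookup(routes, dst)


if __name__ == "__main__":
    routes = build_routes(WANS)
    mon = Monitor(retries=3)
    group = GatewayGroup(["WAN1", "WAN2"])
    print("firewall ping to 8.8.4.4 ->", egress(routes, mon.status, group, True, "8.8.4.4", False))
    for _ in range(4):
        print("LAN client to 8.8.8.8 (policy routed) ->",
              egress(routes, mon.status, group, False, "8.8.8.8", True))
    print("LAN client to 8.8.8.8 (no policy rule) ->",
          egress(routes, mon.status, group, False, "8.8.8.8", False))
```

    Run as a script it prints the egress link for each case; the point to take from it is the asymmetry in `egress()`: the monitor ping always leaves via the /32 route for its own link, while a LAN host that hits a policy-routing rule with the gateway group is balanced even when its destination is one of the monitor IPs.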



  • @cmb:

    @kevindd992002:

    Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

    No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).

    Ok. And pinging a monitor IP is traffic initiated by the firewall? So whatever IP I use, it doesn't matter because the return traffic will still be load balanced?


Locked