Apinger - possible to monitor/graph extra targets?
-
I used to accept the default setting for Gateway monitor IP (blank) but found that with a lot of equipment this was not a reliable indicator of whether a gw was really down since often the next hop will stay up even if there is a loss of internet connectivity.
So I started using anycast IPs (8.8.8.8, 4.2.2.2 etc) as monitors, which works pretty well (still wish there was a way to monitor a group of 3-5 IPs to get a real confirmation that there is an outage).
Now we are having a packet loss issue with one of our ISPs. They are saying that it's not a problem on their end and that the likely cause is that 8.8.8.8 is suffering a DDoS attack etc and that is what is causing the lost packets. Fair enough, although I doubt what they are saying I want to humor them. They have asked that we instead switch back to monitoring the default gateway. The thing is I want to still collect the statistics for 8.8.8.8 while at the same time pinging the local GW.
TL;DR - Is there any way to add "extra" monitor IPs for a gateway so that apinger will generate graphs/stats for them?
-
You can add a bogus GW. Other than that, there's some feature request on Redmine.
-
Can you show a screenshot of how you would set up the bogus GW? When I tried to set one up e.g. 1.2.3.4, I get an error "The gateway address 1.2.3.4 does not lie within one of the chosen interface's subnets."
-
Set up the monitor IP wherever you want. The GW needs to be reasonable for your local box setup, but does not matter.
-
Problem is if the WAN is a /30 there is no way to assign an additional valid IP (both are already used and it will not allow duplicate GWs) so - ?
-
It can be a GW on LAN subnet. It really does NOT matter.
-
Ah ok good to know - thank you I figured if the interface was set to LAN that that would somehow break the monitoring but I guess not. Trying that out now tyvm
-
Hmm this did not work for me - have you actually done it? Maybe a screenshot would help. I've got a multi-wan setup here and when I add a dummy GW with a LAN IP (I just picked the last IP in our subnet, 172.16.103.254/22) and set the monitor IP to the upstream gateway of our WAN circuit, the result is just lots of RED packet loss in RRD and Diags > Ping says I can no longer ping the default GW (I rolled it back after a few minutes when people started complaining).
-
This obviously should NOT be set as default GW. Yeah, I have tried that, no problem. In fact, configuring GWs on LAN is required for certain purposes, like using services over IPsec tunnel.
-
Right yes of course I did not make this the default gw. I have done that too for doing DNS-over-IPSEC but those instructions also involve adding static routes and disabling the gateway monitoring for the dummy GW. So not really the same thing …
-
Worth mentioning that you don't need the LAN GW hack for DNS anymore. You can specify a source IP in the DNS forwarder settings.
-
Yes that is definitely true & good to know. This is how I am doing it now for the AD remote sites without their own DCs that are connected via IPSEC. Works great…
Back to the original question though - is there any way that anyone knows of to get apinger to generate graphs for extra hosts? The suggestion above by doktor (at least for me) didn't work. I even tried adding a VLAN and assigning a bogus IP to it (1.2.3.4) and then setting a monitor IP on that, but it results in 100% packet loss and the gateway just gets marked down right away. So not sure if or how doktornotor was able to make that work.
-
I just saw this feature request and also noticed in the comments that Jim wrote we're probably going to re-write apinger for 2.3. I realize that is a daunting task but I do hope somehow they manage to achieve it!
-
Back to the original question though - is there any way that anyone knows of to get apinger to generate graphs for extra hosts? The suggestion above by doktor (at least for me) didn't work. I even tried adding a VLAN and assigning a bogus IP to it (1.2.3.4) and then setting a monitor IP on that, but it results in 100% packet loss and the gateway just gets marked down right away. So not sure if or how doktornotor was able to make that work.
I just tried that. My LAN IP is 10.49.208.250, I made a gateway to 10.49.208.251 with a monitor IP like 8.8.8.8 (different from any monitor IP I already use). It does not work, because the code underneath adds a specific route for 8.8.8.8 to 10.49.208.251.
Of course, the routing layer tries to deliver the pings for 8.8.8.8 through to 10.49.208.251 - since that IP does not exist, the packet cannot be delivered and the ping fails.
Edit add: traceroute from pfSense command line to the monitor IP gives "sendto: No route to host" - I guess that means the next hop is not reachable.
I tried making the gateway IP be the pfSense LAN IP itself - I thought that might at least send the ping packet around in a spin 255 times. But traceroute now gives:
sendto: Host is down
I tried making a rule that sends traffic arriving on LAN with "destination = monitor IP" to WAN gateway, hoping the monitor packet from pfSense would arrive to LAN IP and then be policy routed by the rule out WAN. Still no joy.
I also wonder what is the trick to set up a dummy gateway with monitor IP solely for the purpose of collecting the RRD graph data?
-
Interesting topic.
I would expect the monitor ping to always be sent via the interface the gateway is on. Anything else would render an external monitor IP useless. 8.8.8.8 is probably reachable via any WAN interface for example.
However I don't expect to be able to reach 8.8.8.8 via a LAN interface, yet via Diagnostics > Ping I can. Has that changed? I'm sure it wasn't possible last time I checked. :-\
I guess the ping utility in Diagnostics uses the -S option which only changes the source address and not the interface/route. Apinger sets a route to ensure the monitor pings leave the correct interface as Phil says above.
So what's the secret to this hack then? Anyone actually got it working in 2.2?
Steve
-
I believe this could be done without any actual code modification by editing gwlb.inc. But I am not smart enough to do it properly. Specifically, if there were a way to store a text file somewhere with a few simple key/value pairs [monitor ip, interface to bind to] and then read through them during the return_gateways_array() function and append them to the $gateways_arr, it should work. Maybe someone who has hacked around this a bit more could offer a solution?
-
Or alternatively, I was thinking of posting a bounty for this… what do you all think would be a reasonable amount for adding something like this? I was thinking $500-1000 USD?
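
The multi-target confirmation asked for in the first post, combined with the "monitor IP, interface" key/value file proposed above, sketched outside apinger as an added example (not pfSense or apinger code, and not from any poster). It parses such a file, computes loss from ping summary lines, and separates loss seen on a single target from loss seen on the path; the interface labels, the 10% threshold and all sample data are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: "monitor IP, interface" pairs in the shape proposed in the thread.
TARGETS_FILE = """\
8.8.8.8, wan1
4.2.2.2, wan1
192.0.2.1, wan1
8.8.4.4, wan2
"""

# Constructed ping summary lines (FreeBSD ping format), one per target.
PING_SUMMARIES = {
    "8.8.8.8": "20 packets transmitted, 14 packets received, 30.0% packet loss",
    "4.2.2.2": "20 packets transmitted, 20 packets received, 0.0% packet loss",
    "192.0.2.1": "20 packets transmitted, 20 packets received, 0.0% packet loss",
    "8.8.4.4": "20 packets transmitted, 0 packets received, 100.0% packet loss",
}

# Matches both the FreeBSD ("N packets received") and Linux ("N received") summaries.
LOSS_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

def parse_targets(text):
    """Return [(ip, interface)] from 'ip, interface' lines; reject malformed IPs."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        ip, iface = (field.strip() for field in line.split(",", 1))
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        targets.append((ip, iface))
    return targets

def loss_percent(summary):
    """Compute loss from the transmitted/received counts; None if unparseable."""
    m = LOSS_RE.search(summary)
    if not m or int(m.group(1)) == 0:
        return None
    sent, got = int(m.group(1)), int(m.group(2))
    return 100.0 * (sent - got) / sent

def verdicts(targets, summaries, threshold=10.0):
    """Per interface: 'ok', 'target-only' (minority lossy) or 'path' (majority lossy)."""
    lossy = {}
    for ip, iface in targets:
        loss = loss_percent(summaries.get(ip, ""))
        # A missing or unparseable result counts as lossy for that target.
        lossy.setdefault(iface, []).append(loss is None or loss > threshold)
    return {i: "ok" if not any(f) else "path" if 2 * sum(f) > len(f) else "target-only"
            for i, f in lossy.items()}
```

With the constructed data, wan1 shows loss on only one of three targets, which points at that target rather than the circuit, while wan2 loses its only target and is reported as a path problem.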