"Hack" for Multiple IPs for Gateway Monitoring
-
I've seen the feature "multiple IPs for gateway monitoring / monitor groups" has been requested every now and then but until version 2.2.2 it appears to not have been implemented.
Using one IP per gateway is highly problematic because even Google's 8.8.8.8 isn't 100% reliable. Hence, I fixed myself a quick and dirty solution, but would like to get some feedback / suggestions.
Essentially, I have 2 gateways, one on interface "re0" and one on "pppoe1". I then create virtual IPs on the loopback interface lo0 which I set to be monitor IPs for gateway monitoring. Now obviously, you will always be able to ping these IPs. I then run a custom script which pings a few hosts and will take the monitor IPs down or back up, depending on whether or not the pings went through, causing the gateway monitoring to consider the corresponding gateway down (because it can't reach its monitor IP). I know this isn't really super sophisticated… but it works for me. Additionally, all traffic to the IPs you want to use as monitors will not be forced through the gateway you specified them for, which can cause some trouble (e.g. I had 8.8.8.8 as DNS and also put it as a monitor IP on one of the gateways - worked fine until that gateway went down, then no more DNS resolving).
Unfortunately, the only time it doesn't work is for the OpenVPN (Client, TAP) connection I have - no idea why. Checked firewall rules ... everything - no clue what's happening, so I've left that alone.
Anyway, for my little setup the whole thing looks like this:
a) Using the GUI, create virtual IPs on your lo0 interface, one for each gateway you want to monitor, like so:
127.255.0.1/32
127.255.0.2/32
b) Create script with content from http://pastie.org/private/3iuey52fi7tyrsdywhb5wq, save as /root/monitor.sh (or anywhere else for that matter) and make it executable.
c) Create a cron job that runs the monitor script periodically; I run it every 3 minutes:
*/3 * * * * root /root/monitor.sh re0 1; /root/monitor.sh pppoe1 2
The parameters of said script are:
$1 = name of interface (as listed with ifconfig) the gateway is on which you want to check
$2 = last block of digits for the monitor IP; for example: 2 meaning 127.255.0.2
The script will then take the interface IP (using grep + cut, etc.) and put it as source IP for the pings that will be sent.
There are a number of settings which can be adjusted, like the list of hosts, number of hosts that can fail the ping test before the monitor is taken down, etc.
In my scenario, I have a list of 5 hosts. A maximum of 3 can fail before the monitor is taken down. What I really would like to do is to somehow have my script "mark the gateway as down" (like you do in the GUI), instead of taking down a monitor IP, then disable gateway monitoring altogether.
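A complete monitor script along the lines of the one described in steps a) to c), written here as an added example; it is not the pastie script from the post. It assumes FreeBSD's ping (-S source address, -W timeout in ms) and ifconfig syntax, the 127.255.0.N aliases on lo0 from step a), and the `<interface> <last octet>` parameters from step c); the host list and failure threshold are constructed defaults.

```shell
#!/bin/sh
# Constructed stand-in for monitor.sh: ping a host list from the gateway
# interface's address and add/remove the matching 127.255.0.N alias on lo0 so
# the gateway monitor sees that gateway as up/down. Usage: monitor.sh <iface> <N>
HOSTS="${HOSTS:-8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222 4.2.2.2}"  # probe targets
MAX_FAIL="${MAX_FAIL:-3}"    # more than this many failures takes the monitor down
MONITOR_NET="127.255.0"      # prefix of the lo0 virtual IPs created in step a)
PING="${PING:-ping}"         # overridable so the logic can be exercised offline
IFCONFIG="${IFCONFIG:-ifconfig}"

# IPv4 address of the gateway interface (empty if the interface has none).
iface_addr() {
    $IFCONFIG "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Number of hosts in HOSTS that did not answer one ping sent from address $1.
count_failures() {
    fails=0
    for h in $HOSTS; do
        $PING -c 1 -W 2000 -S "$1" "$h" >/dev/null 2>&1 || fails=$((fails + 1))
    done
    echo "$fails"
}

# Decision rule: succeeds (exit 0) when the failure count exceeds MAX_FAIL.
should_take_down() {
    [ "$1" -gt "$MAX_FAIL" ]
}

# Add ("up") or remove ("down") the alias 127.255.0.$1, only if a change is needed.
set_monitor() {
    ip="$MONITOR_NET.$1"
    present=$($IFCONFIG lo0 | awk -v ip="$ip" '$1 == "inet" && $2 == ip { print "y" }')
    if [ "$2" = up ] && [ -z "$present" ]; then
        $IFCONFIG lo0 inet "$ip" netmask 255.255.255.255 alias
    elif [ "$2" = down ] && [ -n "$present" ]; then
        $IFCONFIG lo0 inet "$ip" -alias
    fi
}

# An interface with no address (e.g. pppoe1 while the link is down) counts as down.
main() {
    src=$(iface_addr "$1")
    if [ -z "$src" ] || should_take_down "$(count_failures "$src")"; then
        logger -t monitor.sh "$1 (src ${src:-none}): taking monitor $MONITOR_NET.$2 down"
        set_monitor "$2" down
    else
        set_monitor "$2" up
    fi
}
# Run only when invoked with both arguments (cron); otherwise just define functions.
if [ $# -eq 2 ]; then main "$@"; fi
```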
-
I would like to see a "proper" solution. Single IP monitoring is causing us no end of issues. Gateways being marked as down, but really the monitor IP has disappeared, or ICMP is blocked but real world traffic tcp/udp is flowing perfectly.
My concept would include many IPs and have some weighted rules. Something like www.policyd-weight.org comes to mind.
This would allow a list of say 20 IPs to monitor and allow for x number to be down and some marked as higher "number value" than others, then only mark the gateway as down if the sum of these values is below y. Could even use the same IPs for many gateways and if one IP is down on one gateway the IP can be checked against another gateway. I have no development skills, but would be willing to test and give feedback.
–Paul