Why different IPs required to monitor multi-WAN in pfSense?

2

I was wishing to set all monitoring IPs to Google, 8.8.8.8, but on the second WAN it said that this IP is already used for monitoring.

Why does this limitation exist?

This causes suspicion that monitoring is designed incorrectly, not sticking to monitored interface.

UPDATE

Suppose I set address 8.8.8.8 as monitor address for WAN1. Then suppose WAN1 is down. Does this mean I can't browse internet, since 8.8.8.8 is DNS server and it is assigned to down gateway?

Dims

Posted 2014-10-09T18:50:31.070

Reputation: 8 464

For monitoring, it sets up routes such that outbound connections to that IP are sent through a particular interface. It wants a different IP so those routes can remain unique. – ssnobody – 2014-10-09T23:36:04.923

Isn't it unique due to different interfaces? – Dims – 2014-10-10T08:56:24.913

It isn't a unique IP. Think about what the routing table would look like. It would have two entries for the same IP, both having the same destination and differing only in their interface. How would it assign metrics to these? How would it ensure the monitoring for eth0 to 8.8.8.8 actually goes out eth0? How would it ensure the same for eth1? The routing table will say, when you receive a packet destined for 8.8.8.8, send it somewhere via some interface, and that interface won't be BOTH interfaces. Use 4.2.2.2 or 8.8.4.4 – ssnobody – 2014-10-14T00:52:35.350

I don't understand, sorry. If I set 8.8.8.8 to monitor one of the gateways, will I be able to reach 8.8.8.8 at all when it is down? This is a nameserver; it should work even if one of the interfaces is down – Dims – 2017-01-07T09:43:46.887

Answers

3

There are underlying dependencies in the monitoring daemon (not "not sticking to monitored interface", it does). It's safer that way in general regardless of software, you don't want one IP (even something anycasted) disappearing to disable > 1 WAN. It's more that it's a bad idea than technical limitations today, though 7-8 years ago when that restriction was first put in place, there were more technical limitations that made it required.

Chris Buechler

Posted 2014-10-09T18:50:31.070

Reputation: 169

@AnonymousDownvoter: Congratulations. You just downvoted a perfectly fine answer to the question given by the pfSense project leader himself. There should be a badge for this. – F.D.Castel – 2015-01-28T07:28:59.237

Thanks F.D.Castel. :) My only thought when I came back later and saw this was downvoted was "WTF?" – Chris Buechler – 2015-01-29T21:48:16.273

It's just my observation, but perhaps it was because your first sentence is quite difficult to understand and the answer in general could be worded more clearly. – Simon East – 2017-01-07T00:13:16.963

I don't understand, sorry. If I set 8.8.8.8 to monitor one of the gateways, will I be able to reach 8.8.8.8 at all when it is down? This is a nameserver; it should work even if one of the interfaces is down. – Dims – 2017-01-07T09:43:16.130
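
The routing-table argument from the comments on the question, as an added example that is not part of the original thread and is not pfSense code: a simplified model in which each monitor IP is pinned to its gateway with a /32 host route. The `RouteTable` class, the `wan1`/`wan2` names and the sample destinations are assumptions made for illustration.

```python
import ipaddress


class RouteTable:
    """Simplified model: one egress interface per prefix, longest prefix wins."""

    def __init__(self):
        self.routes = {}  # ip_network -> interface name

    def add(self, prefix, iface):
        net = ipaddress.ip_network(prefix)
        # A destination can point at only one interface in this model.
        if net in self.routes and self.routes[net] != iface:
            raise ValueError(f"{net} already routed via {self.routes[net]}")
        self.routes[net] = iface

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def pin_monitors(table, monitors):
    """Add a /32 host route per monitor IP; return gateways that could not be pinned."""
    rejected = []
    for iface, ip in monitors:
        try:
            table.add(f"{ip}/32", iface)
        except ValueError:
            rejected.append(iface)
    return rejected


def build(monitors):
    table = RouteTable()
    table.add("0.0.0.0/0", "wan1")  # constructed default route
    return table, pin_monitors(table, monitors)


# Constructed samples: both WANs monitoring 8.8.8.8, then distinct monitor IPs.
same_table, same_rejected = build([("wan1", "8.8.8.8"), ("wan2", "8.8.8.8")])
diff_table, diff_rejected = build([("wan1", "8.8.8.8"), ("wan2", "8.8.4.4")])

if __name__ == "__main__":
    print("same monitor IP, not pinned for:", same_rejected)
    print("8.8.8.8 leaves via:", same_table.lookup("8.8.8.8"))
    print("8.8.4.4 leaves via:", diff_table.lookup("8.8.4.4"))
    print("192.0.2.10 leaves via:", diff_table.lookup("192.0.2.10"))
```

In this model every packet to a pinned monitor IP, not only the probe, follows the host route, which is why a second gateway cannot claim the same address.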