Gateway Monitoring changes monitor IP on ISP failure

[CJ]

Gateway monitoring has been working well, but I discovered a problem with it's choice of monitoring IP.

When my connection is up, it monitors my ISP gateway and everything works correctly.

When my connection goes down, the gateway and monitoring IPs change to the IP of my cable modem, which causes the gateway to be marked as online as the cable modem responds to all pings.

When the connection comes back up, the gateway and monitoring IPs change back to the ISP gateway.

I currently have the ISP gateway manually entered into the monitor IP field but is there a way to list certain IPs or ranges as not valid for monitoring?  Or some other way to keep it from reverting to the cable modem?

Thanks.

[chemlud]

You should configure the monitoring IP under System -> Gateways -> Single (e.g. 1.1.1.1).

Is your WAN DHCP? Do you get a private IP on WAN when the connection to ISP fails? Under Interfaces -> WAN you can reject DHCP leases from the private IP of your modem.

[Shoresy]

Which IP are you using for each of your Gateway monitor IP's in System > Gateways > Single? You should be using different monitoring IP's for each gateway, something such as a public DNS server IP (8.8.8.8 for Google DNS).

[CJ]

Related to this, I just discovered that you can't set your monitoring IP to the gateway IP.  The form accepts it but going back to edit the gateway shows an empty monitoring IP field.

You should configure the monitoring IP under System -> Gateways -> Single (e.g. 1.1.1.1).

I didn't want to set a monitoring IP because my connection is via DHCP and I don't want to bind to a specific IP in case the gateway changes.

Is your WAN DHCP? Do you get a private IP on WAN when the connection to ISP fails? Under Interfaces -> WAN you can reject DHCP leases from the private IP of your modem.

Thanks.  I was pretty sure there was an option like that but I couldn't find it.  Now I just need to test that I can still get to the status page of the cable modem even if the lease is rejected.

Which IP are you using for each of your Gateway monitor IP's in System > Gateways > Single? You should be using different monitoring IP's for each gateway, something such as a public DNS server IP (8.8.8.8 for Google DNS).

I only have one gateway and that's what I was using to monitor.  Hence the problem with it changing to the cable modem IP and not recognizing that the gateway is down.

I don't want to use anything beyond the ISP gateway for monitoring because that introduces additional variables and my concern is primarily from me to my ISP.

[CJ]

It looks like there's an issue in the UI.  Based on the help text, man page and this thread, https://forum.opnsense.org/index.php?topic=25318.0 I should be able to put a CIDR notation into the rejection field.

However, whenever I attempt to use anything other than a single IP, I get the following error.

"A valid alias IP address must be specified to reject DHCP Leases from."

[CJ]

The good news is that OPNsense doesn't fail over to the modem anymore after adding it's IP to the exclude range.

The bad news is that when the connection goes done I lose access to my modems status and troubleshooting page.

Any suggestions for being able to access it while monitoring the proper ip?

[tong2x]

it is NOT advisable to use your ISP gateway as monitor, because there could be cases wherein you have "full" connection to your ISP but there backbone is down or there external access outside is down. in which case their gateway will respond to your pings.

you should set known "good" internet IP, usually public DNS IP address
8.8.8.8, 1.1.1.1 or 9.9.9.9 and their secondary IPS
these IPs will rarely go down, and will ensure that your ISP has "Internet" connection to ping them.

[CJ]

it is NOT advisable to use your ISP gateway as monitor, because there could be cases wherein you have "full" connection to your ISP but there backbone is down or there external access outside is down. in which case their gateway will respond to your pings.

you should set known "good" internet IP, usually public DNS IP address
8.8.8.8, 1.1.1.1 or 9.9.9.9 and their secondary IPS
these IPs will rarely go down, and will ensure that your ISP has "Internet" connection to ping them.

How many times has this happened to your ISP where their external links went down but your last mile connection was still up?  Because I can not recall a single instance of this happening to me.

As I already mentioned, I'm much more concerned about the status of my last mile connection which is why I don't want to use any ip that transits outside of my ISP.

[chemlud]

it is NOT advisable to use your ISP gateway as monitor, because there could be cases wherein you have "full" connection to your ISP but there backbone is down or there external access outside is down. in which case their gateway will respond to your pings.

you should set known "good" internet IP, usually public DNS IP address
8.8.8.8, 1.1.1.1 or 9.9.9.9 and their secondary IPS
these IPs will rarely go down, and will ensure that your ISP has "Internet" connection to ping them.

How many times has this happened to your ISP where their external links went down but your last mile connection was still up?  Because I can not recall a single instance of this happening to me.

As I already mentioned, I'm much more concerned about the status of my last mile connection which is why I don't want to use any ip that transits outside of my ISP.

That's not the meaning of gateway monitoring. Do you want to communicate with your ISP gateway or with the interwebs?

[CJ]

That's not the meaning of gateway monitoring. Do you want to communicate with your ISP gateway or with the interwebs?

Did you mean to reply to tong or me?

Having had my ISP replaced twice now due to damage causing intermittent connection issues, I'm very concerned about it.  Additionally, I can't talk to the interwebs if I can't talk to the ISP gateway.

[chemlud]

... I can't talk to the interwebs if I can't talk to the ISP gateway.

...that's why you monitor 1.1.1.1 or 9.9.9.9. End of story.

[CJ]

Thank you for that kind, insightful, and thoughtful reply that fully addresses all of the risks and concerns regarding my situation.  It will be helpful in making my decision.

[tong2x]

going back...

When my connection goes down, the gateway and monitoring IPs change to the IP of my cable modem, which causes the gateway to be marked as online as the cable modem responds to all pings.

maybe pictures of before and after
and the case where it change to a modem/local IP