Today I experienced a new situation with failover. The ISP (Verizon FiOS in this case) apparently shut down my customers’ WAN connection due to a payment issue. Instead of completely blocking all connections however, it appears they were still allowing outbound ICMP—and so mwan3 never triggered a failover, and all internet access was lost—even though there was a working LTE connection ready to go.
It seems that mwan3 can be configured to use wget instead of ping to test connectivity, however I couldn’t find any documentation for how this should be configured. I did my best to guess (see screenshot below). It appears to work, but I would like to know for sure, and have some confirmation that this is correct. Also, any best practices for interval, whether to use HTTP vs. HTTPS etc.?
Wget will attempt to retrieve a webpage and will fail if HTTP(S) connections are being blocked. It can be a more reliable method because it ensures the full HTTP(S) stack is functioning, not just the lower-level network connectivity as with ICMP pings.
HTTP, while not encrypted, is generally sufficient for connectivity checks. HTTPS, although more secure because of the TLS protocol, requires more CPU power for encryption and decryption of data.
Wget generates more traffic than a simple ping, and HTTPS slightly more than HTTP due to the initial handshake that establishes the secure connection. But of course, the configuration will depend on what server you want to use for testing.
Regarding the interval and other options, that will mainly depend on your specific needs. More frequent checks will allow you to detect a connection failure more quickly, reducing potential downtime, but it will also add to the load.
So I think 30-60 seconds is more reasonable for wget checks, correct? Hitting a webserver every second or even every 3 seconds seems like it could be seen as abuse and could result in the site banning us altogether.
Also, I am wondering about what you said here:
any HTTP response, even error codes, will be seen as a working connection
Since the ISP might not completely block the connection but rather might try to MITM the connection to display a payment page, etc, are you saying that even if the HTTPS handshake fails (broken certificate chain) the result will be interpreted by mwan3 as a “working connection” ? If that is the case, I am not sure this is any better than the simple ping test.
No, you are right. Sorry, I mixed up the services. In mwan3, if wget receives a failing error code like 404 or something like that, the link should be considered as down.
Regarding intervals. Yes, it is better to increase the interval when wget is used to not spam the webserver with GET requests. Though, depends on the server.
