Accessing DNS on WAN2
-
Hello everyone,
I'm building my network in order to use two Internet connections:

        WAN              WAN2
    192.168.0.1      192.168.1.1
             \        /
             Pfsense 1.2
             /        \
    192.168.2.0      192.168.3.0
        LAN              LAN2

My requirement is that LAN only uses WAN to connect to the Internet, while LAN2 only connects to the Internet through WAN2.
I've set up all the rules for both LAN and LAN2, and users from both LAN and LAN2 can access the Internet.
However, I have trouble with DNS on LAN2. I created a rule to allow every LAN2 outgoing packet through WAN2, but it doesn't work for DNS. Users can ping Internet hosts when using the IP address, yet it doesn't work with the hostname. It only works if I enable a rule from LAN2 to LAN2 for DNS.
This is strange. Does anyone know why it's behaving like that?
-
Are you using the pfSense as DNS forwarder?
All services running on the pfSense use the primary WAN. You can try to set the DNS server on the clients statically (or via DHCP) to 208.67.222.222 and 208.67.220.220.
These are the OpenDNS servers.
-
I am indeed using the DNS forwarder.
I specified my DNS in System > General Setup using both the WAN and WAN2 addresses. I thought that by doing this the DHCP server would try to use both addresses as DNS on LAN2, but apparently that's not the case. I specified the WAN2 address as DNS and it seems to work now. Seems a bit strange to me. Thanks for the tip anyway.
-
Then how should LAN1 users resolve names when WAN2 is down?
IMO the "correct" way to do this is:
Set on the pfSense as primary and secondary DNS entry: 208.67.222.222 and 208.67.220.220
That way all requests go to WAN1.
Then create a static route for 208.67.220.220 pointing to WAN2.
That way all requests go to WAN1, and when WAN1 is down all requests go to WAN2.
If you want users to resolve names over different WANs depending on which LAN they are in, you have to stop using the DNS forwarder and set the DNS entries on the clients directly (DHCP or static).
-
> Then how should LAN1 users resolve names when WAN2 is down?
If that happens, the Internet will go down anyway. Therefore I just have to change the firewall rules to route the packets through the last available gateway and then try to resolve the problem.

> IMO the "correct" way to do this is:
> Set on the pfSense as primary and secondary DNS entry: 208.67.222.222 and 208.67.220.220
> That way all requests go to WAN1.
> Then create a static route for 208.67.220.220 pointing to WAN2.
> That way all requests go to WAN1, and when WAN1 is down all requests go to WAN2.
That's pretty much like load balancing. I was interested in this method, but I'm not supposed to do something like that.

> If you want users to resolve names over different WANs depending on which LAN they are in, you have to stop using the DNS forwarder and set the DNS entries on the clients directly (DHCP or static).
The fact is, I've opened access from LAN to the WAN2 network (just for the local network, not to access the Internet), which is why I used both the WAN and WAN2 modems' addresses as global DNS. LAN users have the IP address of the pfSense as DNS, whereas LAN2 users have a static address: the address of the WAN2 modem.
This seems to do the trick.
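The static-route suggestion earlier in this thread (primary resolver out the default route on WAN1, a /32 static route sending the secondary resolver out WAN2) works because the firewall's own DNS forwarder is routed by the firewall's routing table, not by the per-LAN firewall rules. The following is an added example written for this page, not code from the thread or from pfSense: it models that routing decision with a longest-prefix-match table and the resolver's try-in-order failover, using the addresses from the thread. The gateway addresses 192.168.0.1 and 192.168.1.1 are assumed to be the WAN and WAN2 modems, and the link-state dictionary stands in for pfSense's gateway monitoring; both are constructed for the demo.

```python
"""Model of the firewall's routing decision for its DNS forwarder's upstream
queries, with and without the /32 static route suggested in the thread.
Added example; addresses follow the thread, gateways are assumed."""
import ipaddress

# Constructed route table: (prefix, next hop, egress interface).
# A next hop of None means the prefix is directly connected.
ROUTES_WITH_STATIC = [
    ("0.0.0.0/0",         "192.168.0.1", "WAN"),   # default route via WAN (assumed gateway)
    ("192.168.0.0/24",    None,          "WAN"),
    ("192.168.1.0/24",    None,          "WAN2"),
    ("192.168.2.0/24",    None,          "LAN"),
    ("192.168.3.0/24",    None,          "LAN2"),
    # The static route from the reply: secondary resolver forced out WAN2.
    ("208.67.220.220/32", "192.168.1.1", "WAN2"),  # assumed WAN2 gateway
]
# Same table without the static route, for comparison.
ROUTES_NO_STATIC = ROUTES_WITH_STATIC[:-1]

# Resolver order as it would be entered as primary/secondary DNS on the box.
NAMESERVERS = ["208.67.222.222", "208.67.220.220"]


def build_table(routes):
    """Parse the textual prefixes into ipaddress networks."""
    return [(ipaddress.ip_network(p), gw, ifname) for p, gw, ifname in routes]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does for an outgoing packet.
    Returns (next_hop, interface), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return None if best is None else (best[1], best[2])


def resolve_path(table, nameservers, link_up):
    """Resolver failover: try the nameservers in order and return the first one
    whose egress interface is up, together with that interface.
    None means the firewall has no working upstream DNS at all."""
    for ns in nameservers:
        hit = lookup(table, ns)
        if hit is None:
            continue
        _, ifname = hit
        if link_up.get(ifname, False):
            return ns, ifname
    return None


if __name__ == "__main__":
    both_up = {"WAN": True, "WAN2": True}
    wan_down = {"WAN": False, "WAN2": True}
    for label, routes in (("with static route", ROUTES_WITH_STATIC),
                          ("without static route", ROUTES_NO_STATIC)):
        table = build_table(routes)
        for state in (both_up, wan_down):
            print(f"{label:22} {state} -> {resolve_path(table, NAMESERVERS, state)}")
```

With the static route present, queries go to 208.67.222.222 over WAN while WAN is up and fall back to 208.67.220.220 over WAN2 when WAN is down; without it, both resolvers sit behind the default route and DNS on the firewall dies with WAN1. Note what this does not do: while WAN1 is up every forwarder query still leaves on WAN1, so it does not give LAN2 its own DNS path, which is why the reply says to hand LAN2 clients their own DNS server via DHCP instead. On the FreeBSD shell underneath pfSense the equivalent of the static route is `route add -host 208.67.220.220 192.168.1.1`, but since pfSense rewrites the routing table itself, the route should be entered as a static route in the web GUI.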