Multiple WAN DNS issue when primary fails
-
redmine.pfsense.org and report it there….
-
I don't know if this can help to "KyferEz" with his problem, but i have configured my pfSense this way, and don't have noticed DNS issues
-
@ptt Would you mind taking a screen shot of two additional pages to help confirm what I'm seeing? Diagnostics -> Routes (IPv4 table) and Status -> Interfaces. I'm curious how your four DNS servers get assigned.
-
Here the Routes SS ( DNS marked in red )
In Status -> Interfaces, all DNS servers are listed in WAN1, WAN2 doesn't show any DNS ( the "ISP DNS servers" dont even appear in WAN2 )
-
Hello,
I see the @ptt routing table, I think the dns are correct, just in my routing table.
I noticed in my pfsense machine, that the default route in Diagnostics -> Routes (IPv4 table) remains the same whatever WAN is online(I unplugged every WAN to test), maybe a problem in Gateway Groups, look in my gateway groups, I think is correct.
Also for my 2 gateways I don't check "default route" for these.
Regards
-
I didn't read this entire thread word for word but, I have seen similar issues. It seems (am I correct??) that pfSense assigns static routes to specific DNS servers if a specific gateway is selected on the General setup page. I assume this is so 'apinger' can detect if a GW is really down when pings to that monitor IP start failing instead of sending them over the other connection?? not sure. but add me to the "me too" list of people who would like to know the "correct" way to assign these values.
-
I didn't read this entire thread word for word but, I have seen similar issues. It seems (am I correct??) that pfSense assigns static routes to specific DNS servers if a specific gateway is selected on the General setup page. I assume this is so 'apinger' can detect if a GW is really down when pings to that monitor IP start failing instead of sending them over the other connection?? not sure. but add me to the "me too" list of people who would like to know the "correct" way to assign these values.
You must have at least one DNS server pointing to each WAN if you're using the DNS forwarder as your clients' DNS server. The WAN you pick sets a static route so the firewall goes out that WAN to reach that DNS server. You cannot use a single DNS server IP on more than one WAN (though I'm not sure offhand if there's input validation to prevent that, it won't work). There are exceptions to that if you get into policy routing traffic initiated by the firewall but that's more complex than what most people will get into.
If you're not using the DNS forwarder, your internal DNS servers must be going out of a failover or load balancing gateway group so you still have DNS when one fails.
Also like @KyferEz noted, although the routing shows each DNS IP associated with the appropriate gateway (Diag->Routes), the interface status (Status->Interfaces) shows all DNS IPs with the first WAN connection, which I believe might be a bug.
That's just how it's displayed, all the system's DNS servers show there.
-
@cmb
Thanks so much for that clarification. It makes sense now. -
FINALLY FOUND THE SOLUTION TO MY PROBLEM TODAY!!!
In every guide and instruction sheet I have read for configuring multiwan, not once was there instructions that included this necessary and very important step in a way that a beginner could easily understand: Edit the default LAN rule in Firewall->Rules by clicking edit on the rule that has a row that contains "LAN net". Then change Gateway setting drop-down to whatever you named the gateway you created with the Wan1 fallover to Wan2.
Here is a link to a simple and basic working guide for multiwan setup on pfSense 2.0. The top of the guide is for 1.2, but scroll about half-way down to see the 2.0 guide: http://skear.hubpages.com/hub/Dual-Wan-Router-How-To-Build-One-On-a-Budget. Combine that info with the other guides out there for setting up traffic shaping and it works great!
Thanks!
-
The instructions for 2.0 here:
http://doc.pfsense.org/index.php/Multi-WAN_2.0Mention using the rules twice – once in the summary of required steps, and again later under "Firewall Rules"
It even mentions editing your existing rule and changing the gateway.
Not sure what doc you were reading that skipped it.
-
You misread my statement. I said it's not there in a way a beginner with pfSense can understand what to do. I did not understand what exactly was meant by those instructions (and had thus gotten it wrong) until I read the guide I linked to where the writer detailed Exactly How to create the Firewall Rules…
That step is just confusing in the 2.0 docs. (edit: likely because I'm not engrossed in large corporate network configuration daily ;) I tend to work with smaller companies with 3-10 employees, but this one had outgrown a single dsl line)
