Netgate Discussion Forum
    Having issues with DNS server settings with 2 ISPs (Failover issues)

    Category: Problems Installing or Upgrading pfSense Software
    tomsawyer2k5:

      So my pfSense device is configured with two ISPs. One ISP is on WAN and the other on OPT1. Of course there is one LAN port as well. First I configured the router with one static IP address because I hadn't yet acquired the static IP of the 2nd ISP. This is the one on WAN. Then I configured OPT1 with its own static IP, and the gateway status shows both as green. I've also configured them for Failover.

      BUT, when I decided to do a test and disconnected the ISP connected to WAN, I lost internet connectivity. This happens even though gateway status says one is down and the other is up. What I found interesting was that when I configured DNS with two DNS IPs set towards WAN and two different DNS IPs set towards OPT1, somewhere in Status all 4 DNS IPs are listed under WAN, and none under OPT1. I don't get why this happened, or is it another configuration issue? I really need this Failover to work.

      Update - screenshots:

      http://img259.imageshack.us/img259/6097/pfsensedns1.jpg
      http://img220.imageshack.us/img220/2262/pfsensedns2.jpg

      stephenw10 (Netgate Administrator):

        The problem here is that the default gateway in the pfSense routing table does not change when the WAN connection goes down.
        You can change this behaviour in System: Advanced: Miscellaneous: 'allow default gateway switching'.

        However, that's not how failover is supposed to work, because in that situation the gateway would not switch back when WAN came back up. Not good.

        To get failover working you need to create a failover group in System: Routing: Groups:
        Set WAN as tier1 and OPT1 as tier2 if you want to failover from WAN to OPT1.

        Now you need to create or edit your firewall rules on LAN in order to point outgoing traffic to the failover group instead of the pfSense default gateway. Change the gateway in the advanced section on the firewall rule.

        That should work.

        Also see: http://doc.pfsense.org/index.php/Multi-WAN_2.0#Failover

        Steve

        tomsawyer2k5:

          I already configured the Failover as indicated in that link. I thought it was due to the DNS issue that I wasn't getting internet even though I disconnected my primary ISP.

          The reason I need two sets of DNS servers is because one's Comcast cable and the other is T1 internet: two completely different services, and hence they each have their own DNS servers.

          I just don't understand why OPT1 doesn't come with its own "ISP DNS servers" like WAN does, even though I directed the last two DNS IPs to OPT1.

          stephenw10 (Netgate Administrator):

            Ah, OK, sorry, I should read more carefully.
            Yes, you definitely need DNS servers from both connections. That's a bit odd, but my Status: Interfaces: page shows the same thing. Are you sure the OPT1 DNS servers are working?
            Try pinging them in Diagnostics: Ping: you can choose which interface to ping from. They may not respond to ping, of course.

            Steve

            tomsawyer2k5:

              I didn't ping them, but the T1 line has been there forever (since 2005). Otherwise, I directly connected the T1 line to a computer and tested it, and it works fine with the same DNS servers. So I dunno why Failover isn't working. Gateway status shows it as online (green), but I feel like the DNS servers are not being sent to the computers.

              Here's a thought: is there any way I can configure the pfSense device so that the WAN port has its own set of internal DNS servers, and I can somehow forward the other DNS servers via something like port forwarding? Then again, the port forwarding on pfSense has issues. I dunno what to do. Suggestions?

              tomsawyer2k5:

                You know, I never considered this, but could it be that the Failover isn't working because I'm unplugging the ethernet from the pfSense device rather than disconnecting the coaxial cable from the modem? Or perhaps I need to call Comcast to temporarily stop the internet connection to see if it works?

                Also, what if I use OpenDNS's DNS servers as the default? Is that really a secure solution?

                ptt (Rebel Alliance):

                  Nothing wrong with "unplugging" the Eth cable to "simulate" a "WAN fail".

                  Can you please post a screenshot of your FW LAN rules?

                  Are you using the pfSense LAN IP address as the DNS server of your "Test PC"? Is the DNS Forwarder enabled?

                  I've been using pfSense with 2 WANs in "Failover" for a long time without any problem.

                  tomsawyer2k5:

                    OK, so I was able to get it working when I chose the "Member Down" option and then unplugged the ethernet wire. I just assumed that when I chose the "Packet loss & High Latency" option it would still work with the ethernet unplugged, because technically an unplugged ethernet wire is 100% packet loss. Ah well, it's working now, so that's solved.

                    BUT, the only thing that does not work with failover is, dun dun dun, the Server! It works fine with the Tier 1 internet, but fails with the Tier 2 internet. I dunno why. I went to Firewall: Rules and changed the default gateway to the Failover one. So, any other ideas?

                    Update: Ha, solved that. All I had to do was add another NAT rule (DUHHH!) since it's on the OPT1 interface. Wow, happy day today. Just hope everything stays working, fingers crossed…for a few seconds 'cause I need to eat ;D :D

                    So this can be marked as solved, yay!

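The thread ends up touching four separate configuration points that each break failover on their own: a gateway group with the two gateways on distinct tiers, LAN pass rules that send traffic to that group rather than the default gateway, at least one DNS server bound to each WAN gateway, and a matching NAT port forward on the second WAN for any exposed server. As an added example that is not from the thread or from pfSense, the Python below lints a constructed, simplified representation of such a setup for exactly those pitfalls. The `Config` data model, the gateway and group names, and the RFC 5737 documentation addresses are all hypothetical stand-ins; they are not pfSense's `config.xml` schema.

```python
from dataclasses import dataclass


@dataclass
class Config:
    """Hypothetical flattened view of the multi-WAN parts of a firewall config."""
    wan_gateways: dict      # interface -> gateway name, e.g. {"WAN": "WAN_GW"}
    gateway_groups: dict    # group name -> {gateway name: tier number}
    lan_rules: list         # dicts: {"descr": ..., "gateway": "default" | gateway/group name}
    dns_servers: list       # tuples: (ip, gateway name the server is reached through, or None)
    port_forwards: list     # dicts: {"iface": ..., "proto": ..., "port": ..., "target": ...}


def lint_failover(cfg):
    """Return human-readable findings; an empty list means none of the four pitfalls is present."""
    findings = []
    groups = cfg.gateway_groups

    # 1. Failover (as opposed to load balancing) needs two or more members on different tiers.
    failover_groups = [
        name for name, members in groups.items()
        if len(members) >= 2 and len(set(members.values())) == len(members)
    ]
    if not failover_groups:
        findings.append("no gateway group with members on distinct tiers (tier1/tier2)")

    # 2. LAN pass rules must steer outbound traffic to a gateway group, not the default gateway,
    #    because the routing table's default gateway does not follow the WAN going down.
    for rule in cfg.lan_rules:
        gw = rule.get("gateway", "default")
        if gw not in groups:
            findings.append(f"LAN rule '{rule['descr']}' uses gateway '{gw}' instead of a failover group")

    # 3. Each WAN gateway needs at least one DNS server that is reached through it, otherwise
    #    name resolution dies with the primary link even though the secondary gateway is up.
    for iface, gw_name in cfg.wan_gateways.items():
        bound = [ip for ip, gw in cfg.dns_servers if gw == gw_name]
        if not bound:
            findings.append(f"no DNS server assigned to gateway {gw_name} ({iface})")

    # 4. A service forwarded on one WAN must be forwarded on every other WAN as well.
    services = {}
    for pf in cfg.port_forwards:
        key = (pf["proto"], pf["port"], pf["target"])
        services.setdefault(key, set()).add(pf["iface"])
    for (proto, port, target), ifaces in services.items():
        for iface in sorted(set(cfg.wan_gateways) - ifaces):
            findings.append(f"port forward {proto}/{port} -> {target} missing on {iface}")
    return findings


# Constructed "before" state mirroring the thread: group exists, but the LAN rule still
# uses the default gateway, all four DNS servers hang off WAN, and the server is only
# forwarded on WAN.  Addresses are RFC 5737 documentation ranges, not real resolvers.
BEFORE = Config(
    wan_gateways={"WAN": "WAN_GW", "OPT1": "OPT1_GW"},
    gateway_groups={"FailoverGroup": {"WAN_GW": 1, "OPT1_GW": 2}},
    lan_rules=[{"descr": "Default allow LAN to any", "gateway": "default"}],
    dns_servers=[("203.0.113.10", "WAN_GW"), ("203.0.113.11", "WAN_GW"),
                 ("198.51.100.10", "WAN_GW"), ("198.51.100.11", "WAN_GW")],
    port_forwards=[{"iface": "WAN", "proto": "tcp", "port": 443, "target": "192.168.1.20"}],
)

# Constructed "after" state with the fixes the thread arrives at applied.
AFTER = Config(
    wan_gateways={"WAN": "WAN_GW", "OPT1": "OPT1_GW"},
    gateway_groups={"FailoverGroup": {"WAN_GW": 1, "OPT1_GW": 2}},
    lan_rules=[{"descr": "Default allow LAN to any", "gateway": "FailoverGroup"}],
    dns_servers=[("203.0.113.10", "WAN_GW"), ("203.0.113.11", "WAN_GW"),
                 ("198.51.100.10", "OPT1_GW"), ("198.51.100.11", "OPT1_GW")],
    port_forwards=[{"iface": "WAN", "proto": "tcp", "port": 443, "target": "192.168.1.20"},
                   {"iface": "OPT1", "proto": "tcp", "port": 443, "target": "192.168.1.20"}],
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint_failover(cfg) or ['ok']}")
```

Run as a script it reports three findings for the "before" state (LAN rule on the default gateway, no DNS bound to OPT1_GW, port forward missing on OPT1) and none for the "after" state. The checks are deliberately structural: they cannot tell you whether the OPT1 DNS servers actually answer, which is the ping test suggested earlier in the thread.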
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.