How to make DNS lookups go only to the Tier1 link in multi-WAN failover?
-
Hi!
I have a setup with several LANs and two WANs. The WANs are set up with failover where WAN1 is Tier1 and WAN2 is Tier2.
I don't want any traffic to go over WAN2 before WAN1 goes down. When I capture traffic on WAN2 I see DNS lookups going there even if WAN1 is up. How can I make sure that "internal" traffic (DNS lookups) doesn't go out via WAN2 when WAN1 is up?
Thanks in advance for any help!
-
The upstream DNS requests come from the DNS forwarder internally to pfSense, so they don't follow policy-routing rules that you would have on the LANs. But in a setup like yours, with just 2 WANs, you could enable System: Advanced: Miscellaneous - Allow default gateway switching. In General Setup, put the upstream DNS servers you want to use, but do not specify a gateway for them.
It should all failover to WAN2 when WAN1 is down.
Note: If you have 3 WANs, then there is currently no way to specify the priority order for default gateway switching. And if you have some unusual config where there is a gateway set on something that is really a LAN, then even more trouble if the system happens to switch the default gateway to the gateway on LAN.
For 2-WAN configs, default gateway switching is predictable and should work.
-
Thanks, phil.davis.
I already have the "Allow default gateway switching" enabled, but must try this with no gateway for the DNS-servers.
I see now that this issue is mentioned in chapter 12 of the pfSense book:
"In pfSense 2.0 and higher, it is now possible to direct traffic from the firewall itself into gateway groups using floating rules, allowing local services to take advantage of failover."
Is this a better alternative? To direct DNS-requests into the gateway group with a floating rule? What then about direction, choice of interface and the "Quick" setting?
-
I have now tried this with no gateway for the DNS-servers. pfSense still sends DNS-requests out on the Tier2 WAN even if Tier1 is active/available.
Maybe this is an alternative that works:
"In pfSense 2.0 and higher, it is now possible to direct traffic from the firewall itself into gateway groups using floating rules, allowing local services to take advantage of failover."
?
What then about direction for the traffic in the rule, choice of interface and the "Quick" setting?
-
Indeed it sounds good, but I would be guessing about the settings, and the book does not actually have an example of such a rule (that would be a good addition to the book!). I have a feeling this is on the forum somewhere, but can't see it right now. Do a bit of searching and post back when you find the right answer ;)
-
Does anyone have a good guide on how to configure a Floating Rule in 2.2.x such that specific traffic FROM the firewall ITSELF (e.g. a DNS lookup or an outbound SMTP connection on port 25 for an email alert) can be directed to use a Gateway Group? I have struggled playing with different settings but no matter what I do it isn't working, traffic is either blocked or gets routed via the default gateway. Testing on 2.2.5.
-
I still can't get this to work. I am tearing out my last hair. Floating rule just seems to be ignored.
Here's a netstat -rn after yanking the WAN1 plug…
I note there is no default ipv4 gateway.
But I do have a floating rule defined for "This firewall (self)" --> tcp/udp port 53 (dns) and tcp port 2525 (smtp server) ... yet that does not function. Screenshots attached as well.

Routing tables

Internet:
Destination                            Gateway                                 Flags  Netif Expire
4.2.2.2                                74.66.0.1                               UGHS   igb2
24.29.99.36                            74.66.0.1                               UGHS   igb2
74.66.0.0/21                           link#3                                  U      igb2
74.66.2.133                            link#3                                  UHS    lo0
127.0.0.1                              link#7                                  UH     lo0
192.168.20.0/24                        link#1                                  U      igb0
192.168.20.1                           link#1                                  UHS    lo0

Internet6:
Destination                            Gateway                                 Flags  Netif Expire
default                                fe80::217:10ff:fe88:498d%igb2           UGS    igb2
::1                                    link#7                                  UH     lo0
2604:2000:400:4::/64                   link#3                                  U      igb2
2604:2000:c00:4::/64                   link#3                                  U      igb2
2604:2000:1404:b0::/64                 link#1                                  U      igb0
2604:2000:1404:b0:208:a2ff:fe09:9bd1   link#1                                  UHS    lo0
2604:2000:ffc0:4::/64                  link#3                                  U      igb2
2604:2000:ffc0:4:1005:cbc0:8afb:fba0   link#3                                  UHS    lo0
fe80::%igb0/64                         link#1                                  U      igb0
fe80::1:1%igb0                         link#1                                  UHS    lo0
fe80::%igb1/64                         link#2                                  U      igb1
fe80::211:22ff:fe33:4455%igb1          link#2                                  UHS    lo0
fe80::%igb2/64                         link#3                                  U      igb2
fe80::208:a2ff:fe09:9bd3%igb2          link#3                                  UHS    lo0
fe80::%lo0/64                          link#7                                  U      lo0
fe80::1%lo0                            link#7                                  UHS    lo0
ff01::%igb0/32                         2604:2000:1404:b0:208:a2ff:fe09:9bd1    U      igb0
ff01::%igb1/32                         fe80::211:22ff:fe33:4455%igb1           U      igb1
ff01::%igb2/32                         fe80::208:a2ff:fe09:9bd3%igb2           U      igb2
ff01::%lo0/32                          ::1                                     U      lo0
ff02::%igb0/32                         2604:2000:1404:b0:208:a2ff:fe09:9bd1    U      igb0
ff02::%igb1/32                         fe80::211:22ff:fe33:4455%igb1           U      igb1
ff02::%igb2/32                         fe80::208:a2ff:fe09:9bd3%igb2           U      igb2
ff02::%lo0/32                          ::1                                     U      lo0
floating rule (couldn't fit the whole thing on my screen, but the "HA_route" gateway is selected for this under advanced)
alias for port 53/2525
system-general
gateway group
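An added example (not from any poster here and not pfSense code) that makes the point of the netstat output above checkable: it parses the IPv4 section of a BSD `netstat -rn` dump, does the kernel's longest-prefix match, and reports which interface and gateway each upstream DNS server would leave on and whether an IPv4 default route exists at all. The embedded table is a constructed copy of the IPv4 routes posted above, with WAN1 unplugged.

```python
import ipaddress

# Constructed sample: the IPv4 section of the posted `netstat -rn`, taken with
# WAN1 unplugged, so there is no "default" line. 4.2.2.2 is the host route
# pfSense installs for a DNS server that has a gateway assigned to it.
NETSTAT_IPV4 = """\
Destination        Gateway            Flags  Netif Expire
4.2.2.2            74.66.0.1          UGHS   igb2
24.29.99.36        74.66.0.1          UGHS   igb2
74.66.0.0/21       link#3             U      igb2
74.66.2.133        link#3             UHS    lo0
127.0.0.1          link#7             UH     lo0
192.168.20.0/24    link#1             U      igb0
192.168.20.1       link#1             UHS    lo0
"""


def parse_routes(text):
    """Turn the IPv4 netstat -rn text into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # header or blank line
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Host routes are printed without a prefix length; strict=False keeps them.
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does. Returns the winning route or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def has_default_route(routes):
    """True if any route is 0.0.0.0/0, i.e. an IPv4 default gateway is installed."""
    return any(r[0].prefixlen == 0 for r in routes)


def egress_for_dns(routes, dns_servers):
    """Map each upstream DNS server to (netif, gateway) its queries would leave on."""
    return {s: ((r[3], r[1]) if (r := lookup(routes, s)) else None) for s in dns_servers}
```

With this table, 4.2.2.2 is still pinned to igb2 via 74.66.0.1 by its host route, while an unpinned resolver has no route at all because the default is gone.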
-
According to JimP (redmine #5476) getting this to work involves some fiddling with Outbound NAT. That isn't one of my strong areas. Has anyone got a working config they would be willing to share (with screenshots) of a Floating rules config that routes specific traffic originating from the Firewall (self) via a Gateway Group?
-
In Jim Pingle's last pfSense Hangout on Multi-WAN with 2.3, I am pretty sure he just outright states that it is not possible to use policy-based routing for traffic originating from the firewall itself. So I am posting a followup question/idea:
Would it work to install & bind the Postfix package to the "LAN" IP, and then enter this IP as the SMTP server under System > Advanced? Would the mail alerts then be subjected to NAT and thus be able to make use of Policy routes? Maybe I will try…
edit: nevermind. I see at https://redmine.pfsense.org/issues/5374 that this package is basically dead in the water as of 2.3 :(
-
This thread is really OLD… But if you're using a forwarder, why would you not just create normal routes to use a specific interface first? Why would you want/need to do this in a firewall rule?
With the forwarder or smtp I would think you are using a specific IP or list of specific IPs. If you create a specific route for the IP you want to go to that sends it out wan1, why would it not use that? If wan1 was down, wouldn't it just use whatever default route it has to try and get there, because now the interface the specific route is on is down?
-
The problem I'm trying to solve is
- allow firewall to send out smtp alerts when either wan1 or wan2 goes down
- firewall has multiple "local" gateways that are not internet-facing, so I can't use the "enable default gateway switching" option
-
I have a setup with several LANs and two WANs. The WANs are set up with failover where WAN1 is Tier1 and WAN2 is Tier2.
I don't want any traffic to go over WAN2 before WAN1 goes down. This looks similar to what I've described at https://forum.pfsense.org/index.php?topic=126017
Did you find a solution for DNS using the active tier only? If not, would you be able to test if this works for you?
https://github.com/pfsense/pfsense/pull/3592