Failover not working
-
Hello,
I have a strange situation on one pfSense. There are 3 WANs, 2 with equal weights (VDSL) and one ADSL with weight 3. I have created load balance and failover groups, with "member down". Today both VDSL lines failed (ISP roadworks).
The remaining WAN did not work for the LAN clients (no internet). I have also tried to route the alias groups that use the gateway groups directly via that WAN, nothing.
I have cleared the states, same. I did not reboot the firewall though. I am not on premises, will go tomorrow morning.
Best regards
K
-
Need to know what was actually failing. DNS resolution? Actual packet connectivity? Something else?
-
Thank you,
Don't know where it failed; they tried several times and then they removed pfSense and put in their old load balancer, which worked immediately… I will go tomorrow and try to figure it out. They say only one machine (that was in the LAN out group) was able to access the internet, all others could not.
Best regards
K
-
So, I visited today, and the issue seemed to be DNS (with pfSense as DNS no dig works, with 8.8.8.8 all OK).
I was using DNS Resolver on that box; I turned it off and enabled DNS Forwarder.
But, here is my question:
The one gateway that wasn't working was the one called default. When I changed the default gateway to be one of the working ones, the clients started to work immediately. I had gateway switching off, since I am using groups (and left it off).
How does the default gateway being set to a gateway that was confirmed as down leave all clients unable to access the internet?
I turned on DNS Forwarder because the Resolver was throwing errors (see attached).
Best regards
K
-
The forwarder is much more friendly to multi-wan.
In reality, the best thing for Multi-WAN and DNS is a local, inside DNS caching resolver that gets policy-routed like all the other traffic.
-
Thank you!
Can you provide an example on this, please?
In reality, the best thing for Multi-WAN and DNS is a local, inside DNS caching resolver that gets policy-routed like all the other traffic.
Best regards
K
-
Set up a local caching resolver (or two) and tell your clients to use it (those) instead of anything on the firewall.
If you do that, the queries they make will be policy routed because those queries are not being sourced from the firewall itself.
-
Thank you,
But this specific case (and others as well) does not have other on-premises devices, so I have to rely on pfSense only.
Would it be better if I manually set the DNS servers that the gateways will use (8.8.8.8 or 1.1.1.1) and set DNS Forwarder to query DNS servers sequentially?
Best
K
-
Yes.
You need DNS servers assigned in System > General with assigned gateways. At least one DNS server for each gateway.
Then either use the forwarder or use the resolver in forwarding mode. If you use the resolver in forwarding mode you probably want to disable DNSSEC.
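As an added illustration (not pfSense code, not part of this thread), a small constructed model of the two setups discussed: a resolver doing its own lookups from the firewall follows the default route, while a forwarder with one DNS server pinned to each gateway (System > General) can fall through to whichever WAN survives. Gateway names, addresses and DNS servers are assumed, and the model assumes the forwarder skips servers whose gateway is down and tries the rest in order.

```python
# Constructed model of the DNS failure mode discussed above. Not pfSense code;
# gateway names, addresses and DNS servers are assumed for illustration.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    up: bool


# Scenario from the thread: both VDSL lines down, ADSL still up,
# and the default gateway points at one of the failed VDSL lines.
GATEWAYS = {
    "WAN1_VDSL": Gateway("WAN1_VDSL", up=False),
    "WAN2_VDSL": Gateway("WAN2_VDSL", up=False),
    "WAN3_ADSL": Gateway("WAN3_ADSL", up=True),
}
DEFAULT_GW = "WAN1_VDSL"

# System > General style list: (DNS server, gateway it is pinned to).
# At least one server per gateway, so whichever WAN survives has a path.
DNS_SERVERS = [
    ("8.8.8.8", "WAN1_VDSL"),
    ("8.8.4.4", "WAN2_VDSL"),
    ("1.1.1.1", "WAN3_ADSL"),
]


def resolver_via_default_route(gateways, default_gw):
    """Resolver in recursive mode: queries originate on the firewall itself,
    so they follow the system default route rather than any gateway group.
    Returns the gateway carrying the query, or None when lookups fail."""
    gw = gateways[default_gw]
    return gw.name if gw.up else None


def forwarder_sequential(gateways, dns_servers):
    """Forwarder querying pinned servers in order, skipping any whose gateway
    is down. Returns the first (server, gateway) pair that can be reached."""
    for server, gw_name in dns_servers:
        if gateways[gw_name].up:
            return (server, gw_name)
    return None


def gateways_without_dns(gateways, dns_servers):
    """Config check: every gateway should have at least one pinned DNS server,
    otherwise a failover to that gateway leaves the forwarder with nothing."""
    covered = {gw for _, gw in dns_servers}
    return sorted(name for name in gateways if name not in covered)


if __name__ == "__main__":
    print("resolver via default gw:", resolver_via_default_route(GATEWAYS, DEFAULT_GW))
    print("forwarder:", forwarder_sequential(GATEWAYS, DNS_SERVERS))
    print("uncovered gateways:", gateways_without_dns(GATEWAYS, DNS_SERVERS))
```

Moving the default gateway to the working ADSL line makes the resolver case succeed too, which matches what the thread observed.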