Netgate Discussion Forum
    Failover WAN not working properly

      teefos @Gertjan

      @gertjan Okay, so I reverted everything and followed this video instead.

      As soon as I change the gateway away from "default" to "PreferWAN1" on the LAN firewall allow all rule, DNS stops working.

      I am not using pfSense for DNS, I'm using Pi-hole with upstream servers of 1.1.1.1 and 1.0.0.1.

        Gertjan @teefos

        @teefos

        The Pi-hole is just like any other LAN based device, except that it only communicates over 'destination port 53'.

        Do you mean all communication stops?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          teefos @Gertjan

          @gertjan

          I can still ping stuff and access websites by IP, but not by domain. As soon as I switch the gateway on the firewall rule back to Default, everything works normally again.

            viragomann @teefos

            @teefos said in Failover WAN not working properly:

            As soon as I change the gateway away from "default" to "PreferWAN1" on the LAN firewall allow all rule

            This rule directs any traffic to the WAN1 gateway. You may have to add an additional rule to the top for allowing DNS to the Pi-hole.

              teefos @viragomann

              @viragomann That worked, thanks guys!

              Would you care to explain why I had to add that rule to the top? WAN1 is already set as the default gateway in the general settings, so why would it be different when using the gateway group (which in turn uses WAN1)?

                viragomann @teefos

                @teefos
                When you state a gateway in a firewall pass rule, it directs any matching traffic to that gateway or even to the active one out of the gateway group (Policy Routing).
                So the packets won't reach your internal Pi-hole.

                For passing internal traffic between interfaces you need to set the gateway option to "default".

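The first-match behaviour described in the post above, as a small Python model added here; it is not part of the thread or of pfSense's code. The subnets and the Pi-hole address are constructed, on the assumption that the Pi-hole sits on a different internal VLAN than the clients.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing (assumption): clients on 192.168.1.0/24, Pi-hole on
# another internal VLAN at 192.168.20.53. "PreferWAN1" is the thread's group.
INTERNAL = [ip_network("192.168.1.0/24"), ip_network("192.168.20.0/24")]
PIHOLE = "192.168.20.53"

@dataclass
class Rule:
    dst: str                 # destination network matched by the pass rule
    port: Optional[int]      # None matches any destination port
    gateway: Optional[str]   # None is "default": consult the routing table

def route(rules, dst_ip, dst_port):
    """Top-down, first match wins; a rule gateway bypasses the routing table."""
    dst = ip_address(dst_ip)
    for r in rules:
        if dst in ip_network(r.dst) and r.port in (None, dst_port):
            if r.gateway:
                return f"forced to {r.gateway}"
            internal = any(dst in net for net in INTERNAL)
            return "routed internally" if internal else "default gateway"
    return "blocked"  # no pass rule matched

def reachable(rules, dst_ip, dst_port):
    """An internal host is reached only when the routing table decides."""
    outcome = route(rules, dst_ip, dst_port)
    if any(ip_address(dst_ip) in net for net in INTERNAL):
        return outcome == "routed internally"
    return outcome != "blocked"

# The single allow-all rule with the gateway group set: DNS to the Pi-hole breaks.
BROKEN = [Rule("0.0.0.0/0", None, "PreferWAN1")]
# The fix from the thread: a DNS rule to the Pi-hole, gateway "default", on top.
FIXED = [Rule(PIHOLE + "/32", 53, None)] + BROKEN

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "DNS to Pi-hole:", route(rules, PIHOLE, 53))
        print(name, "HTTPS to 1.1.1.1:", route(rules, "1.1.1.1", 443))
```

The same model shows why traffic between VLANs needs its own rule with the gateway left at "default" once the allow-all rule carries a gateway.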
                  teefos @viragomann

                  @viragomann I see.

                  I have several VLANs and some of them can communicate freely right now using any rules on each VLAN. If I understand you correctly, after changing the gateway away from Default on the other VLANs as well, I will have to create additional allow rules applied on top, for them to still be able to communicate with each other?

                    viragomann @teefos

                    @teefos
                    It's pretty unclear why you want to specify a gateway in the rules at all. I can't see any reason for that.

                    If you state a gateway you lose the benefit of the failover group.

                      teefos @viragomann

                      @viragomann I thought that's what I had to do to enable the failover functionality.

                      Or is it this one I need to change?

                        viragomann @teefos

                        @teefos
                        You have to select the failover group there.

                          teefos @viragomann

                          @viragomann Well, that's great. Thank you so much.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.