Dual WAN+4G Failover - how to block DNS lookups out on non active WAN?

  • Hello,
    I am trying to setup a Dual WAN Failover scenario with WAN (static IP interface) + 4G modem WAN2 interface using Gateway Group with Tier1 on WAN and Tier2 on WAN2mobile.

    • I have defined one DNS on each WAN ( and WAN2mobile (
    • I have tried both Forwarding and Non-Forwarding mode on DNS Resolver.  (but will use the Forwarding mode as it will work better with MultiWAN according to Jim Pingle)
    • I have tied the outgoing interfaces in DNS Resolver to WAN + WAN2. (to allow DNS traffic on any of these interfaces)
    • I have changed the rules to use the Gateway Group in for all the relevant rules.

    The problem I am struggeling with is:
    How can I prevent the system to NOT send out any DNS requests on WAN2 until this interface becomes active at the failover scenario. (Tier2 becomes active)
    I have tried with and without the "Default gateway switching" but no difference. (Think this should be off, when doing "Gateway Group" AFAIK ?!)
    And I do want to use pfSense as resolver for the clients as I want to be able to use the Host override function for local lookups of local services.

    I would like the WAN2 interface to be almost silent and only possible send out some local ARP requests, some local Broadcasts and
    possible some unfrequent pings by dpinger to verify connectivity of the interface. I have already disabled all the SSDP packets on
    the interface today with rules.

    As it is now, I am seeing a lot of DNS requests originating from the pfSense WAN2mobile IP-interface IP towards external DNS servers
    and it is NOT triggered by any local LAN PC as the only PC currently using this router is my desktop PC and I have done a packet capture
    on the incoming LAN (in pfSense) using promiscious mode and could not see any device trigging the DNS requests seen out on WAN2.

    Am i doing something wrong or is it a way to use pfSense "DNS Resolver" in a MultiWAN GatewayGroup scenario but only having it send
    out any DNS requests to WAN2 when Tier2 becomes active.

    I want to avoid any un-necesary traffic on the WAN2 interface when it is only idling waiting to take over in a failover scenario.
    As the subscription has a cap limit / month on the 4G I do not want to waste any traffic.

    Best regards
    Dan Lundqvist
    Stockholm, Sweden

    Another strange thing is that If I have Forwarding mode set in DNS Resolver and have IP defined as DNS for WAN2
    and for WAN, I see DNS forwarding to both and on the WAN2 interface.

    23:38:32.516036 IP > UDP, length 63
    23:38:32.532043 IP > UDP, length 53
    23:38:32.617246 IP > UDP, length 111
    23:38:32.679359 IP > UDP, length 56
    23:38:32.679987 IP > UDP, length 149
    23:38:32.691486 IP > UDP, length 149
    23:38:32.691613 IP > UDP, length 111
    23:38:32.714615 IP > UDP, length 220

    The following is defined in General - DNS Server Settings:
    DNS Server 1    WANGW              - wan - 87.x.x.1
    DNS Server 2    WAN2MOBILEGW - opt3 -

    What I could see in the /etc/resolv.conf is:
    search mrzaz.com

    I did a small test where I removed all DNS entries in General and then all DNS lookup stopped working from clients.
    $ cat /etc/resolv.conf
    search mrzaz.com

    Then I added IPs again without selecting any gateways and DNS lookup started working again even without any gateways selected.
    $ cat /etc/resolv.conf
    search mrzaz.com

    - How is the DNS defined in General actually tied to a specific gateway i FreeBSD when defined in pfSense?

    Seems like even if I define one DNS to only one Gateway, the request is sent to both DNS IPs defined
    on all interfaces that has been defined in DNS Resolver as outgoing.

    eg. and is sent to both WAN and WAN2
    instead of -> WAN -> WAN2

    Also I still do not know how to limit an outgoing request based on the Gateway group Tier1 or 2 selection mode. 
    (eg. only send DNS on interface that is currently active in the group)

    ![DNS Resolver.jpg](/public/imported_attachments/1/DNS Resolver.jpg)
    ![DNS Resolver.jpg_thumb](/public/imported_attachments/1/DNS Resolver.jpg_thumb)

  • I found what was needed.

    I needed a rule on WAN and WAN2 to force tcp/udp port 53 and tcp/udp port 53 to use "default" gateway instead of dualwan group.
    Now it looks OK.

Log in to reply