Dual WAN+4G Failover - how to block DNS lookups out on non active WAN?
I am trying to set up a Dual WAN Failover scenario with WAN (static IP interface) + 4G modem WAN2 interface using a Gateway Group with Tier1 on WAN and Tier2 on WAN2mobile.
- I have defined one DNS on each WAN (126.96.36.199) and WAN2mobile (188.8.131.52)
- I have tried both Forwarding and Non-Forwarding mode on DNS Resolver. (but will use the Forwarding mode as it will work better with MultiWAN according to Jim Pingle)
- I have tied the outgoing interfaces in DNS Resolver to WAN + WAN2. (to allow DNS traffic on any of these interfaces)
- I have changed the rules to use the Gateway Group in for all the relevant rules.
The problem I am struggling with is:
How can I prevent the system from sending out any DNS requests on WAN2 until this interface becomes active in the failover scenario (Tier2 becomes active)?
I have tried with and without the "Default gateway switching" but no difference. (Think this should be off, when doing "Gateway Group" AFAIK ?!)
And I do want to use pfSense as resolver for the clients as I want to be able to use the Host override function for local lookups of local services.
I would like the WAN2 interface to be almost silent and only possibly send out some local ARP requests, some local broadcasts and possibly some infrequent pings by dpinger to verify connectivity of the interface. I have already disabled all the SSDP packets on the interface today with rules.
As it is now, I am seeing a lot of DNS requests originating from the pfSense WAN2mobile interface IP towards external DNS servers, and it is NOT triggered by any local LAN PC, as the only PC currently using this router is my desktop PC and I have done a packet capture on the incoming LAN (in pfSense) using promiscuous mode and could not see any device triggering the DNS requests seen out on WAN2.
Am I doing something wrong, or is there a way to use the pfSense "DNS Resolver" in a MultiWAN GatewayGroup scenario but only have it send out any DNS requests on WAN2 when Tier2 becomes active?
I want to avoid any unnecessary traffic on the WAN2 interface when it is only idling waiting to take over in a failover scenario.
As the subscription has a cap limit / month on the 4G I do not want to waste any traffic.
Another strange thing is that if I have Forwarding mode set in DNS Resolver and have 184.108.40.206 defined as DNS for WAN2 and 220.127.116.11 for WAN, I see DNS forwarding to both 18.104.22.168 and 22.214.171.124 on the WAN2 interface:

```
23:38:32.516036 IP 192.168.125.2.61987 > 126.96.36.199.53: UDP, length 63
23:38:32.532043 IP 192.168.125.2.51270 > 188.8.131.52.53: UDP, length 53
23:38:32.617246 IP 184.108.40.206.53 > 192.168.125.2.5918: UDP, length 111
23:38:32.679359 IP 192.168.125.2.11608 > 220.127.116.11.53: UDP, length 56
23:38:32.679987 IP 18.104.22.168.53 > 192.168.125.2.27262: UDP, length 149
23:38:32.691486 IP 22.214.171.124.53 > 192.168.125.2.51270: UDP, length 149
23:38:32.691613 IP 126.96.36.199.53 > 192.168.125.2.61987: UDP, length 111
23:38:32.714615 IP 188.8.131.52.53 > 192.168.125.2.11608: UDP, length 220
```
The following is defined in General - DNS Server Settings:
```
DNS Server 1 184.108.40.206 WANGW - wan - 87.x.x.1
DNS Server 2 220.127.116.11 WAN2MOBILEGW - opt3 - 192.168.125.1
```
What I could see in the /etc/resolv.conf is:
I did a small test where I removed all DNS entries in General and then all DNS lookup stopped working from clients.
```
$ cat /etc/resolv.conf
```
Then I added IPs again without selecting any gateways and DNS lookup started working again even without any gateways selected.
```
$ cat /etc/resolv.conf
```
- How is the DNS defined in General actually tied to a specific gateway in FreeBSD when defined in pfSense?
Seems like even if I define one DNS to only one Gateway, the request is sent to both DNS IPs defined on all interfaces that have been defined in DNS Resolver as outgoing, e.g. 18.104.22.168 and 22.214.171.124 are sent to both WAN and WAN2:
126.96.36.199 -> WAN
188.8.131.52 -> WAN2
Also I still do not know how to limit an outgoing request based on the Gateway group Tier1 or Tier2 selection mode (e.g. only send DNS on the interface that is currently active in the group).
![DNS Resolver.jpg](/public/imported_attachments/1/DNS Resolver.jpg)
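Added example (not from the post or from pfSense): a small Python check that reads tcpdump lines of the shape shown above, one capture per WAN interface, and flags any DNS query leaving a standby gateway-group member, or going to the wrong resolver on the active one. The interface names, resolver addresses and the sample capture are constructed.

```python
import re
from collections import Counter

# Shape of the tcpdump lines in the post: "HH:MM:SS.usec IP src.port > dst.port: UDP, length N"
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$")

def dns_queries(capture_lines):
    """Count outbound port-53 queries per resolver IP; replies (source port 53) are ignored."""
    queries = Counter()
    for line in capture_lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "53":
            queries[m.group(3)] += 1
    return queries

def audit_dns_egress(captures, active_wan, resolver_of):
    """Per interface, return resolver IPs that should not have been queried.

    captures:    {interface: [tcpdump lines captured on that interface]}
    active_wan:  the gateway-group member currently carrying traffic
    resolver_of: {interface: resolver IP assigned to that WAN in General Setup}
    A standby WAN is expected to be silent, so every query seen on it is flagged.
    """
    findings = {}
    for iface, lines in captures.items():
        allowed = {resolver_of[iface]} if iface == active_wan else set()
        bad = {ip: n for ip, n in dns_queries(lines).items() if ip not in allowed}
        if bad:
            findings[iface] = bad
    return findings

# Constructed sample: resolver IPs from the RFC 5737 documentation ranges (not the poster's),
# WAN address 203.0.113.2, and the WAN2 address 192.168.125.2 seen in the post's capture.
# WAN is active, yet WAN2 is leaking queries to both resolvers.
RESOLVERS = {"wan": "192.0.2.53", "wan2": "198.51.100.53"}
SAMPLE_CAPTURES = {
    "wan": [
        "23:38:32.516036 IP 203.0.113.2.61987 > 192.0.2.53.53: UDP, length 63",
        "23:38:32.617246 IP 192.0.2.53.53 > 203.0.113.2.61987: UDP, length 111",
    ],
    "wan2": [
        "23:38:32.532043 IP 192.168.125.2.51270 > 198.51.100.53.53: UDP, length 53",
        "23:38:32.679359 IP 192.168.125.2.11608 > 192.0.2.53.53: UDP, length 56",
        "23:38:32.691486 IP 198.51.100.53.53 > 192.168.125.2.51270: UDP, length 149",
    ],
}

if __name__ == "__main__":
    print(audit_dns_egress(SAMPLE_CAPTURES, active_wan="wan", resolver_of=RESOLVERS))
    # {'wan2': {'198.51.100.53': 1, '192.0.2.53': 1}}
```

Feed it the output of a `tcpdump -n -i <wan2 interface> udp port 53` capture taken while WAN is active; an empty result for the standby interface is the "silent WAN2" the post is after.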
I found what was needed.
I needed a rule on WAN and WAN2 to force 184.108.40.206 tcp/udp port 53 and 220.127.116.11 tcp/udp port 53 to use the "default" gateway instead of the dualwan group.
Now it looks OK.