Routing Issue using pfSense on AWS

  • Hi Guys

    Strange routing issue I'm having here, and I'm out of ideas trying to figure out what the issue is.

    I have a pfSense device in AWS which is being used solely for a region-to-region VPN. The VPN is functional and routing traffic except for one specific case.

    The pfSense device has a single interface which is configured via DHCP (standard in AWS). My AWS VPC has a DHCP options set which includes DHCP options for DNS servers - these DNS servers are AD domain controllers in a subnet which is routable over the VPN.

    The pfSense device has entries in its route table for these two DNS servers with a gateway of the MAC of the pfSense's own network interface (see 1.png). Obviously this route is breaking any traffic destined for these servers from the remote subnets. I'm not sure where this route is coming from, but it only appears in the route table when I have DHCP options for DNS servers set. If I disable the DNS servers option in the DHCP options set, these routes disappear and traffic starts to flow properly. If I 'route delete' the routes the traffic also starts to flow, until the routes are reacquired again a few minutes later.

    This seems to me like something that pfSense is doing as a result of finding a DNS option set in the DHCP route table. If so, it seems that there should be something I should be able to disable on the pfSense device to stop this happening.

    TL;DR: when pfSense acquires DNS servers from DHCP, why does it create routes to those DNS servers where the gateway is its own MAC?

    Cheers for any help!

  • …and I've just realised that this forum is specifically for multi-WAN, misread the routing title. Mods please feel free to move to somewhere more appropriate.
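A quick way to confirm which of the DHCP-supplied DNS servers have been pinned to a link-layer gateway, as described in the post above, is to cross-reference the FreeBSD routing table with resolv.conf. The script below is an added diagnostic example, not code from the poster or from the pfSense project; the `netstat -rn` and `/etc/resolv.conf` excerpts are constructed samples (interface name `xn0`, the MAC address and the 10.0.x.x addresses are all invented), shaped to match the symptom the poster describes.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn` output from a FreeBSD/pfSense host.
# The two host routes to the DNS servers have a MAC address as their gateway,
# which is the symptom described in the post (all values are invented).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.1.1           UGS         xn0
10.0.1.0/24        link#1             U           xn0
10.0.1.25          link#1             UHS         lo0
10.0.5.10          0a:1b:2c:3d:4e:5f  UHS         xn0
10.0.5.11          0a:1b:2c:3d:4e:5f  UHS         xn0
127.0.0.1          link#2             UH          lo0
192.168.50.0/24    10.0.1.1           UGS         xn0'

# Constructed sample of /etc/resolv.conf as written from the DHCP lease.
SAMPLE_RESOLV='# Generated by resolvconf
nameserver 10.0.5.10
nameserver 10.0.5.11
search corp.example'

# mac_gateway_routes ROUTES
#   Print "destination gateway netif" for every route whose gateway column
#   is a link-layer (MAC) address, i.e. six colon-separated octets.
#   split()/length() are used instead of an interval regex so the awk
#   expression is portable across awk implementations.
mac_gateway_routes() {
  printf '%s\n' "$1" | awk '
    split($2, octets, ":") == 6 && length($2) == 17 { print $1, $2, $4 }'
}

# dns_servers RESOLVCONF
#   Print the nameserver addresses listed in a resolv.conf body.
dns_servers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# dns_mac_routes ROUTES RESOLVCONF
#   Print only the DNS servers that are reached via a MAC gateway, one per
#   line as "destination gateway netif". These are the host routes that
#   will override the VPN route for traffic to those servers.
dns_mac_routes() {
  routes=$(mac_gateway_routes "$1")
  for ns in $(dns_servers "$2"); do
    printf '%s\n' "$routes" | awk -v ns="$ns" '$1 == ns { print }'
  done
}

# Stand-alone run against the constructed samples.
# On a live host: dns_mac_routes "$(netstat -rn)" "$(cat /etc/resolv.conf)"
echo "DNS servers pinned to a link-layer gateway:"
dns_mac_routes "$SAMPLE_ROUTES" "$SAMPLE_RESOLV"
```

Running it against the samples lists both DNS servers with the interface MAC as gateway on `xn0`, which is exactly the pair of routes the poster has to delete by hand. Feeding the live `netstat -rn` and `/etc/resolv.conf` into `dns_mac_routes` before and after changing the VPC DHCP options set gives a quick, repeatable check that the routes really have gone rather than relying on whether traffic happens to flow.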


  • Just wanted to add that I also am having this issue; if I set the DHCP option set to my domain controller, pfSense will try to route via the WAN MAC address. (In my case I only have 1 WAN.)
    If there's any way to avoid this, please let me know. For now I'll disable the DHCP option set and set each client's DNS manually.
