Multi WAN and DNS - over four gateways



  • Hi,

    we're setting up a pfSense with three separate WAN interfaces to replace the hardware we're currently using. We have our main connection, one to fail over to in case the main one fails, and a separate one for, amongst others, VoIP. So two out of three are being actively used at any time. Each of the three has both IPv4 and IPv6 connectivity, so that's six gateways in total.

    In the 'DNS Server Settings' section of the 'General Setup' it says "When using multiple WAN connections there should be at least one unique DNS server per gateway."

    As far as I can tell this isn't possible for us, as we can only configure four. Ideally we'd want to configure two DNS servers to have a fallback, which would require us to configure twelve name servers. Does anyone have any suggestions on how we should set this up?

    Kind regards,
    Bartosz



  • I'm not sure this is still a thing since DNS resolver became the default for new installations.

    It's possible some edge cases might still make use of it, but generally localhost is used for DNS


  • Rebel Alliance Developer Netgate

    Only four DNS servers can be configured as forwarders. These are only used by clients for the DNS Forwarder or the DNS Resolver with its forwarding mode option activated.

    You can activate default gateway switching (System > Advanced, Miscellaneous tab) and then if your default gateway WAN goes down, the next one in line will be used. Leave at least one DNS server, preferably a public one such as 8.8.8.8, configured without a gateway set on System > General Setup if you choose to go that route. That, or use the DNS Resolver in non-forwarding mode.



  • Hi,

    thank you and heper for your replies.

    @jimp:

    Only four DNS servers can be configured as forwarders. These are only used by clients for the DNS Forwarder or the DNS Resolver with its forwarding mode option activated.

    These won't be used by the clients, so that's okay.

    @jimp:

    You can activate default gateway switching (System > Advanced, Miscellaneous tab) and then if your default gateway WAN goes down, the next one in line will be used. Leave at least one DNS server, preferably a public one such as 8.8.8.8, configured without a gateway set on System > General Setup if you choose to go that route. That, or use the DNS Resolver in non-forwarding mode.

    Note that this won't quite work, as we still have two active gateways with both IPv4 and IPv6 active, so if we adhere to the statement 'When using multiple WAN connections there should be at least one unique DNS server per gateway.' we already have four at minimum, leaving no room for any public ones. That means we might as well rely purely on public ones and ignore the requirement.

    Now, I just realised that since two of the three WAN connections are with the same provider, say ISP1, those will share the same upstream name servers. Those also happen to be the two which will be active under normal circumstances. So I think everything should work if I set it up as follows:

    | Slot        | DNS server            | Gateway                 |
    | ----------- | --------------------- | ----------------------- |
    | DNS Server1 | ISP1 IPv4 nameserver1 | none                    |
    | DNS Server2 | ISP1 IPv6 nameserver1 | none                    |
    | DNS Server3 | ISP2 IPv4 nameserver1 | Backup WAN IPv4 Gateway |
    | DNS Server4 | ISP2 IPv6 nameserver1 | Backup WAN IPv6 Gateway |

    This will still violate the unique DNS server per gateway requirement. But if I understand things correctly this should work, and not even require 'default gateway switching' as we use a Gateway group for our main and backup WAN. Could you please confirm?

    Thank you.

    Having said that, it still feels a bit fragile, as we'll have a single nameserver per gateway and only get away with that because we're lucky to have two of our WANs share the same ISP. Is there anywhere to file a feature/improvement request?

    I think it should be possible to set at least two nameservers per (WAN) gateway, i.e. have the limit depend on the number of (WAN) gateways instead of an overall limit of four. But as long as that limit's there, the text below it shouldn't state the aforementioned requirement, as in many cases, even with just two WANs, it will be impossible to satisfy.

    Kind regards,
    Bartosz


  • Rebel Alliance Global Moderator

    "This will still violate the unique DNS server per gateway requirement."

    Who said it was a "requirement"? It is no such thing. It is a reminder to users that if you have ISP A and B and are using DNS provided by them, ISP A's DNS most likely will not answer queries when you're not on their network. So if you ask ISP A's DNS from your ISP B address you're probably not going to get an answer. That is the point of this note. It's a reminder to home users. Remember pfSense gets a lot of new and home type users that don't know bupkis about networking or DNS ;)

    To be honest, why are you not just using the resolver? Which is out of the box, gives you DNSSEC support, etc. And now all of that DNS per gateway goes out the window!!


  • Rebel Alliance Developer Netgate

    That isn't what the suggestion means.

    You should route at least one DNS server out each WAN if possible. It does not have to be a DNS server for that ISP, it can be public. The important part is that you have a DNS server set for each WAN. You don't need two per WAN, the redundancy is handled by having multiple WANs, putting two per WAN is unnecessary overkill, especially in that situation.

    The DNS Resolver in resolving mode doesn't even use those, it contacts root DNS servers and authoritative DNS servers directly, not forwarders. So long as you have default gateway switching on, it will handle all of the resolution.

    As an alternative, assign public DNS servers directly to clients and then whatever WAN they get policy routed out of will handle their DNS requests, so the firewall DNS configuration will not matter.



  • @jimp:

    That isn't what the suggestion means.

    You should route at least one DNS server out each WAN if possible. It does not have to be a DNS server for that ISP, it can be public. The important part is that you have a DNS server set for each WAN. You don't need two per WAN, the redundancy is handled by having multiple WANs, putting two per WAN is unnecessary overkill, especially in that situation.

    The DNS Resolver in resolving mode doesn't even use those, it contacts root DNS servers and authoritative DNS servers directly, not forwarders. So long as you have default gateway switching on, it will handle all of the resolution.

    As an alternative, assign public DNS servers directly to clients and then whatever WAN they get policy routed out of will handle their DNS requests, so the firewall DNS configuration will not matter.

    Ok, understood. Thanks for the clarifications!


  • Rebel Alliance Global Moderator

    "You should route at least one DNS server out each WAN if possible. "

    Agreed. But you also have to remember that that DNS server needs to be reachable from that WAN. Putting in ISP A's DNS on your ISP B WAN is normally not going to work ;)

    But this only comes into play when using forwarders for your DNS. Once you use the resolver none of that matters.
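The two rules of thumb in this thread (jimp: route at least one DNS server out each WAN and, with default gateway switching on, leave one server without a gateway; johnpoz: an ISP's resolver is usually unreachable from another ISP's WAN) can be checked mechanically before a forwarder configuration goes live. The script below is an added example written for this thread, not pfSense code; the gateway names, ISP labels and the ISP resolver addresses (documentation ranges) are constructed, and it models the four-slot limit of System > General Setup. It runs Bartosz's plan from the table above and a public-resolver plan through the same lint.

```python
# Added example: lint a pfSense-style "DNS server per gateway" plan against
# the advice given in this thread. Not part of pfSense; names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

MAX_DNS_SLOTS = 4  # System > General Setup offers four DNS server slots


@dataclass(frozen=True)
class Wan:
    gateway: str   # gateway name as it would appear in System > Routing
    isp: str       # provider the link belongs to
    family: int    # 4 or 6


@dataclass(frozen=True)
class DnsServer:
    address: str
    isp: Optional[str]      # operator of the resolver, None for a public one
    gateway: Optional[str]  # pinned gateway, None = follow the default route


def lint_dns_plan(wans: List[Wan], servers: List[DnsServer],
                  default_gateway_switching: bool = False) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the plan follows the advice."""
    findings = []
    by_gateway = {w.gateway: w for w in wans}

    if len(servers) > MAX_DNS_SLOTS:
        findings.append(("error", f"{len(servers)} DNS servers but only {MAX_DNS_SLOTS} slots exist"))

    covered = set()
    for s in servers:
        family = ip_address(s.address).version
        if s.gateway is None:
            # Follows the default route. After a gateway switch that route may
            # leave via the other ISP's WAN, where that ISP's resolver won't answer.
            if s.isp is not None and default_gateway_switching:
                findings.append(("warning", f"{s.address} ({s.isp} resolver) follows the default "
                                            f"route; after a gateway switch {s.isp} may not answer"))
            continue
        wan = by_gateway.get(s.gateway)
        if wan is None:
            findings.append(("error", f"{s.address} is pinned to unknown gateway {s.gateway}"))
            continue
        if wan.family != family:
            findings.append(("error", f"IPv{family} server {s.address} pinned to IPv{wan.family} "
                                      f"gateway {wan.gateway}"))
            continue
        if s.isp is not None and s.isp != wan.isp:
            # johnpoz's caveat: ISP A's DNS asked from ISP B's address is usually unanswered.
            findings.append(("error", f"{s.address} belongs to {s.isp} but is routed out "
                                      f"{wan.gateway} ({wan.isp}); likely unanswered"))
            continue
        covered.add(wan.gateway)

    # jimp's rule: at least one DNS server routed out each WAN.
    for w in wans:
        if w.gateway not in covered:
            findings.append(("warning", f"no DNS server routed out {w.gateway}"))

    # jimp's rule for gateway switching: keep one server with no gateway set.
    if default_gateway_switching and not any(s.gateway is None for s in servers):
        findings.append(("warning", "default gateway switching is on but no DNS server "
                                    "is left without a gateway"))
    return findings


# Constructed topology from the thread: three dual-stack WANs, main and VoIP on ISP1.
WANS = [
    Wan("WAN_MAIN_V4", "ISP1", 4), Wan("WAN_MAIN_V6", "ISP1", 6),
    Wan("WAN_VOIP_V4", "ISP1", 4), Wan("WAN_VOIP_V6", "ISP1", 6),
    Wan("WAN_BACKUP_V4", "ISP2", 4), Wan("WAN_BACKUP_V6", "ISP2", 6),
]

# Bartosz's table: ISP1 resolvers on the default route, ISP2 resolvers pinned to the backup WAN.
PLAN_AS_POSTED = [
    DnsServer("192.0.2.53", "ISP1", None),
    DnsServer("2001:db8:1::53", "ISP1", None),
    DnsServer("198.51.100.53", "ISP2", "WAN_BACKUP_V4"),
    DnsServer("2001:db8:2::53", "ISP2", "WAN_BACKUP_V6"),
]

# Public resolvers pinned one per WAN, as far as four slots allow (Google's public DNS).
PLAN_PUBLIC = [
    DnsServer("8.8.8.8", None, "WAN_MAIN_V4"),
    DnsServer("2001:4860:4860::8888", None, "WAN_MAIN_V6"),
    DnsServer("8.8.4.4", None, "WAN_BACKUP_V4"),
    DnsServer("2001:4860:4860::8844", None, "WAN_BACKUP_V6"),
]

if __name__ == "__main__":
    for name, plan in (("as posted", PLAN_AS_POSTED), ("public", PLAN_PUBLIC)):
        print(f"--- plan {name}, gateway switching on ---")
        for severity, message in lint_dns_plan(WANS, plan, default_gateway_switching=True):
            print(f"{severity}: {message}")
```

Both plans produce warnings, which is the point of the thread: with six gateways and four slots, no forwarder plan can route a server out every WAN, so the remaining choice is either accepting that the uncovered WANs rely on the default route, or sidestepping the slots entirely with the DNS Resolver in resolving mode (or public DNS handed straight to clients), as the replies above recommend.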


  • Rebel Alliance Developer Netgate

    Which is also why we recommend using public DNS servers :-)