Multi-WAN DNS problems…. among other things.
  • I have a pfSense box running on a P4 2.4 GHz, 2 GB DDR RAM, 40 GB HDD, 1 internal Intel NIC, 2 PCI Realtek NICs.  My setup is as follows:

    WAN: static IP on T1 modem
    WAN2: static IP on second T1 modem
    LAN: acting as NAT gateway, no DHCP

    I have used the load balancing option and created a group with WAN and WAN2 in it.  I have created rules for all traffic to go through the load balancing group, and any secure traffic (SSH, HTTPS, POP3S, SMTPS, etc.) to go through one single WAN or the other.

    The DNS servers provided by the telco are the same for both T1s (note that the two T1s have different IPs and gateways, but are on a 30-bit subnet) and are set in the general setup.

    I have tried with and without Squid/Squidguard installed and get the same results.  It will resolve addresses sometimes and the others will not.  Sometimes I have to refresh the page 3 - 5 times before it loads.

    My ping times on the network and outside the network are good.  I have placed a sniffer on the network and traffic is well within tolerable levels.  The error I get is the pfSense page that says "The requested URL could not be retrieved".

    Also, I am unable to download files from 99.9% of websites (Dell, HP, etc.); it just gives me a "page cannot be displayed" error.

    Any thoughts or tricks are GREATLY appreciated!

    OBTW, the internal clients use the Windows 2003 AD controller as DNS1 and the pfSense router as DNS2.



  • It will resolve addresses sometimes and the others will not.  Sometimes I have to refresh the page 3 - 5 times before it loads.

    That can happen if sticky connections is enabled. Maybe the gateway or MTU is wrong: http://forum.pfsense.org/index.php/topic,9301.0.html

    Also I am unable to download files from 99.9% of websites (dell, hp, etc..) it just gives me a "page cannot be displayed" error.

    If the downloads are FTP it could be:
    2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.

    As I have stated before, I'm not a big fan of load balancing pools. Life is just easier with failover pools and a split user network segment of IPs.

    A good read: http://forum.pfsense.org/index.php/topic,7001.0.html



  • Great suggestions, they made a world of difference!  I removed Sticky Connections, changed the MTU to 1400, set the 127 rule and set the monitor for each WAN to its own gateway.  The network seems to be much happier; I can download files and webpages are working most of the time.

    It seems like as the day goes on, the responses from Squid saying that DNS is unable to resolve become more and more frequent.  A quick restart of the pfSense box solves the issue.  Any other ideas?

    Thanks again!



  • Just a side note.  Removing Squid and using the box solely as a router fixes the problem.  Definitely a Squid cache issue.  But I require filtering, so either I fix Squid or place a filter appliance between the network and the pfSense box.  Any ideas on the Squid issue not resolving names?
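The symptom in this thread (resolution that fails intermittently and gets worse over the day) is hard to pin on the telco resolvers, the pfSense forwarder or Squid without numbers. The script below is an added example, not code from the thread or from the pfSense project: it queries each resolver repeatedly with `dig` (assumed installed), classifies every answer by rcode or timeout, and reports a per-resolver failure rate. Running it from a LAN host against the telco DNS servers and against the pfSense box itself, at intervals through the day, shows whether the upstream resolvers, the forwarder or only the proxy path is degrading. The resolver addresses and probe names are placeholders you replace with your own.

```python
"""Measure per-resolver DNS failure rates to isolate intermittent resolution
problems.  Added example (not from the forum thread); assumes the BIND `dig`
utility is on PATH.  Resolver addresses below are placeholders."""
import subprocess
import time
from collections import defaultdict

# Placeholders: the two telco DNS servers and the pfSense LAN address.
RESOLVERS = ["203.0.113.1", "203.0.113.2", "192.168.1.1"]
PROBE_NAMES = ["www.example.com", "www.example.net"]

# Constructed sample of dig's text output, used only to show the parser.
SAMPLE_OK = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321\n"
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def parse_dig_status(output):
    """Return the rcode from dig's header line ('NOERROR', 'SERVFAIL', ...),
    'TIMEOUT' when dig reports no reachable server, else 'UNKNOWN'."""
    for line in output.splitlines():
        if "->>HEADER<<-" in line:
            for field in line.split(","):
                field = field.strip()
                if field.startswith("status:"):
                    return field.split(":", 1)[1].strip()
        if "connection timed out" in line or "no servers could be reached" in line:
            return "TIMEOUT"
    return "UNKNOWN"


def dig_status(server, name, timeout=2):
    """Send one A query to `server` and classify the outcome."""
    cmd = ["dig", f"@{server}", name, "A", f"+time={timeout}", "+tries=1"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    return parse_dig_status(proc.stdout)


def summarize(results):
    """results: iterable of (server, status).  Anything other than NOERROR
    counts as a failure; returns {server: {ok, fail, fail_rate}}."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for server, status in results:
        counts[server]["ok" if status == "NOERROR" else "fail"] += 1
    summary = {}
    for server, c in counts.items():
        total = c["ok"] + c["fail"]
        summary[server] = {"ok": c["ok"], "fail": c["fail"],
                           "fail_rate": c["fail"] / total}
    return summary


def run_probe(rounds=20, interval=1.0, resolvers=RESOLVERS, names=PROBE_NAMES):
    """Query every name against every resolver `rounds` times, pausing
    `interval` seconds between rounds, and return the summary."""
    results = []
    for _ in range(rounds):
        for server in resolvers:
            for name in names:
                results.append((server, dig_status(server, name)))
        time.sleep(interval)
    return summarize(results)


if __name__ == "__main__":
    # Show the classifier on the constructed samples, then probe for real.
    print("sample ok      ->", parse_dig_status(SAMPLE_OK))
    print("sample timeout ->", parse_dig_status(SAMPLE_TIMEOUT))
    for server, s in run_probe().items():
        print(f"{server}: {s['ok']} ok, {s['fail']} failed ({s['fail_rate']:.0%})")
```

A resolver that is fine when queried directly but fails when the same names go through the pfSense address points at the forwarder; if direct queries are clean and only proxied page loads fail, the problem sits in Squid's own resolver and cache, which matches the observation that removing Squid cures it.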
