Failover enabled but DNS not respecting rule



  • version: 2.4.2-RELEASE-p1

    The setup:
    GW group:
    WAN1 (default GW) Tier1 DNS: 1.2.3.4
    WAN2 Tier2 DNS 5.6.7.8

    DNS forwarding enabled. DHCP sets the router's IP as DNS, but a few clients use 8.8.8.8, apparently.

    Works as planned and as documented. (Almost) all traffic goes via WAN1 as expected.
    However, all queries to 8.8.8.8 are routed via WAN2. That should not happen. I don't have any overriding rules for TCP/UDP 53. Those queries should go via WAN1 like everything else, IMHO. I don't have anything 8.8.8.8-related in the router settings.

    While debugging the above issue I noticed that even if I set WAN2 to Tier1, all traffic still goes via WAN1. That is what I want actually, but it should be load balancing as round robin, right?

    Axel.



  • I have set my setup like this:
    Youtube Video

    So I can see that it is not exactly according to best practices. So I changed the LAN rule to the GW group and the GW2 Tier to 2. The failover part works as planned, naturally. But… for some reason 8.8.8.8:53 still gets routed to the passive WAN2 interface. How come pfSense decides that those DNS queries ONLY should go to the WAN2 interface while the default GW is WAN1 and gigs of bytes go through WAN1 as configured... weird.
    In a normal situation, this would not matter, but I use a "pay as you go" WAN2 ISP, which means that a daily fee triggers when traffic goes beyond the threshold level. And... it goes over with those DNS queries easily...

    Axel.



  • Ok, I think this is what happened:
    Since the last failover, there was an 8.8.8.8 state left active. And probably it was being used so frequently that it stayed active days after failback. For me, it looked like new 8.8.8.8 queries were routed to the passive node, but actually, pfSense respected the active state and routed new queries to WAN2. After deleting the remaining state manually, no more "weird" 8.8.8.8 traffic to WAN2.

    Axel.
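A way to spot the leftover states described in the last post: this is an added example, not part of the original thread. It filters `pfctl -ss` output for outbound states that still leave through the Tier 2 interface towards a given destination. The interface names (em0 = WAN1, em1 = WAN2, em2 = LAN), the addresses and the sample lines are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample in the layout `pfctl -ss` prints: interface, protocol,
# source, optional pre-NAT source in parentheses, direction, peer, state.
# Assumed names: em0 = WAN1 (Tier 1), em1 = WAN2 (Tier 2), em2 = LAN.
sample_states() {
cat <<'EOF'
em2 udp 8.8.8.8:53 <- 192.168.1.50:53211       MULTIPLE:MULTIPLE
em1 udp 198.51.100.2:61034 (192.168.1.50:53211) -> 8.8.8.8:53       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.2:40112 (192.168.1.20:50500) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.2:18822 (192.168.1.21:40001) -> 8.8.8.8:53       MULTIPLE:SINGLE
em1 udp 198.51.100.2:9921 (192.168.1.51:49152) -> 8.8.4.4:53       SINGLE:NO_TRAFFIC
em1 tcp 198.51.100.2:33012 (192.168.1.50:53900) -> 8.8.8.8:53       ESTABLISHED:ESTABLISHED
EOF
}

# stale_states IFACE DEST
# Reads `pfctl -ss` lines on stdin and prints the outbound ("->") states
# that are bound to IFACE and point at DEST, on any port. IPv4 only:
# the host is taken as the text before the first ":" of the destination.
stale_states() {
    awk -v ifc="$1" -v dst="$2" '
        $1 != ifc { next }              # state belongs to another interface
        {
            for (i = 3; i < NF; i++) {
                if ($i == "->") {       # field after the arrow is host:port
                    split($(i + 1), hp, ":")
                    if (hp[1] == dst) print
                }
            }
        }'
}

# On the firewall itself the input would be the live table:
#   pfctl -ss | stale_states em1 8.8.8.8
# Here the constructed sample is used so the script runs anywhere.
sample_states | stale_states em1 8.8.8.8
```

Any line printed after failback is a state still pinned to WAN2. `pfctl -k 0.0.0.0/0 -k 8.8.8.8` removes every state towards that host, and the clients' next queries then create new states through the current default gateway.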

