Failover enabled but DNS not respecting rule
WAN1 (default GW) Tier1 DNS: 22.214.171.124
WAN2 Tier2 DNS: 126.96.36.199
DNS forwarding is enabled. DHCP sets the router's IP as DNS, but a few clients apparently use 188.8.131.52.
Works as planned and as documented: (almost) all traffic goes via WAN1 as expected.
However, all queries to 184.108.40.206 are routed via WAN2. That should not happen. I don't have any overriding rules for TCP/UDP 53. Those queries should go via WAN1 like everything else, IMHO. I don't have anything 220.127.116.11-related in the router settings.
While debugging the above issue, I noticed that even if I set WAN2 to Tier 1, all traffic still goes via WAN1. That is what I want, actually, but it should be load balancing round-robin, right?
I have set up my configuration like this:
So I can see that it is not exactly according to best practices. So I changed the LAN rule to the GW group and the GW2 tier to 2. The failover part works as planned, naturally. But… for some reason 18.104.22.168:53 still gets routed to the passive WAN2 interface. How come pfSense decides that those DNS queries should ONLY go to the WAN2 interface while the default GW is WAN1 and gigabytes go through WAN1 as configured... weird.
In a normal situation this would not matter, but I use a "pay as you go" WAN2 ISP, which means that a daily fee triggers when traffic goes beyond the threshold level. And... it goes over with those DNS queries easily...
Ok, I think this is what happened:
Since the last failover, there was a 22.214.171.124 state left active. And probably it was being used so frequently that it stayed active for days after failback. To me, it looked like new 126.96.36.199 queries were being routed to the passive node, but actually pfSense respected the active state and routed new queries to WAN2. After deleting the remaining state manually, no more "weird" 188.8.131.52 traffic to WAN2.
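The stale-state diagnosis in the last post suggests a quick check. The following is an added example, not part of the original thread and not pfSense's own code: a POSIX sh dry-run script that reads `pfctl -ss` output, lists port-53 states that are pinned to a given interface, and prints the `pfctl -k` commands that would clear them. The interface names (igb0 standing in for WAN1, igb1 for WAN2), the addresses and the state lines are constructed samples, not captured from the poster's box.

```shell
#!/bin/sh
# Added example (not from the original post): locate DNS states pinned to a
# given interface in `pfctl -ss` output and build the `pfctl -k` commands
# that would clear them. Dry run only: it prints commands and runs nothing.
# Interface names, addresses and state lines below are constructed samples.

# Constructed sample of `pfctl -ss` output in pfSense/FreeBSD format:
#   <iface> <proto> <src> [(<pre-NAT src>)] -> <dst>   <state>
# igb0 plays WAN1, igb1 plays WAN2; 198.51.100.1 and 203.0.113.1 stand in
# for upstream resolvers. Two stale port-53 states sit on igb1.
SAMPLE_STATES='igb0 tcp 192.168.1.20:51422 -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.15:53211 -> 198.51.100.1:53       MULTIPLE:MULTIPLE
igb0 udp 192.168.1.15:53212 -> 198.51.100.1:53       MULTIPLE:MULTIPLE
igb1 tcp 203.0.113.77:44122 (192.168.1.30:44122) -> 203.0.113.1:53       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.40:60000 -> 192.0.2.123:123       MULTIPLE:MULTIPLE'

# dns_states_on IFACE STATES
# Print every state line on IFACE whose destination port is 53. The source
# may carry a pre-NAT address in parentheses, so the destination is taken
# as the field after "->" rather than from a fixed column.
dns_states_on() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1)
            if (dst ~ /:53$/) print
        }'
}

# count_dns_states_on IFACE STATES
# Number of port-53 states on IFACE (what you would expect to be 0 on the
# passive WAN after failback).
count_dns_states_on() {
    dns_states_on "$1" "$2" | wc -l | tr -d ' '
}

# kill_commands IFACE STATES
# For each matching state, emit "pfctl -k SRC -k DST" with ports stripped,
# the form pf uses to kill states from host SRC to host DST. SRC is the
# address pfctl prints first; for NATed states that is the translated one,
# and the pre-NAT address is the one in parentheses (assumption: if the
# kill does not take on your version, try that address instead).
kill_commands() {
    dns_states_on "$1" "$2" | awk '{
        src = $3; sub(/:[0-9]+$/, "", src)
        for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1)
        sub(/:[0-9]+$/, "", dst)
        printf "pfctl -k %s -k %s\n", src, dst
    }'
}

# Stand-alone run against the constructed sample. On a real box, replace
# "$SAMPLE_STATES" with "$(pfctl -ss)" (needs root: SSH shell or
# Diagnostics > Command Prompt in the pfSense GUI).
echo "DNS states on igb1: $(count_dns_states_on igb1 "$SAMPLE_STATES")"
kill_commands igb1 "$SAMPLE_STATES"
```

Run live as `dns_states_on igb1 "$(pfctl -ss)"` with the real WAN2 interface name; the GUI equivalent is Diagnostics > States with a filter on `:53` and the interface. The point the thread arrives at is that a gateway-group rule only decides the path for new states; a state created while WAN2 was the active gateway stays on WAN2 until it expires or is killed, and a resolver that is queried constantly never goes idle long enough to expire. Whether a given pfSense version kills states on gateway recovery, not only on failure, depends on the gateway monitoring options under System > Advanced > Miscellaneous, so check those before relying on failback alone.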