Multi-WAN DNS issue



  • Hi

    I have recently set up my first pfSense router and need some help configuring it.

    I am on version 2.4.2

    My setup is this:

    2 x WAN connections in a gateway group (both Tier 2, same ISP, with the same gateway), with WAN 1 as the default

    2 x OpenVPN connections in a separate gateway group (Tier 1), one connecting over WAN 1 and one connecting over WAN 2

    I have the DNS Resolver in forwarding mode with DNS servers set (Google and OpenVPN), and "Allow DNS server list to be overridden by DHCP/PPP on WAN" unchecked.

    I have Squid proxy enabled with WPAD set up.

    I have one LAN, and it is set so that the IP address range 192.168.1.21 – 192.168.1.199 has all traffic go out over the load-balanced WAN interface, and the range ...200 – 254 goes out over the load-balanced OpenVPN connections.

    The VPN connections are for my web browsing and torrenting, so I do not want my actual IP address showing at any point.

    My firewall rules are these:

    IPv4 | Source: VPN_network range (200-254) | port * | destination * | Gateway: OpenVPN_LOadbalanging

    IPv4 | Source: Normal_network range (20-199) | port * | destination * | Gateway: Multi_ISP_WAN_Gateway

    I have removed the default allow-all over the default gateway. If I disable the OpenVPN services, traffic will not go out the WAN gateways, which is what I want.

    Now my problem is this:

    When I do an IP address lookup / DNS leak test (e.g. whatsmyip.org), it shows the IP address for my WAN 1 connection and not the VPN connection, even though the traffic (confirmed via speed test) is going out via the correct gateways. I think it must be sending DNS queries over the default WAN.

    I can fix it by setting the default gateway to be one of the OpenVPN gateways; however, if this interface drops it brings down the connection for the entire network, which is why I don't have it as the default.

    Any suggestions on how to stop this and get it working? As this is for torrenting and private browsing, having my main ISP's IP address accessible is not desirable.



  • anyone?  :'(



  • anyone have any ideas as how to fix this?



  • You are probably using the pfSense box's unbound as your one and only resolver. So naturally, per your rules, since it is the .1 address it goes out over WAN. Your clients are simply querying the pfSense box.

    For the clients in the .200-.254 range, set the DNS to be either that provided by your OpenVPN provider or simply Google DNS. That will force the clients to query something other than the .1, and make it go out your VPN connection.



  • @yellowbrick:

    You are probably using the pfSense box's unbound as your one and only resolver. So naturally, per your rules, since it is the .1 address it goes out over WAN. Your clients are simply querying the pfSense box.

    For the clients in the .200-.254 range, set the DNS to be either that provided by your OpenVPN provider or simply Google DNS. That will force the clients to query something other than the .1, and make it go out your VPN connection.

    Thanks, I did consider this, but removing the .1 from the DNS on the local machines would remove the ability for those machines to use local resources via hostname, e.g. my fileserver.

    Is there a firewall rule or something I can put in place to force all these queries over the OpenVPN load-balanced connection?



  • What you are trying to do has nothing to do with the firewall as such. You will want to implement split DNS for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.
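The following is an added example, not code from any participant in this thread or from pfSense itself. It models the two points the replies make: a query sent to the firewall's own resolver (192.168.1.1) for a non-local name is forwarded by unbound as firewall-originated traffic, which follows the routing table and its default gateway rather than the LAN policy-routing rules, while a query a client sends directly to another resolver is policy-routed by the client's source address like any other LAN traffic. The script implements the longest-suffix match that client-side split DNS relies on (local zone to the firewall, everything else to the VPN provider's resolver) and flags which query names would leave via WAN 1 for a client in the VPN range. The local zone name `lan`, the VPN resolver address 10.8.0.1 and the gateway label `WAN1` are assumptions; the address ranges and gateway group names come from the original post (spelling normalised).

```python
"""Split-DNS resolver selection and DNS-leak check for the multi-WAN/multi-VPN
setup discussed in this thread.  Added example; not from the thread or pfSense.
Assumed values: local zone "lan", VPN provider resolver 10.8.0.1, label "WAN1"."""
from ipaddress import IPv4Address

LAN_RESOLVER = "192.168.1.1"   # pfSense unbound in forwarding mode
VPN_DNS = "10.8.0.1"           # assumed: resolver pushed by the VPN provider

# Zones that unbound answers itself (host overrides / DHCP leases); a query for
# these never leaves the firewall.  "lan" is an assumed local zone name.
LOCAL_ZONES = ("lan", "168.192.in-addr.arpa")

# Client-side split-DNS table: zone suffix -> resolver.  "" is the catch-all.
SPLIT_DNS = {zone: LAN_RESOLVER for zone in LOCAL_ZONES}
SPLIT_DNS[""] = VPN_DNS

# Policy-routing rules from the post, applied to traffic entering LAN.
POLICY_RULES = [
    ("192.168.1.200", "192.168.1.254", "OpenVPN_Loadbalancing"),
    ("192.168.1.21", "192.168.1.199", "Multi_ISP_WAN_Gateway"),
]
FIREWALL_DEFAULT_GW = "WAN1"   # route the firewall's own upstream queries take


def _labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


def pick_resolver(name: str, table=SPLIT_DNS) -> str:
    """Longest-suffix match of a query name against the split-DNS table."""
    labels = _labels(name)
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in table:
            return table[zone]
    return table[""]


def is_local(name: str) -> bool:
    n = ".".join(_labels(name))
    return any(n == z or n.endswith("." + z) for z in LOCAL_ZONES)


def policy_gateway(src: str) -> str:
    """Gateway chosen by the LAN rules for a client-originated packet."""
    ip = IPv4Address(src)
    for lo, hi, gw in POLICY_RULES:
        if IPv4Address(lo) <= ip <= IPv4Address(hi):
            return gw
    return FIREWALL_DEFAULT_GW   # no matching rule: routing table decides


def query_egress(client: str, name: str, resolver: str) -> str:
    """Where a client's DNS query for `name` leaves the network.

    To the firewall's resolver: local zones are answered on the box ("local");
    anything else is forwarded by unbound, i.e. firewall-originated traffic that
    follows the default route, not the LAN policy rules.  To any other resolver:
    the query is client traffic and is policy-routed by source address."""
    if resolver == LAN_RESOLVER:
        return "local" if is_local(name) else FIREWALL_DEFAULT_GW
    return policy_gateway(client)


def egress_plan(client: str, names, resolver_for) -> dict:
    """Map each name to its egress given a name -> resolver choice function."""
    return {n: query_egress(client, n, resolver_for(n)) for n in names}


def leaking_names(plan: dict, allowed=("local", "OpenVPN_Loadbalancing")) -> list:
    """Names whose lookup would leave through a gateway outside `allowed`."""
    return sorted(n for n, gw in plan.items() if gw not in allowed)


if __name__ == "__main__":
    vpn_client = "192.168.1.210"            # constructed host in the VPN range
    names = ["fileserver.lan", "whatsmyip.org", "tracker.example.net"]
    before = egress_plan(vpn_client, names, lambda n: LAN_RESOLVER)  # DNS = .1 only
    after = egress_plan(vpn_client, names, pick_resolver)            # split DNS
    print("all DNS to .1  :", before, "leaks:", leaking_names(before))
    print("split DNS      :", after, "leaks:", leaking_names(after))
```

The "leaks" list for the all-to-.1 case is exactly the symptom in the first post: the public names resolve through WAN 1 while the data traffic is policy-routed over the VPN, so a leak-test site sees the ISP address of the resolver. With the split table the local hostname still goes to the firewall and is answered there, and every other name is resolved by a query the client itself sends over the VPN gateway group. Two checks worth making on a real deployment: confirm the VPN resolver is only reachable through the tunnel (otherwise a tunnel drop turns into cleartext queries over WAN), and verify with a packet capture on WAN 1 that no port 53 traffic appears while a VPN-range client browses.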

