    Multi-Wan and OpenDNS

    Category: DHCP and DNS
    turk182:

      Current setup:

      4 WAN links; 1 LAN on an older Intel Xeon X3220 with 8 GB RAM
      DNS Forwarder -> DISABLED;
      DNS Resolver -> DISABLED;
      Allow DNS server list to be overridden by DHCP/PPP on WAN: Disabled;
      Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall: Enabled;

      For DNS: Active Directory
      Active Directory forwarders set up as:
      208.67.222.222
      208.67.220.220

      pfSense firewall rules allow only the OpenDNS servers listed above on port 53 and deny all other DNS servers.

      Question:

      General Setup -> Settings -> WAN 1 DNS Server: 208.67.222.222;
      General Setup -> Settings -> WAN 2 DNS Server: 208.67.220.220;

      In the General Setup settings for DNS, is it OK NOT TO ASSIGN a DNS server for two of the WAN links, WAN 3 and WAN 4?

      The reason for this is to ensure that connections use the OpenDNS servers.

      Derelict (Netgate):

        In that case those settings will only be used for queries from the firewall itself.

        Honestly, I would probably just tell pfSense to also use the inside AD servers for DNS resolution if I had a setup like that.

        Set the DNS servers in System > General Setup to the AD server addresses without a gateway set and be sure DNS Server Override IS NOT checked and Disable DNS Forwarder IS checked. (looks good)

        That will result in an /etc/resolv.conf on pfSense itself containing only the AD servers as nameservers. When the AD servers go out to get answers, the queries come into the interface and can be policy routed however you desire.

        Else you need a different DNS server for every WAN, or you need to enable default gateway switching, which is a pretty big hammer considering you can just use inside servers to resolve names.


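As an added illustration of the check Derelict's reply implies (this is editor-added example code, not code from the thread or from pfSense itself): after setting the AD servers in System > General Setup with no gateway, DNS Server Override unchecked and Disable DNS Forwarder checked, the firewall's /etc/resolv.conf should list only the AD servers. The POSIX sh below parses a file in the format pfSense writes and flags any nameserver that is not one of the inside AD servers. The AD addresses 10.0.0.10 and 10.0.0.11, and both sample files, are constructed for the example; the "leaky" sample is what you would catch if the per-WAN OpenDNS entries from the question were still present in General Setup.

```shell
#!/bin/sh
# Editor-added example: audit a pfSense-style /etc/resolv.conf so that it
# contains only the inside Active Directory DNS servers.
# The AD addresses below are an assumption for the example, not from the thread.
AD_SERVERS="10.0.0.10 10.0.0.11"

# Print every "nameserver" entry in file $1 that is not in the space-separated
# allow list $2. Prints nothing when the file is clean.
unexpected_nameservers() {
    _file=$1
    _allowed=$2
    awk '$1 == "nameserver" { print $2 }' "$_file" | while IFS= read -r ns; do
        hit=no
        for a in $_allowed; do
            if [ "$ns" = "$a" ]; then hit=yes; fi
        done
        if [ "$hit" = no ]; then printf '%s\n' "$ns"; fi
    done
}

# Return 0 only if file $1 has at least one nameserver and all of them are
# in allow list $2; return 1 otherwise.
resolv_conf_ok() {
    if [ -n "$(unexpected_nameservers "$1" "$2")" ]; then return 1; fi
    if ! grep -q '^nameserver ' "$1"; then return 1; fi
    return 0
}

# Constructed sample files (stand-ins for /etc/resolv.conf on the firewall).
GOOD=$(mktemp)
LEAKY=$(mktemp)
trap 'rm -f "$GOOD" "$LEAKY"' EXIT

# What the settings in the reply should produce: AD servers only.
cat > "$GOOD" <<'EOF'
domain example.internal
nameserver 10.0.0.10
nameserver 10.0.0.11
EOF

# Constructed failure case: the per-WAN OpenDNS entries are still listed in
# General Setup, so the firewall itself would bypass the AD servers.
cat > "$LEAKY" <<'EOF'
domain example.internal
nameserver 10.0.0.10
nameserver 10.0.0.11
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF

for f in "$GOOD" "$LEAKY"; do
    if resolv_conf_ok "$f" "$AD_SERVERS"; then
        echo "$f: OK, only AD nameservers present"
    else
        echo "$f: FAIL, unexpected nameservers:"
        unexpected_nameservers "$f" "$AD_SERVERS"
    fi
done
```

On a live firewall you would point the functions at /etc/resolv.conf instead of the constructed files; anything other than the AD addresses showing up there means either the override setting or a per-WAN DNS entry is still in play.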
        turk182:

          Thanks for responding. Will give it a try.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.