[SOLVED] Dual WAN failover, can't access 99% of the websites. Need help
-
So, I set up everything, but when I unplug the main WAN I can't browse anywhere except the Netgate forum and 2 websites related to our VoIP services that we pay for.
I don't have squid set up yet.
Here are my firewall rules:
I tried to add port 443 in Floating Rules but didn't make any difference.
I am not a network guru but definitely not a noobie; however, there are certain little things I missed or simply don't understand yet.
-
@pfrickroll Do you have automatic Outbound NAT rules or manual?
If manual, you have to add permission for the LAN and localhost (for pfSense to do DNS lookups and software updates) for the second WAN connection. Although you shouldn't be able to access anything if that wasn't set up.
It could be, however, that if LAN access is enabled but 127.0.0.1 is not, pfSense is somehow using cached DNS results, which is why only some sites work.
You shouldn't need any floating rules as you already directed all LAN traffic over DualWan in the LAN rule.
This is what mine looks like:
-
All rules are automatic, I didn't set up any. I also disabled the DNS Forwarder.
-
@pfrickroll How are you handling DNS then? Hard coding on every client or using resolver?
If you use DNS Resolver make sure both WAN interfaces are selected for Outgoing Network Interfaces. It probably has ALL selected as default which is usually fine, depending on if you have any other interfaces that might not be appropriate (I have VPNs for example I don't want DNS going over).
-
@alex-atkin-uk said in Dual WAN failover, can't access 99% of the websites. Need help:
@pfrickroll How are you handling DNS then? Hard coding on every client or using resolver?
If you use DNS Resolver make sure both WAN interfaces are selected for Outgoing Network Interfaces. It probably has ALL selected as default which is usually fine, depending on if you have any other interfaces that might not be appropriate (I have VPNs for example I don't want DNS going over).
By hard coding, do you mean this?
Here are my LAN rules; I do have the DUALWAN group set up and it's in the LAN rules as well.
-
@pfrickroll Ah, I see, that doesn't stop the rest of the LAN using the DNS Forwarder, only pfSense itself. Did you actually want to do that or disable the DNS Forwarder entirely? (not sure why you would do either tbh)
For starters I'd keep it simple, keep Disable DNS Forwarder ticked, untick DNS Server Override and only have 8.8.8.8 and 8.8.4.4 in the DNS Servers list, so we know only a single reliable provider is being used.
I got a telling off by Netgate before for mixing DNS providers as it causes inconsistency in DNS lookup results. It usually works fine, but it's not recommended.
-
@alex-atkin-uk So, I left only both Google DNS IPs and still the same thing. I then enabled the DNS Forwarder and still nothing. I am not a pro yet; when I enable the DNS Forwarder in Services, do I have to tick any other options there?
-
Also, in System > Routing, should I leave the monitor IP blank, which will reflect my Comcast/Verizon gateways, or put 8.8.8.8 there for the first gateway and 8.8.4.4 for the 2nd?
-
@alex-atkin-uk So, I enabled the DNS Forwarder without selecting anything else in the options, then I put monitor IPs of 8.8.8.8 for Comcast and 8.8.4.4 for Verizon, and everything began working as intended.
I also appreciate your time responding to my post and helping me out.
-
Read this: https://docs.netgate.com/pfsense/en/latest/book/routing/gateway-settings.html#monitor-ip very carefully and then think about what you are currently doing.
-
@grimson said in Dual WAN failover, can't access 99% of the websites. Need help:
Read this: https://docs.netgate.com/pfsense/en/latest/book/routing/gateway-settings.html#monitor-ip very carefully and then think about what you are currently doing.
You mean, as if I am doing something completely wrong and careless?
-
@grimson Ok, I see it now. Lots of things make sense, thank you.
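Added example, not from the thread or from pfSense itself: a small Python model of the point the linked gateway-settings page makes about monitor IPs when the monitor address is also a client DNS server. It assumes pfSense's behaviour of installing a host route for each monitor IP via its own gateway; the gateway names and the 198.51.100.1/203.0.113.1 monitor addresses are constructed placeholders.

```python
# Toy model of monitor-IP host routes vs. DNS servers (added illustration).
# Assumption modelled: pfSense routes each gateway's monitor IP through that
# gateway, so traffic to it always leaves via that WAN, failover or not.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str        # constructed gateway name for this model
    monitor_ip: str  # address pinged for the gateway's up/down status
    up: bool = True


def active_gateway(gateways, tier_order):
    """Failover group: the first gateway in tier order that is still up."""
    by_name = {g.name: g for g in gateways}
    return next((n for n in tier_order if by_name[n].up), None)


def egress_for(dst, gateways, default):
    """Gateway a packet to dst uses: a monitor-IP host route wins over the
    default route (the failover group's currently active gateway)."""
    for gw in gateways:
        if gw.monitor_ip == dst:
            return gw.name
    return default


def dns_at_risk(dns_servers, gateways, tier_order):
    """DNS servers whose queries are pinned by a monitor-IP route to a
    gateway that is currently down, i.e. queries that will be black-holed."""
    active = active_gateway(gateways, tier_order)
    down = {g.name for g in gateways if not g.up}
    return [ip for ip in dns_servers if egress_for(ip, gateways, active) in down]


def thread_scenario():
    """Primary WAN unplugged, DNS servers 8.8.8.8 and 8.8.4.4 as in the
    thread. First result: monitor IPs equal to the DNS servers (the thread's
    setup). Second: monitor IPs that are not used for DNS (constructed
    TEST-NET addresses standing in for ISP-side hops)."""
    tiers = ["WAN_COMCAST", "WAN_VERIZON"]
    dns = ["8.8.8.8", "8.8.4.4"]
    as_configured = [Gateway("WAN_COMCAST", "8.8.8.8", up=False),
                     Gateway("WAN_VERIZON", "8.8.4.4")]
    separated = [Gateway("WAN_COMCAST", "198.51.100.1", up=False),
                 Gateway("WAN_VERIZON", "203.0.113.1")]
    return dns_at_risk(dns, as_configured, tiers), dns_at_risk(dns, separated, tiers)
```

With the thread's setup, every query to 8.8.8.8 still leaves via the dead Comcast link after failover, so clients only work once their resolver times out and retries 8.8.4.4; with monitor addresses that are not DNS servers, nothing is pinned to the down gateway.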