Multi-WAN with local DNS server (Pi-hole)
-
@nazar-pc said in Multi-WAN with local DNS server (Pi-hole):
Pi-hole forwards it (I think) to upstream DNS servers
And you allow that on pfsense, you're not doing dns redirection on pfsense.
If pihole is asking say 1.1.1.1, it's really no different than some client set to use 1.1.1.1, it would route via your policy routing just like any other client on your network.. Unless you're doing some redirection of dns on pfsense.
-
@johnpoz said in Multi-WAN with local DNS server (Pi-hole):
And then where does pihole go to lookup what you ask it?
Google/CloudFlare. I tried to have it go to Pi-hole first and then to pfSense, but it makes it impossible to SSH into Pi-hole before it is up and running (especially if it has issues) by machine name. I could use IP address, but it was more convenient to keep pfSense in control and Pi-hole as an optional side-car.
-
@nazar-pc said in Multi-WAN with local DNS server (Pi-hole):
but it was more convenient to keep pfSense in control and Pi-hole as an optional side-car.
Either way it's a sidecar to be honest.. You either point your clients to pihole or you point them to pfsense or elsewhere. Simple enough to change where a client points to if pihole is down, or you don't want to use the filtering of pihole.
I have been running pihole for multiple years, have never had any issue with it coming up or going offline, etc.
Is your pihole using dhcp for its address? Not sure why the pihole IP would ever change - so to ssh into it, why would you not just set your ssh client to point to the IP. So you don't have the connection saved in your ssh client, so you don't have to type in anything be it an IP or a fqdn? What if unbound dies on pfsense, now you can not resolve the fqdn of your pihole ;)
If you need to ssh to something that runs your dns, yeah it's a good idea to use the IP always - because if dns is down ;)
-
@johnpoz said in Multi-WAN with local DNS server (Pi-hole):
Is your pihole using dhcp for its address?
It does, I have a static mapping for it. Anyway, that is a bit off-topic here, there were no loops and issues with IP addresses. In fact nothing changed except the gateway as far as I understand.
And it fixed itself somehow after me fighting it for hours 🥲
-
Okay, I see at least one problem, I think it is actually the one I saw before.
While Pi-hole works properly all the time, pfSense's DNS resolver only works as long as the WAN interface that was "default" at the moment of its startup is not down. If one WAN is down and another becomes "default", I need to restart DNS server to get it fixed.
I read in the docs that I might need to provide two different DNS servers, one for each WAN, but as described before, I only have one DNS server in local network. I can try to give it two distinct IP addresses just to satisfy pfSense's UI, but it doesn't make a lot of sense to me, feels like it shouldn't be necessary.
-
@nazar-pc said in Multi-WAN with local DNS server (Pi-hole):
If one WAN is down and another becomes "default", I need to restart DNS server to get it fixed.
If you use the localhost as your outbound interface, shouldn't matter since unbound would be bound to the local host, and use routing whatever that might be at the time to get to the NS you have setup.
-
@johnpoz said in Multi-WAN with local DNS server (Pi-hole):
@nazar-pc said in Multi-WAN with local DNS server (Pi-hole):
If one WAN is down and another becomes "default", I need to restart DNS server to get it fixed.
If you use the localhost as your outbound interface, shouldn't matter since unbound would be bound to the local host, and use routing whatever that might be at the time to get to the NS you have setup.
"Outgoing Network Interfaces" in resolver settings is set to "All" (I believe that is the default). Should I change it to localhost instead (doesn't make too much sense to me) or am I not understanding you correctly?
-
@nazar-pc yeah set it to just localhost, that is what I use..
Now for a test pull your wan connection.. Does dns still work..
edit: here you go... So I setup my 2.6 VM to have 2 wan connections. And to forward queries to 1.1.1.1 so easier for me to track where dns is going. So you can see by default it's using the 3.100 interface, and the state is out the 3.100 interface
Notice the state is from 127.0.0.1
Now I took that interface offline via blocking its pings to the upstream pfsense interface it was using as its wan..
Notice the gateway changed to the 2.219 interface - see how the globe on the gateway changed. Now look at state for how it gets to 1.1.1.1, it's still from 127.0.0.1, but outbound it's using the wan2 connection on 2.219
When you use localhost as the outbound, how it gets to where it wants to go would be via normal routing. And the interface it was bound to didn't go away or having issues. When you bind it to an interface with the all, and that interface say isn't able to get anywhere.. How does unbound know?
To be honest I think that using localhost as the outbound interface would be a better default. But maybe that is just me.. But I always change my setup to use localhost vs all, or any specific interface. There are reasons why you might want to bind to only a specific interface. All or localhost does give you less control over which interface unbound "could" use to do a query outbound. But use of localhost is more robust in issues with any specific connection.. It will just use whatever the routing is to get to where it's trying to go.
-
@johnpoz When I change that to localhost, it stops working completely. Remember, in my case it is LAN->pfSense->Pi-hole->upstream. I guess it can't reach Pi-hole when I select localhost. Doesn't resolve any public DNS records even if both gateways are up.
-
@nazar-pc said in Multi-WAN with local DNS server (Pi-hole):
I guess it can't reach Pi-hole when I select localhost.
Ah that might be an issue because not doing nat.. The local host would get natted when going out whatever wan interface you're using.
Select both your localhost and whatever lan side interface you might need to use to talk to internal NS, say your pihole.
But if you were forwarding to pihole for everything.. it shouldn't matter since any query from pihole on your network should be doing routing through pfsense to whatever pihole is trying to go too.
Did you turn off maybe killing states on a gateway change - I could see that as a problem because if you had an existing state out wan1.. And then wan1 wasn't working, any connection from pihole might be using that state and trying to go out wan1 still..
If you're wanting to use failover for wan connections, you should leave pfsense killing states when a gateway goes offline. Pretty sure that is default for pfsense to kill all states when a wan goes away using that wan.
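As an added illustration (not from this thread, and not pfSense's generated file), the unbound.conf directives that the "Outgoing Network Interfaces" choice corresponds to, with the "All" form beside the localhost + LAN form suggested above; pfSense writes this file from the GUI, and all addresses are constructed placeholders:

```conf
# Added illustration, not pfSense's own unbound.conf. Addresses are placeholders.
server:
    # "All": unbound sources upstream queries from every interface address,
    # WANs included. If the WAN it picked loses upstream connectivity, it keeps
    # sending from that address and has no way to notice the route is dead.
    #outgoing-interface: 203.0.113.10   # WAN1 (placeholder)
    #outgoing-interface: 198.51.100.10  # WAN2 (placeholder)
    #outgoing-interface: 192.168.1.1    # LAN  (placeholder)

    # Localhost plus LAN: queries leave from 127.0.0.1 and follow whatever the
    # routing table says at that moment, so a gateway switch is transparent.
    # The LAN address is added because traffic toward an internal forwarder is
    # not NATed, so a query sourced from 127.0.0.1 could not reach Pi-hole.
    outgoing-interface: 127.0.0.1
    outgoing-interface: 192.168.1.1

# Forwarding mode: pfSense hands every query to Pi-hole; Pi-hole's own
# upstream queries then route through pfSense like any other LAN client.
forward-zone:
    name: "."
    forward-addr: 192.168.1.53   # Pi-hole (placeholder)
```

Pair this with leaving state killing on gateway failure enabled, so an existing state pinned to a failed WAN is not reused after the gateway switches.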
-
@johnpoz said in Multi-WAN with local DNS server (Pi-hole):
Did you turn off maybe killing states on a gateway change - I could see that as a problem because if you had an existing state out wan1.. And then wan1 wasn't working, any connection from pihole might be using that state and trying to go out wan1 still..
If your wanting to use failover for wan connections, you should leave pfsense killing states when a gateway goes offline. Pretty sure that is default for pfsense to kill all states when a wan goes away using that wan.
It was turned off indeed. I might have changed it, even though I don't recall it. I think that was it, seems to work now. I'll monitor it further, but looks promising so far, thanks a lot!
Web interface becomes unresponsive for a minute or so when one of the interfaces goes down though (with 10 processes configured for it)
-
@nazar-pc so interface can be slow if no dns.. So while your dns is in the middle of switching over, or something - yeah you could prob see a slow down in the gui..
Lot of times it's like checking for a update, and rest of gui doesn't want to load until that is finished sort of thing.