Multi Wan Question



  • I have followed the guides on setting this up.

    I am running the official RC1 build.

    I have one LAN interface, and WAN and WAN1. 
    I have a gateway for each WAN interface.  With no default route selected.

    I have built 3 Gateway groups:
    WAN and WAN1 LB Group
    WAN down fail to WAN1 Group
    WAN1 down fail to WAN Group

    Under Firewall Rules for LAN I have 3 Entries they are in the list in this order:
    One uses WANandWAN1 Gateway
    One uses WANFailovertoWAN1 Gateway
    One uses WAN1FailovertoWAN Gateway

    Everything works from the LAN as I expect it to.  I disconnect WAN NIC and everything routes over WAN1, I unplug WAN1 and everything routes over WAN.

    Where I hit an issue is the pfSense box.  All traffic goes over WAN.  If WAN1 is DCed not a problem, but when WAN goes down I can't seem to route out to the net from the pfSense box.

    Anyone have any ideas on what I should look at?

    Thanks,
    Matthew



  • After more testing, I can only get DNS lookups from the internet from pfSense box if WAN is up.  So how do I fix this?


  • Netgate Administrator

    In the instructions for 1.2.3 (I've not tried on 2.0) it says you must have one DNS server from each WAN. I have found this to be true but in my case one connection is far more reliable than the other so I just use that.
    In fact I use Google's public DNS which should be accessible from either WAN but I guess there may be a routing issue.

    Steve



  • Ya I am using Google's public as well.

    I can do a ping -t 8.8.8.8 and when WAN is up all good, when WAN goes down it stops responding.  Even though WAN1 is up.  I can ping the same from a host behind the firewall and I don't lose a packet.



  • Hewdy,
    In 2.0 you set one or more DNS servers under System-General Setup. You can force pfsense (and therefore clients on your network that use pfsense as dhcp/dns server) to use the DNS server for the proper ISP on each wan that is up. (Many ISPs only allow recursive lookups for requests from their own IP ranges so it'd be important to do that if you use ISP dns servers.)  If you have only publicly available DNS server(s) set up there AND you don't have the box checked to allow your dial-up WANs to override it then it should work unless your ISP blocks port 53 (like if they want to force you to use their DNS) or if your pfsense rules are stopping it. Did you modify the default lan rule or add any lan/wan rules that might come into play? (Very odd that it'd just block DNS but without seeing what your rules are it is tough to do more than guess.) Of course many other possibilities like messed up routes/gateways/groups or such as well but maybe that gives you a few to check on.
    Bill



  • Changed DNS… it doesn't actually block DNS.  The problem is when the default WAN goes away I can't get traffic from the console to go out the secondary.  From the host it works.

    Now I have gotten farther into the problem.. So here is problem 2 which I think may be related.  I have traffic routing in on port 80 to a pool.  The rule is set up to allow on both interfaces.. however if I try to go to the secondary it doesn't allow the traffic.. Well actually I see an allow in the logs, but then I get a denied on the path back if I am reading this correctly..

    Blocked Apr 8 21:20:26 LAN   192.168.20.111:80    76.22.113.76:52583  TCP:SA 
    Passed  Apr 8 21:20:17 WANXO   76.22.113.76:52592    192.168.20.111:80  TCP:S
    

    I am sure I am missing something.  There aren't a lot of guides on this that have everything.



  • After combing the forums I found this link.  I believe this is the exact problem I am having…
    http://forum.pfsense.org/index.php/topic,35264.0.html

    Thanks to everyone for the feedback.

