Multiple WAN DNS issue when primary fails



  • This is my first attempt at pfSense. I must admit, I am very impressed with it; installation was smooth (aside from one confusing question I'll report on later) and it worked out of the box supporting all 3 NICs. Once the initial walk-through was complete, everything just worked to connect the LAN to the primary WAN. Excellent.

    On to my setup. I used pfSense v2.0 i386 downloaded yesterday. I am running 2 cable modems. I have 3 interfaces set up: WAN, WAN2, and LAN.
    WAN IP = 75.xxx.xxx.81
    WAN Gateway = 75.xxx.xxx.1
    WAN DNS (as shown in Status->Interfaces) = 127.0.0.1, 209.xxx.xxx.61, 209.xxx.xxx.62, 208.67.220.220, 208.67.222.222; Set to 208.67.220.220 in System->General Setup
    WAN Interface is Enabled
    WAN Type = DHCP
    WAN Interface is Default

    WAN2 IP = 65.xxx.xxx.79
    WAN2 Gateway = 65.xxx.xxx.1
    WAN2 DNS = ? NOT shown in Status->Interfaces. But I set it to 208.67.222.222 in System->General Setup
    WAN2 Type = DHCP
    WAN2 Interface is Enabled

    LAN IP of pfSense=192.168.1.1

    System->Gateways->Gateway Tab has the following Gateways:
    Name=WAN (default) Gateway=75.xxx.xxx.1 Interface WAN Dynamic Gateway
    Name=WAN2 Gateway=65.xxx.xxx.1 Interface WAN2 Dynamic Gateway

    System->Gateway Groups->Groups Tab has the following group:
    Name=Wan1BalanceWan2 WAN=Tier 1 WAN2=Tier 1 Trigger Level=Packet Loss or High Latency

    System->General Setup has the following altered from default:
    DNS Server 208.67.220.220 Uses gateway = WAN
    DNS Server 208.67.222.222 Uses gateway = WAN2
    Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED

    MY PROBLEM:
    Test 1: I boot up pfSense with just WAN connected. I can get online just fine. If I connect WAN2, it shows up, however I cannot resolve DNS queries over WAN2. To verify this, I disconnect the WAN cable and can ping any internet IP successfully, but cannot ping google.com or yahoo.com.

    Test 2:  I boot up pfSense with just WAN2 connected. I can get online just fine. If I connect WAN, it shows up, however I cannot resolve DNS queries over WAN. To verify this, I disconnect the WAN2 cable and can ping any internet IP successfully, but cannot ping google.com or yahoo.com.

    So whichever WAN is originally connected at bootup can successfully resolve DNS names, but the other WAN connection cannot. This is going to be an issue if the primary ever fails or is lagging badly.

    How do I fix this? What did I do wrong or miss?

    Thanks guys!



  • What are your gateway monitor IPs? What do your static routes for the DNS IPs look like under Diag>Routes?



  • WAN Gateway Monitor IP: 75.xxx.xxx.1
    WAN2 Gateway Monitor IP: 65.xxx.xxx.1

    See image for Diag->Routes. The first one is WAN active. The second one is WAN2 active.

    ![WAN Active.png](/public/imported_attachments/1/WAN Active.png)
    ![WAN2 Active.png](/public/imported_attachments/1/WAN2 Active.png)



  • See anything wrong there?



  • That seems to be correct, without having a more complete view of the system I can't say for sure but definitely looks fine. You'll have a route for each DNS server out the appropriate WAN. Pinging from the console, or Diag>Ping choosing LAN, to the DNS server IPs will verify you have connectivity. Trying to dig directly to each will verify DNS connectivity to them.



  • @cmb:

    That seems to be correct, without having a more complete view of the system I can't say for sure but definitely looks fine. You'll have a route for each DNS server out the appropriate WAN. Pinging from the console, or Diag>Ping choosing LAN, to the DNS server IPs will verify you have connectivity. Trying to dig directly to each will verify DNS connectivity to them.

    Ok, thanks. I'll look into that. Assuming I still can't get it to work, would you be willing to login to the box and take a look around?



  • Well, it's set up and working, but the failover doesn't work, so if either DSL modem fails, the whole thing craps out. I have no idea why.



  • Allow DNS server list to be overridden by DHCP/PPP on WAN = CHECKED  <– uncheck this

    Also, you could try setting 8.8.8.8 or 8.8.4.4 as a DNS server without having a gateway specified (but this shouldn't be necessary).
    You could try to traceroute the DNS servers themselves when you unplug either and see where it goes wrong.



  • Hello KyferEz,
    I have read your topic. I have the same problem as you; I tried the suggestions from the post but nothing resolved it.
    Have you resolved the problem?
    Thanks



  • Nope. none of the suggestions helped. I think it may be a bug in the release…



  • @KyferEz:

    I think it may be a bug in the release…

    it's not.



  • @cmb:

    it's not.

    So what do I try next then?



  • I ran into a similar issue today when a manhole fire fried some of our fiber. The connection failed over as expected but DNS didn't.

    One of the things I noticed is that you can't apparently use the same DNS servers on multiple WANs. Can someone confirm this? I'd really like to use the same DNS servers on both WANs.

    Also like @KyferEz noted, although the routing shows each DNS IP associated with the appropriate gateway (Diag->Routes), the interface status (Status->Interfaces) shows all DNS IPs with the first WAN connection, which I believe might be a bug.


  • redmine.pfsense.org and report it there.


  • I don't know if this can help "KyferEz" with his problem, but I have configured my pfSense this way and haven't noticed any DNS issues.




  • @ptt Would you mind taking a screen shot of two additional pages to help confirm what I'm seeing? Diagnostics -> Routes (IPv4 table) and Status -> Interfaces. I'm curious how your four DNS servers get assigned.


  • Here is the Routes screenshot (DNS marked in red).

    In Status -> Interfaces, all DNS servers are listed under WAN1; WAN2 doesn't show any DNS (the "ISP DNS servers" don't even appear in WAN2).




  • Hello,
    I see @ptt's routing table; I think the DNS entries are correct, just like in my routing table.
    I noticed on my pfSense machine that the default route in Diagnostics -> Routes (IPv4 table) remains the same whichever WAN is online (I unplugged every WAN to test). Maybe it's a problem in Gateway Groups; look at my gateway groups, I think they are correct.
    Also, for my 2 gateways I don't check "default route" for either.
    Regards






  • I didn't read this entire thread word for word but I have seen similar issues. It seems (am I correct??) that pfSense assigns static routes to specific DNS servers if a specific gateway is selected on the General Setup page. I assume this is so 'apinger' can detect if a GW is really down when pings to that monitor IP start failing, instead of sending them over the other connection?? Not sure. But add me to the "me too" list of people who would like to know the "correct" way to assign these values.



  • @luckman212:

    I didn't read this entire thread word for word but I have seen similar issues. It seems (am I correct??) that pfSense assigns static routes to specific DNS servers if a specific gateway is selected on the General Setup page. I assume this is so 'apinger' can detect if a GW is really down when pings to that monitor IP start failing, instead of sending them over the other connection?? Not sure. But add me to the "me too" list of people who would like to know the "correct" way to assign these values.

    You must have at least one DNS server pointing to each WAN if you're using the DNS forwarder as your clients' DNS server. The WAN you pick sets a static route so the firewall goes out that WAN to reach that DNS server. You cannot use a single DNS server IP on more than one WAN (though I'm not sure offhand if there's input validation to prevent that, it won't work). There are exceptions to that if you get into policy routing traffic initiated by the firewall but that's more complex than what most people will get into.

    If you're not using the DNS forwarder, your internal DNS servers must be going out of a failover or load balancing gateway group so you still have DNS when one fails.

    @jfine:

    Also like @KyferEz noted, although the routing shows each DNS IP associated with the appropriate gateway (Diag->Routes), the interface status (Status->Interfaces) shows all DNS IPs with the first WAN connection, which I believe might be a bug.

    That's just how it's displayed, all the system's DNS servers show there.
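    A small check, added here as an example and not pfSense's own code, that applies the two constraints cmb describes (at least one DNS server per WAN, no DNS server IP routed out more than one WAN) to a General Setup DNS list, and lists the per-server host routes to expect under Diag->Routes. The gateway IPs and interface names are constructed placeholders; the thread masks the real ones.

```python
"""Validate a pfSense-style multi-WAN DNS assignment (added example).
pfSense installs a host route for each DNS server toward the gateway chosen
for it, so one server IP can only be reached via one WAN, and each WAN needs
its own server or resolution dies when the other WAN goes down."""
from collections import defaultdict

# Constructed: gateway name -> gateway IP, as in System->Gateways.
# The thread masks octets with xxx; these are placeholder addresses.
GATEWAYS = {"WAN": "75.0.0.1", "WAN2": "65.0.0.1"}

# Constructed: System->General Setup DNS list as (server IP, gateway or None),
# mirroring the original poster's setup (one OpenDNS server per WAN).
DNS_SERVERS = [
    ("208.67.220.220", "WAN"),
    ("208.67.222.222", "WAN2"),
]


def validate_dns_gateways(dns_servers, gateways):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    wans_by_server = defaultdict(set)
    servers_per_wan = {gw: 0 for gw in gateways}
    for ip, gw in dns_servers:
        if gw is None:
            continue  # no gateway chosen: uses the default route, no host route
        if gw not in gateways:
            problems.append(f"{ip}: unknown gateway {gw}")
            continue
        wans_by_server[ip].add(gw)
        servers_per_wan[gw] += 1
    for ip, wans in wans_by_server.items():
        if len(wans) > 1:  # only one /32 host route can exist for this IP
            problems.append(f"{ip}: assigned to more than one WAN {sorted(wans)}")
    for gw, n in servers_per_wan.items():
        if n == 0:
            problems.append(f"{gw}: no DNS server assigned; DNS fails when the other WAN is down")
    return problems


def expected_static_routes(dns_servers, gateways):
    """Host routes pfSense adds, as (destination/32, gateway IP), to compare with Diag->Routes."""
    return [(f"{ip}/32", gateways[gw]) for ip, gw in dns_servers if gw in gateways]


if __name__ == "__main__":
    print(validate_dns_gateways(DNS_SERVERS, GATEWAYS) or "DNS/gateway assignment OK")
    for dest, via in expected_static_routes(DNS_SERVERS, GATEWAYS):
        print(f"{dest} via {via}")
```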



  • @cmb
    Thanks so much for that clarification. It makes sense now.



  • FINALLY FOUND THE SOLUTION TO MY PROBLEM TODAY!!!

    In every guide and instruction sheet I have read for configuring multi-WAN, not once were there instructions that included this necessary and very important step in a way that a beginner could easily understand: edit the default LAN rule in Firewall->Rules by clicking edit on the rule that has a row containing "LAN net". Then change the Gateway setting drop-down to whatever you named the gateway group you created with the WAN1 failover to WAN2.

    Here is a link to a simple and basic working guide for multiwan setup on pfSense 2.0. The top of the guide is for 1.2, but scroll about half-way down to see the 2.0 guide: http://skear.hubpages.com/hub/Dual-Wan-Router-How-To-Build-One-On-a-Budget. Combine that info with the other guides out there for setting up traffic shaping and it works great!

    Thanks!


  • The instructions for 2.0 here:
    http://doc.pfsense.org/index.php/Multi-WAN_2.0

    Mention using the rules twice – once in the summary of required steps, and again later under "Firewall Rules"

    It even mentions editing your existing rule and changing the gateway.

    Not sure what doc you were reading that skipped it.



  • You misread my statement. I said it's not there in a way a beginner with pfSense can understand what to do. I did not understand what exactly was meant by those instructions (and had thus gotten it wrong) until I read the guide I linked to, where the writer detailed exactly how to create the firewall rules…

    That step is just confusing in the 2.0 docs. (edit: likely because I'm not engrossed in large corporate network configuration daily ;) I tend to work with smaller companies with 3-10 employees, but this one had outgrown a single dsl line)

