DNS & IPSec - What order?

  • I have two VPN connections from two different sites.  Both sites randomly report problems with connecting to resources at my office and I never have a problem accessing any from their sites.  I'm thinking the problem must be DNS related because the IPSec connections are always working properly and so are the resources at my location.

    I'm using v2.0.1 and have the following configuration listed in the general DNS section:

    The first two DNS servers are the ones in my office.  We only have a couple of users at each site and so putting in a local DNS server is a bit much.  Besides, the pfSense box can cache the DNS entries anyway.  I added the google dns servers as backup in case the vpn goes down or our dns servers were to fail.

    On the dashboard I get the following in the DNS section:

    Is there something I'm missing, order wise, entry wise, or configuration wise that would cause clients not to be able to find resources randomly?  Thanks for your time and consideration of my question.

  • Nobody?

  • With IPsec, you need this for the DNS forwarder to be able to use the remote DNS servers over the VPN.

  • Have you gotten this to work? I'm having trouble getting this working in our environment.

  • I also cannot get this to work. I can "see" the packets with a floating rule configured to log. (source: WAN IP destination: IPSec Remote Subnet) but I can't get it to use the LAN IP for pinging.

    I have logged in to the local pfSense box by SSH and pinged manually. When using ping -S LAN IP IP On Remote Side, everything works correctly. When using ping IP On Remote Side, I can see with a little help from the floating rule that a ping package sourcing from my WAN IP with the correct destination is passed. I don't see any other messages like blocks. I also cannot see anything on the other side of the VPN.

    I have tried:

    • Using a static route that points to a gateway with my LAN IP. (like the article states)
    • Using the floating rule to pass traffic to the gateway.
    • Meddling with NAT Rules

    I can't figure out why the system uses my WAN IP as ping address.

  • It seems the problem has been resolved by the few changes I made as I've had no complaints since.  What I did was change the router's (pfSense) DNS to be google's servers only ( &  Then I went into the DHCP Server settings and set the local clients to only use my DNS servers at my HQ (, etc).

    Ever since having done that, the problem has gone away.

  • The problem for me is that my IPSec connection is quite slow and untrustable and I only want to use that when a client requests a local address. Every other address should be resolved by the default dns server.

  • Joolee:

    If your connection isn't trustworthy and slow there are only two things you could do.

    1. Upgrade to a better dedicated connection.


    1. Install a local DNS server that syncs with your master DNS server over the tunnel.  It may sometimes be out of date (if the connection is down for a prolonged amount of time) but it would continue to serve requests to clients (where possible; that is if the tunnel is down the local clients cant route to remote clients, etc).

Log in to reply