Dual Wan failover breaks DNS



  • Hello all,
    I'm trying to configure dual WAN on pfSense using the new wiki http://doc.pfsense.org/index.php/MultiWanVersion1.2 but I have a problem with DNS.
    One link (I'll call it main) is connected directly to the internet and has a static IP address; the other (secondary) is connected through a router and has a subnet address e.g. 172.25.2.20.
    Also I decided to use ISP-agnostic IP addresses so I won't have problems with failover and the fact that I don't have ISP DNS IPs. I use 4.2.2.1 and the Cogent Communications DNS root server: 192.33.4.12

    I set up failover and it works reasonably well, except when I disable the main link (or the link goes down) I lose the DNS servers. I can still ping them, I can still ping any other server on the net, I can download web pages provided I give the browser an IP address instead of a DNS name, but DNS itself does not work.

    I tried to fix this by creating static routes to these servers where the main route directs to 4.2.2.1 and the secondary directs to 192.33.4.12, which doesn't really make sense since all connections are load balanced anyway, but I tried that, and it doesn't work.

    Another interesting thing is that if I add an entry to resolv.conf on a machine that is on the pfSense subnet, it starts resolving DNS names correctly, so there is no rogue firewall rule that blocks port 53.

    I attach one of the configs that produces this behaviour. It doesn't have static routes, but the same things happen when I have them configured.

    Any help appreciated.
    config-main.local-20070727233155.xml.txt



  • Add static routes for the ISP DNS servers and associate the IP with the correct next hop gateway to force the traffic out the correct link.

    I do believe this is covered in the guide on olddoc.pfsense.com and I know it has been covered in this forum prior.



  • If you do not mind explaining, I would really like to understand your reasoning for recommending static routes to make DNS work.

    DNS is just a protocol, and if IP routing is working correctly during a failover, why would static routes be necessary? Unless I'm not understanding something basic, then every other protocol should require static routes too?

    I think there is something obvious, and would appreciate if you could share your understanding of how PfSense works.



  • Most ISPs will reject queries from outside of their networks.

    So once you fail over to an alternate link without the static addresses, traffic will flow through ISP A to get to ISP B's DNS server, which in most cases (any good ISP does this) will block the traffic since it is not sourced from the correct network. The static routes ensure that a request for DNS goes out the correct connection.



  • What sullrich said… but I'll add that it's because policy routing doesn't affect traffic from pfsense itself, that's why the routes are required. That may change in a future version, but is the case for the foreseeable future.



  • Now this is starting to make more sense. To summarize:

    1. Due to policy based routing, on a fail-over, all traffic will be redirected to the circuit which is available for the systems behind PfSense, but the policy does not include the traffic of PfSense at this time (v1.2beta2).

    2. If it is true that ISPs secure DNS servers to not respond to queries from outside their networks, it may be preferable to use the Internet root DNS servers as they are reachable over either circuit. I'm not clear whether separate policy/firewall rules are required. Please let me know what would be necessary in this case to have PfSense provide the same routing failover for its own traffic.

    3. If PfSense is configured to use the DNS servers of the respective ISPs who provide the circuits, then static routes are required as ISPs may not permit DNS queries from outside their networks. I'm not familiar with FreeBSD DNS resolver, but would think that if the circuit over which the primary DNS server is queried is down, this would impact DNS resolution time as the first query would have to time out before the second DNS server is tried (assuming second is configured for reachability over the available circuit).
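    To make the three points above concrete, here is a small added model (not code from this thread or from pfSense itself) of what the replies describe: policy routing moves LAN clients to whichever WAN is up, the firewall's own packets keep following the system routing table, and each ISP's resolver only answers queries sourced from its own address range. All addresses, ISP names and the "first server that answers" resolver order are constructed for the illustration; pinning a DNS server to a WAN with a /32 static route is the fix the thread recommends.

```python
"""Toy model of the dual-WAN DNS failure discussed in the thread.

Constructed example: addresses, ISP names and the resolver policy are
invented for illustration. This is not pfSense's own code.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

# Each ISP's resolver answers only queries sourced from that ISP's own range
# (the behaviour sullrich describes). Ranges are constructed documentation prefixes.
ISP_NET = {
    "A": ipaddress.ip_network("203.0.113.0/24"),   # "main" link
    "B": ipaddress.ip_network("198.51.100.0/24"),  # "secondary" link
}
DNS_A, DNS_B = IPv4("203.0.113.53"), IPv4("198.51.100.53")


@dataclass
class Wan:
    name: str
    address: IPv4   # the firewall's own address on this link, i.e. the source of its packets
    gateway: IPv4
    up: bool = True


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    wan: str        # egress WAN; in the GUI you would pick that WAN's gateway as next hop


def pin(dns, wan):
    """Static /32 route that forces traffic to one DNS server out one WAN."""
    return StaticRoute(ipaddress.ip_network(f"{dns}/32"), wan)


class Firewall:
    def __init__(self, wans, static_routes=()):
        self.wans = {w.name: w for w in wans}
        self.system_default = wans[0].name   # system routing table: default route is fixed
        self.static = list(static_routes)

    def policy_wan(self):
        """Policy routing for LAN clients: the first WAN whose gateway monitor says 'up'."""
        for name, w in self.wans.items():
            if w.up:
                return name
        return None

    def system_wan(self, dst):
        """Routing for the firewall's own packets: longest static match, else the default."""
        match = [r for r in self.static if dst in r.prefix]
        if match:
            return max(match, key=lambda r: r.prefix.prefixlen).wan
        return self.system_default

    @staticmethod
    def isp_accepts(src, dns):
        owner = next(isp for isp, net in ISP_NET.items() if dns in net)
        return src in ISP_NET[owner]

    def firewall_query(self, dns):
        """True if a query from the firewall itself reaches dns and is answered."""
        wan = self.wans[self.system_wan(dns)]
        return wan.up and self.isp_accepts(wan.address, dns)

    def resolve(self, servers):
        """Resolver order: first server that answers; None means DNS is broken."""
        for dns in servers:
            if self.firewall_query(dns):
                return str(dns)
        return None


def scenario(main_up, static_routes, servers=(DNS_A, DNS_B)):
    fw = Firewall([Wan("WAN1", IPv4("203.0.113.10"), IPv4("203.0.113.1"), up=main_up),
                   Wan("WAN2", IPv4("198.51.100.10"), IPv4("198.51.100.1"))],
                  static_routes)
    return {"lan_clients_via": fw.policy_wan(), "firewall_dns": fw.resolve(servers)}


PINNED = [pin(DNS_A, "WAN1"), pin(DNS_B, "WAN2")]

if __name__ == "__main__":
    print("main up, no static routes:  ", scenario(True, []))
    print("main down, no static routes:", scenario(False, []))   # the thread's symptom
    print("main down, pinned routes:   ", scenario(False, PINNED))
```

    Running it shows the symptom from the first post (LAN clients move to WAN2 while the firewall's own resolver gets no answer at all) and the fix (with the /32 routes, the query to ISP B's server leaves on WAN2 with WAN2's source address and is answered). It also shows why the pin has to point at the right gateway: a route for ISP B's server via WAN1 gets the query rejected even while WAN1 is up, and why the resolver only succeeds after the first, unreachable server is skipped, which is the timeout cost point 3 raises.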



  • @sullrich:

    Most ISPs will reject queries from outside of their networks.

    So once you fail over to an alternate link without the static addresses, traffic will flow through ISP A to get to ISP B's DNS server, which in most cases (any good ISP does this) will block the traffic since it is not sourced from the correct network. The static routes ensure that a request for DNS goes out the correct connection.

    Where can I find instructions to make this configuration? I don't understand how to make this.



  • What if you use the public OpenDNS servers?
    208.67.222.222
    208.67.220.220

    Those are free.

