How to make DNS lookups go only to the Tier1 link in multi-WAN failover?



  • Hi!

    I have a setup with several LANs and two WANs. The WANs are set up with failover where WAN1 is Tier1 and WAN2 is Tier2.
    I don't want any traffic to go over WAN2 before WAN1 goes down.

    When I capture traffic on WAN2 I see DNS lookups going there even if WAN1 is up. How can I make sure that "internal" traffic (DNS lookups) doesn't go out via WAN2 when WAN1 is up?

    Thanks in advance for any help!



  • The upstream DNS requests come from the DNS forwarder internally to pfSense, so they don't follow policy-routing rules that you would have on the LANs. But in a setup like yours, with just 2 WANs, you could enable System: Advanced: Miscellaneous - Allow default gateway switching. In General Setup, put the upstream DNS servers you want to use, but do not specify a gateway for them.
    It should all failover to WAN2 when WAN1 is down.
    Note: If you have 3 WANs, then there is currently no way to specify the priority order for default gateway switching. And if you have some unusual config where there is a gateway set on something that is really a LAN, then even more trouble if the system happens to switch the default gateway to the gateway on LAN.
    For 2-WAN configs, default gateway switching is predictable and should work.



  • Thanks, phil.davis.

    I already have the "Allow default gateway switching" enabled, but must try this with no gateway for the DNS-servers.

    I see now that this issue is mentioned in chapter 12 of the pfSense book:

    "In pfSense 2.0 and higher, it is now possible to direct traffic from the firewall itself into gateway groups using floating rules, allowing local services to take advantage of failover."

    Is this a better alternative? To direct DNS-requests into the gateway group with a floating rule? What then about direction, choice of interface and the "Quick" setting?



  • I have now tried this with no gateway for the DNS servers. pfSense still sends DNS requests out on the Tier2 WAN even if Tier1 is active/available.

    Maybe this is an alternative that works:

    "In pfSense 2.0 and higher, it is now possible to direct traffic from the firewall itself into gateway groups using floating rules, allowing local services to take advantage of failover."

    ?

    What then about direction for the traffic in the rule, choice of interface and the "Quick" setting?



  • Indeed it sounds good, but I would be guessing about the settings, and the book does not actually have an example of such a rule (that would be a good addition to the book!). I have a feeling this is on the forum somewhere, but can't see it right now. Do a bit of searching and post back when you find the right answer ;)



  • Does anyone have a good guide on how to configure a Floating Rule in 2.2.x such that specific traffic FROM the firewall ITSELF (e.g. a DNS lookup or an outbound SMTP connection on port 25 for an email alert) can be directed to use a Gateway Group? I have struggled playing with different settings, but no matter what I do it isn't working: traffic is either blocked or gets routed via the default gateway. Testing on 2.2.5.



  • I still can't get this to work. I am tearing out my last hair. Floating rule just seems to be ignored.

    Here's a netstat -rn after yanking the WAN1 plug…
    I note there is no default ipv4 gateway.
    But I do have a floating rule defined for "This firewall (self)" --> tcp/udp port 53 (dns) and tcp port 2525 (smtp server) ... yet that does not function.

    Screenshots attached as well

    
    Routing tables
    
    Internet:
    Destination        Gateway            Flags      Netif Expire
    4.2.2.2            74.66.0.1          UGHS       igb2
    24.29.99.36        74.66.0.1          UGHS       igb2
    74.66.0.0/21       link#3             U          igb2
    74.66.2.133        link#3             UHS         lo0
    127.0.0.1          link#7             UH          lo0
    192.168.20.0/24    link#1             U          igb0
    192.168.20.1       link#1             UHS         lo0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           fe80::217:10ff:fe88:498d%igb2 UGS        igb2
    ::1                               link#7                        UH          lo0
    2604:2000:400:4::/64              link#3                        U          igb2
    2604:2000:c00:4::/64              link#3                        U          igb2
    2604:2000:1404:b0::/64            link#1                        U          igb0
    2604:2000:1404:b0:208:a2ff:fe09:9bd1 link#1                        UHS         lo0
    2604:2000:ffc0:4::/64             link#3                        U          igb2
    2604:2000:ffc0:4:1005:cbc0:8afb:fba0 link#3                        UHS         lo0
    fe80::%igb0/64                    link#1                        U          igb0
    fe80::1:1%igb0                    link#1                        UHS         lo0
    fe80::%igb1/64                    link#2                        U          igb1
    fe80::211:22ff:fe33:4455%igb1     link#2                        UHS         lo0
    fe80::%igb2/64                    link#3                        U          igb2
    fe80::208:a2ff:fe09:9bd3%igb2     link#3                        UHS         lo0
    fe80::%lo0/64                     link#7                        U           lo0
    fe80::1%lo0                       link#7                        UHS         lo0
    ff01::%igb0/32                    2604:2000:1404:b0:208:a2ff:fe09:9bd1 U          igb0
    ff01::%igb1/32                    fe80::211:22ff:fe33:4455%igb1 U          igb1
    ff01::%igb2/32                    fe80::208:a2ff:fe09:9bd3%igb2 U          igb2
    ff01::%lo0/32                     ::1                           U           lo0
    ff02::%igb0/32                    2604:2000:1404:b0:208:a2ff:fe09:9bd1 U          igb0
    ff02::%igb1/32                    fe80::211:22ff:fe33:4455%igb1 U          igb1
    ff02::%igb2/32                    fe80::208:a2ff:fe09:9bd3%igb2 U          igb2
    ff02::%lo0/32                     ::1                           U           lo0
    
    

    floating rule (couldn't fit the whole thing on my screen, but the "HA_route" gateway is selected for this under advanced)

    alias for port 53/2525

    system-general

    gateway group
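The routing table above is the key evidence in this thread: after WAN1 is unplugged there is no IPv4 default route at all, while the DNS server 4.2.2.2 (and the monitor IP) still have host routes pinned to WAN1's gateway 74.66.0.1, which is exactly the symptom of a DNS server configured with a gateway. The following checker is an added example, not code from the thread or from pfSense; it parses a constructed netstat -rn dump modelled on the one posted and reports, per address family, the default gateway and any such pinned host routes.

```python
"""Check a FreeBSD/pfSense `netstat -rn` dump for what will carry traffic
that originates on the firewall itself (DNS forwarder, SMTP alerts).
Added example; the input is constructed from the poster's table, trimmed."""

# Constructed sample, modelled on the table posted after WAN1 was unplugged.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
4.2.2.2            74.66.0.1          UGHS       igb2
24.29.99.36        74.66.0.1          UGHS       igb2
74.66.0.0/21       link#3             U          igb2
74.66.2.133        link#3             UHS         lo0
127.0.0.1          link#7             UH          lo0
192.168.20.0/24    link#1             U          igb0
192.168.20.1       link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           fe80::217:10ff:fe88:498d%igb2 UGS        igb2
::1                               link#7                        UH          lo0
"""

def parse_routes(text):
    """Return {"Internet": [row, ...], "Internet6": [...]}; one dict per route."""
    tables, family = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith(" "):   # "Internet:" header
            family = line[:-1]
            tables[family] = []
            continue
        cols = line.split()
        if family is None or len(cols) < 4 or cols[0] == "Destination":
            continue                                          # blank or column header
        tables[family].append(
            {"dest": cols[0], "gw": cols[1], "flags": cols[2], "netif": cols[3]})
    return tables

def default_gateway(routes):
    """(gateway, netif) of the default route, or None when the family has none."""
    for r in routes:
        if r["dest"] == "default":
            return r["gw"], r["netif"]
    return None

def pinned_host_routes(routes):
    """Host routes (H) via a real next hop (G): the static routes pfSense installs
    for DNS servers and monitor IPs that have a gateway assigned. They keep
    pointing at that WAN's gateway even while the WAN is down."""
    return [(r["dest"], r["gw"], r["netif"])
            for r in routes if "H" in r["flags"] and "G" in r["flags"]]

def report(text):
    """Per address family: the default gateway and the pinned host routes."""
    return {fam: {"default": default_gateway(rts), "pinned": pinned_host_routes(rts)}
            for fam, rts in parse_routes(text).items()}
```

On the sample, `report(NETSTAT_OUTPUT)` shows no IPv4 default at all and 4.2.2.2 pinned to 74.66.0.1 on igb2, which is why the forwarder cannot fail over regardless of the floating rule.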



  • According to JimP (redmine #5476) getting this to work involves some fiddling with Outbound NAT. That isn't one of my strong areas. Has anyone got a working config they would be willing to share (with screenshots) of a Floating rules config that routes specific traffic originating from the Firewall (self) via a Gateway Group?



  • In Jim Pingle's last pfSense Hangout on Multi-WAN with 2.3, I am pretty sure he just outright states that it is not possible to use policy-based routing for traffic originating from the firewall itself. So I am posting a follow-up question/idea:

    Would it work to install & bind the Postfix package to the "LAN" IP, and then enter this IP as the SMTP server under System > Advanced? Would the mail alerts then be subjected to NAT and thus be able to make use of Policy routes?  Maybe I will try…

    edit: nevermind.  I see at https://redmine.pfsense.org/issues/5374 that this package is basically dead in the water as of 2.3  :(


  • Rebel Alliance Global Moderator

    This thread is really OLD… But if you're using a forwarder, why would you not just create normal routes to use a specific interface first? Why would you want/need to do this in a firewall rule?

    With the forwarder or SMTP I would think you are using a specific IP or a list of specific IPs. If you create a specific route for the IP you want to reach that sends it out WAN1, why would it not use that? If WAN1 was down, wouldn't it just use whatever default route it has to try and get there, because now the interface the specific route is on is down?



  • The problem I'm trying to solve is

    1. allow firewall to send out smtp alerts when either wan1 or wan2 goes down
    2. firewall has multiple "local" gateways that are not internet-facing, so I can't use the "enable default gateway switching" option


  • @jarlel:

    I have a setup with several LANs and two WANs. The WANs are set up with failover where WAN1 is Tier1 and WAN2 is Tier2.
    I don't want any traffic to go over WAN2 before WAN1 goes down.

    This looks similar to what I've described at https://forum.pfsense.org/index.php?topic=126017
    Did you find a solution for DNS using active tier only?

    If not, would you be able to test if this works for you?
    https://github.com/pfsense/pfsense/pull/3592