Multi WAN and DNS Question

  • We finally set up our box for dual WAN fail-over. All seems to work, however, will the default gateway also switch during "member down"?

    Also, within System >> General Setup, our DNS servers are Google DNS, but connect using one of the WAN gateways. Does it make sense to create four entries to different gateways? For example: use Gateway 1 use Gateway 1 use Gateway 2 use Gateway 2

  • For the default gateway to switch, enable System:Advanced:Miscellaneous "Enable default gateway switching". In a simple 2-WAN configuration it works, because the "other" possible gateway is only 1. In more complicated setups (3 or more WAN, other gateways with static routes to reach private places…) there is no way to tell it which gateway/s are allowed for switching so you cannot really control it.

    For DNS I put 1 DNS server to each WAN gateway. Not sure what will happen if you list a DNS server multiple times in General Setup.

  • Phil, thank you. That cleared things up quite a bit.

    I noticed the following within that setting:

    This is not enabled by default, as it's unnecessary in most all scenarios, which instead use gateway groups.

    I made the change anyway, because it makes sense. However does having a gateway group override this setting then?

  • Traffic that matches rules with a gateway group specified will go out according to the gateway group tier level/s.
    Other traffic that matches pass rules with no gateway group specified goes to the ordinary routing table - and thus goes out the default gateway (unless to other directly-connected networks, static routes…).
    If all your "real" user traffic is matched by rules with gateway groups, then default gateway switching is mostly useful just for traffic from pfSense itself - when the default gateway is down it switches to another gateway and you can still download packages, do an upgrade...

  • In my experience you absolutely must enable the "Enable default gateway switching" option if you wish to receive email alerts from pfSense about Gateway failures. Unless I have missed something, policy rules are not applied to traffic coming from pfSense itself. So, even if you have routing groups set up, they will be ignored for SMTP alerts from the router and so if the primary GW goes down, you won't get an alert unless pfS can switch its default GW.
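The routing distinction the last two replies describe (policy-routed user traffic follows the gateway group's tiers, while the firewall's own traffic such as SMTP alerts follows the routing table and only moves off a dead default gateway when default gateway switching is enabled) can be shown with a small model. This is an added example and not pfSense's own code; the gateway names, addresses and the `simulate` helper are constructed for illustration.

```python
# Added model of pfSense multi-WAN routing decisions (example code, not
# pfSense's implementation). Gateway names and addresses are constructed.
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    address: str
    up: bool = True


# Constructed sample: two WAN gateways, WAN1_GW is the system default gateway.
DEFAULT_GATEWAY = "WAN1_GW"

# Gateway group as (gateway name, tier); the lowest tier that is up is used,
# which is the failover behaviour described in the thread.
FAILOVER_GROUP = [("WAN1_GW", 1), ("WAN2_GW", 2)]


def make_gateways(wan1_up: bool, wan2_up: bool = True) -> dict:
    """Build the sample gateway table with the given up/down status."""
    return {
        "WAN1_GW": Gateway("WAN1_GW", "203.0.113.1", wan1_up),
        "WAN2_GW": Gateway("WAN2_GW", "198.51.100.1", wan2_up),
    }


def select_from_group(group, gateways):
    """Traffic matched by a rule with a gateway group: pick the lowest-tier
    member that is up. Returns None when every member is down."""
    for name, _tier in sorted(group, key=lambda member: member[1]):
        if gateways[name].up:
            return name
    return None


def select_default(default, gateways, switching_enabled):
    """Traffic with no policy rule (including traffic from the firewall
    itself): ordinary routing table, i.e. the default gateway. With default
    gateway switching enabled, a down default gateway is replaced by whichever
    other gateway is up; as the thread notes, you cannot choose which one."""
    if gateways[default].up:
        return default
    if not switching_enabled:
        return None  # default route still points at the dead gateway
    for name, gw in gateways.items():
        if gw.up:
            return name
    return None


def simulate(wan1_up: bool, switching_enabled: bool) -> dict:
    """Return which gateway two kinds of traffic use in a given state:
    policy-routed LAN user traffic versus an SMTP alert sent by the firewall."""
    gateways = make_gateways(wan1_up)
    return {
        "lan_user_policy_routed": select_from_group(FAILOVER_GROUP, gateways),
        "firewall_smtp_alert": select_default(DEFAULT_GATEWAY, gateways, switching_enabled),
    }


if __name__ == "__main__":
    for wan1_up, switching in [(True, False), (False, False), (False, True)]:
        print(f"WAN1 up={wan1_up}, switching={switching}: {simulate(wan1_up, switching)}")
```

With WAN1_GW down and switching disabled, the policy-routed user traffic still fails over to WAN2_GW but the firewall's own alert has no usable route, which is the behaviour the last reply reports. Enabling switching makes the alert leave via WAN2_GW; in the two-WAN case that is the only possible choice, which is why the earlier reply says it only becomes unpredictable with three or more gateways.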
