Problem with policy-based routing with dual WAN with OpenDNS and Google DNS



  • Good day,

    I'm having problems with assigning the clients for different gateways. My previous setup is:

    WAN1 -> clients group A
    WAN2 -> clients group B

    (Both WANs have static public IPs)

    Now, since I find web filtering with OpenDNS effective, I made the WAN1 network filtered with OpenDNS
    and WAN2 with Google DNS, so I made this:

    so that clients group A have OpenDNS and clients group B have Google DNS.
    The problem is that clients group A sometimes don't get the websites filtered; it's just like they pass through.
    To make sure they are using the gateways, I tested with whatismyip.com, and it shows the correct IP.

    Am I missing something?

    pfSense 2.2 amd64 (I'm not using Squid and SquidGuard for the meantime; I spent days trying to work out why it doesn't work and gave up. OpenDNS is the alternative.)



  • There is only 1 DNS server running in pfSense. It will use all those upstream DNS servers to resolve names, whatever ones are available and answer first.
    Client group A and client group B are both using the same DNS - so they will get the same behavior. If a "bad" name happens to be resolved first by an OpenDNS server, then it will be resolved to the OpenDNS block page server. A and B clients will then get the block page for as long as the entry remains in the cache.
    If the name is resolved by Google first, then the real IP will be in the cache and A and B clients will both access the real site.

    As long as A and B groups are asking the same local DNS (like this on pfSense) then you cannot differentiate the DNS filtering that they experience.

    You could:

    • Use only OpenDNS servers from pfSense (208.67.222.222 on WAN, 208.67.220.220 on WAN2)
    • Let group A use pfSense DNS, like they do now
    • Static map each group B system and specify the Google DNS servers in the static mapped entry - thus they avoid pfSense DNS
    • Allow group B to Google DNS (TCP+UDP port 53)
    • Allow all to pfSense LAN DNS
    • Block any other DNS (to prevent group A from manually switching to Google DNS)

    Or you can do the reverse - pfSense use Google DNS, group B use pfSense DNS, group A go direct to OpenDNS.
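    The firewall side of the first option above (everyone may use the pfSense LAN resolver, group B may go straight to Google DNS, every other DNS destination is blocked), written out as pf rules. This is an added example, not from the original post or from pfSense itself; the LAN subnet 10.0.0.0/24, the pfSense LAN address 10.0.0.1, the interface name `lan`, and the two group B addresses in the table are assumptions chosen for illustration. The Google DNS addresses are the ones shown elsewhere in this thread.

    ```pf
    # Assumed addressing (example only):
    #   LAN           10.0.0.0/24 on interface "lan"
    #   pfSense LAN   10.0.0.1 (runs the DNS forwarder, which is pointed only at OpenDNS)
    #   group B hosts static-mapped in DHCP with DNS servers 8.8.8.8 and 8.8.4.4

    table <group_b>    { 10.0.0.50, 10.0.0.51 }   # assumed group B addresses
    table <google_dns> { 8.8.8.8, 8.8.4.4 }

    # "quick" makes these first-match, which is how pfSense evaluates its GUI rules.

    # 1. Everyone may query the pfSense resolver on the LAN address.
    pass in quick on lan proto { tcp udp } from lan:network to 10.0.0.1 port 53

    # 2. Group B may query Google directly (policy routing to WAN2 is applied by
    #    setting the gateway on this rule in the GUI, i.e. a route-to in pf terms).
    pass in quick on lan proto { tcp udp } from <group_b> to <google_dns> port 53

    # 3. Any other DNS destination is dropped, so a group A host that manually
    #    configures Google (or any other) DNS still ends up without an answer.
    block in quick on lan proto { tcp udp } from lan:network to any port 53
    ```

    The DHCP half of the setup is the static mapping for each group B host: pfSense's static mapping form has its own DNS server fields, which end up as an `option domain-name-servers` line for that host in the generated dhcpd configuration, so those clients never ask the pfSense forwarder at all. Two checks worth doing afterwards: from a group A host, `nslookup` against 8.8.8.8 should time out rather than answer, and a known OpenDNS-blocked name should resolve to the OpenDNS block page address. Note that the block rule only covers plain DNS on port 53; a client using a different resolver transport (for example DNS over TLS on port 853) is not caught by it.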



  • Thank you for the reply. I thought it was possible to use multiple DNS servers per gateway.

    BTW, what is the function of having 4 DNS servers per gateway in that General Setup? Thanks.


  • Netgate Administrator

    In a failover situation you must have upstream DNS servers configured for each gateway in order that the pfSense DNS forwarder still has access to them if one gateway goes down. If you have 4 WANs you can set one DNS server for each WAN, with 2 you can set 2 on each so that if one is unavailable there is a backup.

    Steve



  • Thanks, sir stephenw10.
    But I need help. I think I messed up the settings.

    In the dashboard:

    DNS Servers: 127.0.0.1

    The WAN1 and WAN2 gateway IPs are missing.

    It should be showing up automatically. I forgot to backup before changing the config. ;D


  • Netgate Administrator

    Not sure quite what you mean, screenshot?

    You can roll back config changes. See:
    https://doc.pfsense.org/index.php/Configuration_History

    Steve



  • @stephenw10:

    Not sure quite what you mean, screenshot?

    You can roll back config changes. See:
    https://doc.pfsense.org/index.php/Configuration_History

    Steve

    I usually see the DNS servers in the dashboard filled in with IP addresses like 192.168.1.1 and 192.168.254.254.

    Today it's only one.

    The problem with the config history is that the committed settings are recorded, not the "before commit" settings. I'll try to find the previously downloaded backup.


  • Netgate Administrator

    OK, so what do your DNS server settings look like in System > General Setup?

    Looks like you may have unchecked 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and also not had any servers specified.

    Steve



  • @stephenw10:

    OK, so what do your DNS server settings look like in System > General Setup?

    Looks like you may have unchecked 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and also not had any servers specified.

    Steve

    Only the pfSense IP (10.0.0.1) is entered in the General Setup DNS server field; the "Allow DNS server list to be overridden…" box is checked.

    But now, the DNS servers showing in the dashboard are:

    127.0.0.1
    192.168.1.1
    8.8.8.8
    8.8.4.4
    10.0.0.1

    I began scratching my head. ;D



  • It's ok now. I've just rebooted the modems :D Thanks

