Netgate Discussion Forum
    Problem with policy based routing with dual wan with OpenDNS and Google DNS

    General pfSense Questions
    woots29:

      Good day,

      I'm having problems with assigning the clients to different gateways. My previous setup was:

      WAN1 -> clients group A
      WAN2 -> clients group B

      (Both WANs have static public IPs)

      Now, since I find web filtering with OpenDNS effective, I made the WAN1 network filtered with OpenDNS
      and WAN2 with Google DNS, so I made this:

      so that clients group A have OpenDNS and clients group B have Google DNS.
      The problem is that clients group A sometimes don't get websites filtered; it's like they pass through.
      To make sure they are using the gateways, I tested with whatismyip.com, and it shows the correct IP.

      Am I missing something?

      pfSense 2.2 amd64 (I'm not using Squid and SquidGuard for the meantime; I spent days configuring them, couldn't work out why they didn't work and gave up. OpenDNS as an alternative.)

      phil.davis:

        There is only one DNS server running in pfSense. It will use all those upstream DNS servers to resolve names, whichever ones are available and answer first.
        Client group A and client group B are both using the same DNS, so they will get the same behaviour. If a "bad" name happens to be resolved first by an OpenDNS server, then it will be resolved to the OpenDNS block page server. A and B clients will then get the block page for as long as the entry remains in the cache.
        If the name is resolved by Google first, then the real IP will be in the cache and A and B clients will both access the real site.

        As long as A and B groups are asking the same local DNS (like this on pfSense) then you cannot differentiate the DNS filtering that they experience.

        You could:

        • Use only OpenDNS servers from pfSense (208.67.222.222 on WAN, 208.67.220.220 on WAN2)
        • Let group A use pfSense DNS, like they do now
        • Static map each group B system and specify the Google DNS servers in the static mapped entry, so they avoid pfSense DNS
        • Allow group B to Google DNS (TCP+UDP port 53)
        • Allow all to pfSense LAN DNS
        • Block any other DNS (to prevent group A from manually switching to Google DNS)

        Or you can do the reverse: pfSense uses Google DNS, group B uses pfSense DNS, group A goes direct to OpenDNS.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        woots29:
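The firewall half of the plan above (allow group B to Google DNS, allow everyone to the pfSense resolver, block all other DNS), written out as an added example in pf syntax, the packet filter that pfSense generates its GUI rules into. This is not code from the thread: the interface name, the group B table and its host addresses are assumptions, the pfSense LAN address 10.0.0.1 and the Google addresses come from the thread, and the DHCP static mappings that hand group B the Google servers are not shown.

```pf
# Added example, not from the thread. Assumed: the LAN interface is "lan",
# group B hosts live in the <groupB> table (constructed sample addresses).
lan_dns = "10.0.0.1"                       # pfSense LAN address from the thread
table <groupB>     { 10.0.0.50 10.0.0.51 } # constructed group B hosts
table <google_dns> { 8.8.8.8 8.8.4.4 }     # Google DNS addresses from the thread

# pfSense applies LAN rules first-match ("quick"), so order matters.
# 1. Group B may query Google DNS directly (TCP and UDP 53).
pass in quick on lan inet proto { tcp udp } from <groupB> to <google_dns> port 53
# 2. Everyone on the LAN may use the pfSense resolver.
pass in quick on lan inet proto { tcp udp } from lan:network to $lan_dns port 53
# 3. Any other DNS destination is blocked, so group A cannot pick another resolver by hand.
block in quick on lan inet proto { tcp udp } from any to any port 53
```

Because matching is first-hit, the block rule must sit last; it covers only plain port-53 DNS, so clients cannot reach other resolvers on that port, which is exactly the "block any other DNS" point in the list above.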

          Thank you for the reply. I thought it was possible to use multiple DNS servers for each gateway.

          BTW, what is the function of having 4 DNS servers per gateway in that general setup? Thanks

          stephenw10 (Netgate Administrator):

            In a failover situation you must have upstream DNS servers configured for each gateway so that the pfSense DNS forwarder still has access to them if one gateway goes down. If you have 4 WANs you can set one DNS server for each WAN; with 2 you can set 2 on each, so that if one is unavailable there is a backup.

            Steve

            woots29:

              Thanks, sir stephenw10.
              But I need help. I think I messed up the settings.

              In the dashboard:

              DNS Servers: 127.0.0.1

              The WAN1 and WAN2 gateway IPs are missing.

              It should be showing up automatically. I forgot to backup before changing the config. ;D

              stephenw10 (Netgate Administrator):

                Not sure quite what you mean, screenshot?

                You can roll back config changes. See:
                https://doc.pfsense.org/index.php/Configuration_History

                Steve

                woots29:

                  @stephenw10:

                  Not sure quite what you mean, screenshot?

                  You can roll back config changes. See:
                  https://doc.pfsense.org/index.php/Configuration_History

                  Steve

                  I usually see the DNS servers in the dashboard filled up with the IP addresses 192.168.1.1 and 192.168.254.254.

                  Today it's only one.

                  The problem with the config history is that the committed settings are recorded, not the "before commit" settings. I'll try to find the previously downloaded backup.

                  stephenw10 (Netgate Administrator):

                    OK, so what do your DNS server settings look like in System > General Setup?

                    Looks like you may have unchecked 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and also not had any servers specified.

                    Steve

                    woots29:

                      @stephenw10:

                      OK, so what do your DNS server settings look like in System > General Setup?

                      Looks like you may have unchecked 'Allow DNS server list to be overridden by DHCP/PPP on WAN' and also not had any servers specified.

                      Steve

                      Only the pfSense IP (10.0.0.1) is entered in the General Setup DNS server list, and "Allow DNS server list to be overridden…" is checked.

                      But now, the DNS servers showing in the dashboard are:

                      127.0.0.1
                      192.168.1.1
                      8.8.8.8
                      8.8.4.4
                      10.0.0.1

                      I began scratching my head  ;D

                      woots29:

                        It's OK now. I've just rebooted the modems :D Thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.