[pfSense Support] Multiwan and DNS forwarder
First, this is the best routing product I have ever used. I had a box that was up and running for over two years!!! It only rebooted because of a failure in my UPS. I went ahead and updated to 1.2.3, seeing as the system uptime had reset anyway. Thanks for the excellent work!!!

I have a question. I use Multi-WAN with 1 cable modem, 1 DSL line and 1 T1 line. I set up failover and have been very happy thus far. I am also using DNS forwarder. On each computer, pfSense assigns its own address as the DNS server. Then PF serves up the DNS. My question is, what link does PF use to get its DNS information? I would assume the WAN link, as this is the only link that it uses for package information also. If it is just the WAN link and I lose that connection, will the failover be of any real use? It seems like without being able to update the DNS, individual users will only be able to reach those sites in the cached DNS table. Am I correct in this?

Thanks for the help.

__ Information from ESET NOD32 Antivirus, version of virus signature database 5136 (20100521) __
The message was checked by ESET NOD32 Antivirus. http://www.eset.com

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 11:38 AM, Ryan radiote...@aaremail.com wrote:
> First, this is the best routing product I have ever used. I had a box that was up and running for over two years!!! It only rebooted because of a failure in my UPS. I went ahead and updated to 1.2.3, seeing as the system uptime had reset anyway. Thanks for the excellent work!!!
>
> I have a question. I use Multi-WAN with 1 cable modem, 1 DSL line and 1 T1 line. I set up failover and have been very happy thus far. I am also using DNS forwarder. On each computer, pfSense assigns its own address as the DNS server. Then PF serves up the DNS. My question is, what link does PF use to get its DNS information? I would assume the WAN link, as this is the only link that it uses for package information also. If it is just the WAN link and I lose that connection, will the failover be of any real use? It seems like without being able to update the DNS, individual users will only be able to reach those sites in the cached DNS table. Am I correct in this?
>
> Thanks for the help.

For such multi-WAN setups, I would recommend hard coding your DNS servers under System > General Setup and not allowing them to be overridden. Then add a static route for one of them so it always goes out your second WAN. Make sure the server you use will answer on the WAN for which it's being used; use Google's public DNS or OpenDNS and you don't have to worry about that.
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 12:07 PM, Chris Bagnall li...@minotaur.cc wrote:
>> For such multi-WAN setups, I would recommend hard coding your DNS...
>> ...Then add a static route for one of them so it always goes out your second WAN
>
> I agree with this entirely.
>
> It's perhaps worth mentioning here that you can improve the *perceived* speed of browsing from your users' perspective quite a bit by routing DNS queries out on a less-saturated WAN link.
>
> For example, most of the clients to whom we've supplied pfSense-based routers have at least two ADSL connections - one (or more) for general net use, and one for VoIP traffic. DNS traffic is usually sufficiently small that it doesn't affect VoIP quality, so, sending DNS queries out via the less-saturated VoIP ADSL can result in a reasonable improvement to perceived page load times.

In 1.2.3 and newer, the DNS forwarder queries all configured DNS servers simultaneously and takes the first response. So if you set it up so one goes out each WAN, you'll get that benefit automatically, plus the benefit that if the other WAN responds faster, it'll take that response.
RE: [pfSense Support] Multiwan and DNS forwarder
> In 1.2.3 and newer, the DNS forwarder queries all configured DNS servers simultaneously and takes the first response.

That's useful to know, thanks!

Regards,
Chris
--
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
RE: [pfSense Support] Multiwan and DNS forwarder
> For such multi-WAN setups, I would recommend hard coding your DNS servers under System > General Setup and not allowing them to be overridden. Then add a static route for one of them so it always goes out your second WAN. Make sure the server you use will answer on the WAN for which it's being used; use Google's public DNS or OpenDNS and you don't have to worry about that.

Thanks for the reply. So I go to System > Static routes and add a new route. I guess I set the DNS server in the Destination Network field with a /32 and I put the default gateway of my T1 in the Gateway field. What do I put for the Interface field? I don't see an interface for the pfSense traffic itself.
RE: [pfSense Support] Multiwan and DNS forwarder
> -----Original Message-----
> From: Gary Buckmaster [mailto:g...@s4f.com]
> Sent: Friday, May 21, 2010 3:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Multiwan and DNS forwarder
>
> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.

I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 4:53 PM, Ryan radiote...@aaremail.com wrote:
> -----Original Message-----
> From: Gary Buckmaster [mailto:g...@s4f.com]
> Sent: Friday, May 21, 2010 3:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Multiwan and DNS forwarder
>
> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.
>
> I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.

Yeah, that is correct, if you're using the DNS forwarder you must use static routes.
Re: [pfSense Support] Multiwan and DNS forwarder
Chris Buechler wrote:
> On Fri, May 21, 2010 at 4:53 PM, Ryan radiote...@aaremail.com wrote:
>> -----Original Message-----
>> From: Gary Buckmaster [mailto:g...@s4f.com]
>> Sent: Friday, May 21, 2010 3:24 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Multiwan and DNS forwarder
>>
>> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.
>>
>> I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.
>
> Yeah, that is correct, if you're using the DNS forwarder you must use static routes.

Yeah, I missed that requirement on the first read-through. Didn't mean to give you a bum steer.
RE: [pfSense Support] Multiwan and DNS forwarder
> Yeah, I missed that requirement on the first read-through. Didn't mean to give you a bum steer.

That's OK. I've been running this fail-over setup for a while and just now thought of this scenario. It worked when I tested it over a year ago because I simply tested with ping. My WAN went out last week and I couldn't figure out why the fail-over failed. I found out it was a failure in my design.

smacks head in disgust
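
The failure mode discussed in this thread (failover that passes a ping test while the DNS forwarder's own queries still follow the default route) can be checked from the firewall's routing table. The following is an added example, not part of the original thread and not pfSense code: it runs a longest-prefix match over a simplified, constructed `netstat -rn` listing to show which interface the firewall's own traffic to each DNS server would leave by. The interface names, gateway addresses, DNS server choices and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed, simplified `netstat -rn` listing (placeholder addresses).
# The 8.8.8.8 host route stands in for the per-server static route
# recommended in the thread; everything else follows the default route.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags    Netif
default            198.51.100.1       UGS      em0
8.8.8.8            203.0.113.1        UGHS     em2
192.168.1.0/24     link#2             U        em1
198.51.100.0/24    link#1             U        em0
203.0.113.0/24     link#3             U        em2
"""

def parse_routes(text):
    """Return [(network, gateway, netif)] from netstat-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dest:
            dest += "/32"  # host route, e.g. a static route to one DNS server
        routes.append((ipaddress.ip_network(dest), fields[1], fields[-1]))
    return routes

def egress(routes, ip):
    """Longest-prefix match: the route the firewall's own traffic to ip uses."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def audit_dns_paths(routes, dns_servers):
    """Map each DNS server to its egress interface; flag a single shared path."""
    paths = {}
    for server in dns_servers:
        route = egress(routes, server)
        paths[server] = route[2] if route else None
    single_path = len(set(paths.values())) < 2
    return paths, single_path

if __name__ == "__main__":
    paths, single = audit_dns_paths(parse_routes(SAMPLE_ROUTES),
                                    ["8.8.8.8", "208.67.222.222"])
    for server, netif in paths.items():
        print(f"{server} leaves via {netif}")
    print("WARNING: all DNS servers share one WAN" if single
          else "OK: DNS servers are spread across WANs")
```

A ping-based failover test does not exercise this path, so a check of this kind belongs next to a real name lookup made while the primary WAN is unplugged.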