First of all, I am a complete noob to OPNsense and Networking . I have only been using it for a couple of weeks. My aim is to have two WAN networks for failover. WAN 1 is a HFC DHCP connection. The second is a PPPoE FTTP. Both are within a Gateway Group with WAN 1 being the Primary gateway (tier 1).
My problem is when the Primary connection is disabled WAN 2 takes over and works great, but when WAN 1 recovers it appears to lose DNS functionality. I can ping google.com no problem but anything that needs DNS does not work.
When this happens, I have to run the System Wizard to fix it with default settings in order to get WAN 1 working again.
I have also found that when I try different settings within interfaces and save that also breaks DNS on WAN 1. Even if I change a setting save and then undo the setting changed, WAN 1 does not work with DNS.
Another thing I have noticed is that despite setting the DNS IP addresses 1.0.0.1 and 1.1.1.1 in System: Settings: General, all DNS queries go to the default ISP DNS servers. Could this be the problem?
Quote from: RavenLunatic on July 03, 2024, 10:43:25 AM
...
Another thing I have noticed is that despite setting the DNS IP addresses 1.0.0.1 and 1.1.1.1 in System: Settings: General, all DNS queries go to the default ISP DNS servers. Could this be the problem?
DNS needs to be setup for _each_ gateway:
https://docs.opnsense.org/manual/how-tos/multiwan.html#step-3-configure-dns-for-each-gateway
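A small model of why the per-gateway DNS setup matters, added here as an illustration and not part of the thread or of OPNsense itself. It assumes two gateways in a tiered group (WAN_GW tier 1, WAN2_GW tier 2) and models the host route OPNsense installs for each DNS server that is pinned to a gateway in System: Settings: General; whether such a route stays installed while its gateway is down is a simplifying assumption of the model.

```python
# Constructed example: default route follows the gateway group, pinned DNS
# servers follow their own host route. Gateway names and tiers are assumed.
GATEWAY_GROUP = [("WAN_GW", 1), ("WAN2_GW", 2)]

# DNS server -> gateway it was pinned to in System: Settings: General.
# The assignment of 1.1.1.1 / 1.0.0.1 to the two gateways is constructed.
DNS_ROUTES = {
    "1.1.1.1": "WAN_GW",
    "1.0.0.1": "WAN2_GW",
}


def active_default_gateway(up):
    """Lowest-tier gateway that is currently up, or None if all are down."""
    for name, _tier in sorted(GATEWAY_GROUP, key=lambda g: g[1]):
        if up.get(name):
            return name
    return None


def egress_gateway(dst, up):
    """Gateway a packet to dst leaves through, or None if it cannot leave.

    A pinned host route is more specific than the default route, so it is
    used even while its gateway is down (assumption: the route is not
    withdrawn), and the query is then simply lost instead of failing over.
    """
    pinned = DNS_ROUTES.get(dst)
    if pinned is not None:
        return pinned if up.get(pinned) else None
    return active_default_gateway(up)


def usable_dns_servers(up):
    """DNS servers the firewall itself can still reach in the given state."""
    return [s for s in DNS_ROUTES if egress_gateway(s, up) is not None]


if __name__ == "__main__":
    for state in ({"WAN_GW": True, "WAN2_GW": True},
                  {"WAN_GW": False, "WAN2_GW": True},
                  {"WAN_GW": True, "WAN2_GW": False}):
        print(state, "->", usable_dns_servers(state))
```

The point the model makes is that one DNS server per gateway keeps at least one resolver reachable in every failover state, while a server that is not pinned silently follows whichever gateway currently holds the default route.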
Thanks for the reply, I have checked that I have DNS set up for both WANs. I did not see the bit where you have to edit the LAN firewall rules. I have now done that but I am getting an error in my browser as follows:
A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration.
It looks like the DNS is doing something new but I do not know how to proceed.
Can anyone help?
I disabled DNS Rebind check and now all my internet traffic is diverted to 192.168.1.1 which is my OPNsense login address (not in a good way: every website is directed to the OPNsense login page).
Quote from: RavenLunatic on July 03, 2024, 04:38:31 PM
...
I disabled DNS Rebind check and now all my internet traffic is diverted to 192.168.1.1 which is my OPNsense login address.
The important part is trying to understand what a WAN failover does with your (default) routing table and how that affects DNS lookups for both your clients AND OPNsense itself.
Are you using Unbound? If so, did you read (and apply) the last note in step 5?
DNS Rebind protection doesn't do anything with routing, so if you are experiencing routing issues (towards 192.168.1.1 ?!?!), it's probably some wrong rule, not the DNS rebind protection option.
https://docs.opnsense.org/manual/settingsmenu.html#web-gui
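To make the reply's point concrete, here is a simplified model of the check behind the "potential DNS Rebind attack" message: the web GUI compares the browser's Host header with the firewall's own addresses and its configured hostnames, and accepts nothing else. This is an added example, not OPNsense's code; the addresses and hostnames are constructed, and it only models the Host-header comparison, which is why turning it off cannot change where packets are routed.

```python
import ipaddress

# Constructed stand-ins for the GUI's own interface addresses and for the
# system hostname plus the Alternate Hostnames configured under
# System: Settings: Administration.
FIREWALL_ADDRESSES = {ipaddress.ip_address("192.168.1.1"),
                      ipaddress.ip_address("fd00::1")}
ALLOWED_HOSTNAMES = {"opnsense.localdomain"}

REBIND_MESSAGE = ("A potential DNS Rebind attack has been detected. "
                  "Try to access the router by IP address instead of by hostname.")


def split_host_port(host_header):
    """Return (host, port) from a Host header; handles [ipv6]:port literals."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return h, None
        return h[1:end], h[end + 2:] or None
    if h.count(":") == 1:            # name:port or ipv4:port
        name, port = h.split(":")
        return name, port
    return h, None                   # plain name/IPv4, or bare IPv6 literal


def is_dns_rebind(host_header, check_enabled=True):
    """True when the Host header names something other than this firewall.

    A browser that reached us through an attacker-controlled hostname (which
    was pointed at our private IP) sends that hostname here; rejecting it
    blocks the rebinding trick. Disabling the check only skips this test.
    """
    if not check_enabled:
        return False
    name, _port = split_host_port(host_header)
    try:
        return ipaddress.ip_address(name) not in FIREWALL_ADDRESSES
    except ValueError:               # not an IP literal: must be a known name
        return name not in ALLOWED_HOSTNAMES


def gui_response(host_header, check_enabled=True):
    """Message the GUI would show for this Host header, or None to proceed."""
    return REBIND_MESSAGE if is_dns_rebind(host_header, check_enabled) else None
```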
I decided to start over and reset to defaults.
It appears I had used the wrong gateway for my primary WAN. OPNsense created 2 WAN interfaces, one called WAN which has my external IP address and another called WAN_GW with a slightly different IP address.
The interface called WAN no longer shows in the WAN Gateway as an option so I had to use WAN_GW. And lo and behold everything seems to work now with one exception...
When I use DNS leak test it still shows my ISP's DNS servers and not the Cloudflare 1.1.1.1 and 1.0.0.1 that I have specified in System : General : for both WAN Gateway connections.
Can anyone advise why that would be?
Quote from: RavenLunatic on July 03, 2024, 08:08:40 PM
It appears I had used the wrong gateway for my primary WAN. OPNsense created 2 WAN interfaces, one called WAN which has my external IP address and another called WAN_GW with a slightly different IP address.
WAN is an Interface, WAN_GW the gateway of that Interface.
Quote
When I use DNS leak test it still shows my ISP's DNS servers and not the Cloudflare 1.1.1.1 and 1.0.0.1 that I have specified in System : General : for both WAN Gateway connections.
Can anyone advise why that would be?
DNS Server Options
https://docs.opnsense.org/manual/settingsmenu.html#general
I am very new to networking and I don't know the difference between an interface and a gateway. It's been a very interesting journey!
I have DNS Server options unticked and it still does it.
I have found a how-to on another part of the forum https://forum.opnsense.org/index.php?topic=9245.msg41626#msg41626 so I will try and work through that. Ultimately it does not matter which DNS it's using as long as it works. It just doesn't seem to work as I expected.
Thanks all for the help. I will probably be back for more help soon.
Quote from: RavenLunatic on July 03, 2024, 10:00:24 PM
I am very new to networking and I don't know the difference between an interface and a gateway.
We all started from scratch, but you might want to take a step back if you're at this stage. Multi WAN shouldn't be your focus IMHO, take your journey step-by-step and try to UNDERSTAND everything you're doing and/or going to do.
Quote
I have found a how-to on another part of the forum https://forum.opnsense.org/index.php?topic=9245.msg41626#msg41626 so I will try and work through that.
There are multiple valid scenarios to use the config described in this post, yours isn't... You should get familiar with a basic (correct) OPNsense configuration which should "solve" all the problems you described, especially when you're on a "journey".
Quote
Ultimately it does not matter which DNS it's using as long as it works. It just doesn't seem to work as I expected.
Well, it's you who's mentioning a DNS leak... 8) With the correct OPNsense configuration (and without redirecting all DNS requests) this is perfectly doable, again, step-by-step...