failover question

Started by hescominsoon, October 12, 2022, 01:04:00 AM

for step 5:
Step 5 - Add allow rule for DNS traffic

where does this rule go?  does it go under firewall rules for the failover interface group or do i need to add it to every other internal interface?  We are not using unbound for dns.

also can both interfaces be tier 1 with different priorities?

It would be nice if you wrote about what you are referring to.
I assume https://docs.opnsense.org/manual/how-tos/multiwan.html

The rule is placed above (before) the default allow rule on each interface that uses the gateway group.
To be honest: I never understood this rule, but never cared about as I have such a rule anyway for redirecting DNS.

What are you intended to do?
For Failover only, you need to use different tiers, where the main gateway is the lower one.
i am not an expert... just trying to help...

October 14, 2022, 11:14:57 PM #2 Last Edit: October 14, 2022, 11:17:22 PM by hescominsoon
Quote from: tiermutter on October 12, 2022, 07:08:35 AM
It would be nice if you wrote about what you are referring to.
I assume https://docs.opnsense.org/manual/how-tos/multiwan.html

The rule is placed above (before) the default allow rule on each interface that uses the gateway group.
To be honest: I never understood this rule, but never cared about as I have such a rule anyway for redirecting DNS.

What are you intended to do?
For Failover only, you need to use different tiers, where the main gateway is the lower one.
so i need to put that rule on every interface..so all the vlan interfaces and the base interface that serves the vlans as well?
also why not set both on the same tier but on different priorities?
yes failover only.  although i had it working earlier without adding that dns rule...so that's odd. 

As said, I never understood this DNS rule... Maybe someone other can explain it...
Gateway groups are not really necessary for failover multi WAN, it works fine using GW priorities. With GW groups and policy based routing you are just a little more flexible for some scenarios.
i am not an expert... just trying to help...

Quote from: tiermutter on October 15, 2022, 10:44:52 AM
As said, I never understood this DNS rule... Maybe someone other can explain it...
Gateway groups are not really necessary for failover multi WAN, it works fine using GW priorities. With GW groups and policy based routing you are just a little more flexible for some scenarios.

now that's interesting..no need for gateway groups..hrmm i wonder if just using gateway priorities negates that dns rule then.

Sure... Using GW groups you need policy based routing (a rule that routes all the traffic to GW group)... The note for the DNS rule states that it routes DNS to default GW, for whatever reason...
i am not an expert... just trying to help...

i found a way around it..i think.  the system nameservers are quad9.  since unbound is setup i guess by default i told unbound to use the system nameservers as the default forwarders.  That should eliminate the need for that firewall rule..i'll report back when i test it.

nope.  dns is getting dropped at the firewall.  i tried setting up the rule and not only did it not allow dns to pass during the failover but it also blocked dns from passing when we went back to primary.  I am at a loss now.  so I am going to do the next best thing.  I am going to tell the dhcp servers to send out that the dns is 9.9.9.9 and 149.112.112.112.  when the system failed over i was able to take an endpoint and modify its dns to quad 9 and it could surf.  So somehow internal dns is not changing over when the system fails over.  I think it's that weird rule..apparently how to format it and precisely where to put it escapes me.