WAN failover and loss of DNS functionality [Solved]

Started by RavenLunatic, July 03, 2024, 10:43:25 AM

July 03, 2024, 10:43:25 AM Last Edit: July 03, 2024, 10:00:58 PM by RavenLunatic
First of all, I am a complete noob to OPNsense and networking. I have only been using it for a couple of weeks. My aim is to have two WAN networks for failover. WAN 1 is an HFC DHCP connection. The second is a PPPoE FTTP. Both are within a Gateway Group with WAN 1 being the Primary gateway (tier 1).

My problem is when the Primary connection is disabled WAN 2 takes over and works great, but when WAN 1 recovers it appears to lose DNS functionality. I can ping google.com no problem but anything that needs DNS does not work.
When this happens, I have to run the System Wizard to fix it with default settings in order to get WAN 1 working again.

I have also found that when I try different settings within interfaces and save, that also breaks DNS on WAN 1. Even if I change a setting, save, and then undo the setting changed, WAN 1 does not work with DNS.
Another thing I have noticed is that despite setting the DNS IP addresses 1.0.0.1 and 1.1.1.1 in System: Settings: General, all DNS queries go to the default ISP DNS servers. Could this be the problem?

Quote from: RavenLunatic on July 03, 2024, 10:43:25 AM
...
Another thing I have noticed is that despite setting the DNS IP addresses 1.0.0.1 and 1.1.1.1 in System: Settings: General, all DNS queries go to the default ISP DNS servers. Could this be the problem?

DNS needs to be setup for _each_ gateway:

https://docs.opnsense.org/manual/how-tos/multiwan.html#step-3-configure-dns-for-each-gateway

July 03, 2024, 04:38:31 PM #2 Last Edit: July 03, 2024, 07:02:07 PM by RavenLunatic
Thanks for the reply, I have checked that I have DNS set up for both WANs. I did not see the bit where you have to edit the LAN firewall rules. I have now done that but I am getting an error in my browser as follows:

A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration.

It looks like the DNS is doing something new but I do not know how to proceed.

Can anyone help?

I disabled DNS Rebind check and now all my internet traffic is diverted to 192.168.1.1 which is my OPNsense login address (not in a good way: every website is directed to the OPNsense login page).

Quote from: RavenLunatic on July 03, 2024, 04:38:31 PM
...
I disabled DNS Rebind check and now all my internet traffic is diverted to 192.168.1.1 which is my OPNsense login address.

The important part is trying to understand what a WAN failover does with your (default) routing table and how that affects DNS lookups for both your clients AND OPNsense itself.

Are you using Unbound? If so, did you read (and apply) the last note in step 5?

DNS Rebind protection doesn't do anything with routing, so if you are experiencing routing issues (towards 192.168.1.1 ?!?!), it's probably some wrong rule, not the DNS rebind protection option.

https://docs.opnsense.org/manual/settingsmenu.html#web-gui
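The routing-table behaviour this reply points at, as an added illustration that is not from the thread or from OPNsense itself: a small Python model of longest-prefix route lookup with a tier-ordered gateway group, showing what a failover does to DNS servers that have (or lack) a per-gateway host route. The gateway names, addresses and route table are constructed assumptions.

```python
import ipaddress

# Constructed example table (assumption, not taken from the thread): a default
# route plus one /32 host route per upstream resolver, which is what the
# multi-WAN how-to's "configure DNS for each gateway" step produces.
GATEWAY_TIERS = ["WAN1_GW", "WAN2_GW"]  # tier 1 first
ROUTES = [
    ("0.0.0.0/0", "WAN1_GW"),        # default route follows the gateway group
    ("1.1.1.1/32", "WAN1_GW"),       # resolver pinned to WAN 1
    ("1.0.0.1/32", "WAN2_GW"),       # resolver pinned to WAN 2
    ("192.168.1.0/24", "LAN"),
]

def effective_routes(routes, down):
    """Mimic a failover: the default route is re-pointed at the best gateway
    that is still up, while static host routes keep their gateway and go dark."""
    best = next((gw for gw in GATEWAY_TIERS if gw not in down), None)
    out = []
    for prefix, gw in routes:
        if prefix == "0.0.0.0/0":
            if best is not None:
                out.append((prefix, best))
        else:
            out.append((prefix, gw))
    return out

def next_hop(dst, routes, down):
    """Longest-prefix match. Returns the gateway used for dst, or None when
    nothing matches or the winning route points at a gateway that is down."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in effective_routes(routes, down):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None or best[1] in down:
        return None
    return best[1]

def resolver_reachability(servers, routes, down):
    """Which gateway each configured DNS server is reached through right now."""
    return {s: next_hop(s, routes, down) for s in servers}

if __name__ == "__main__":
    for down in (set(), {"WAN1_GW"}):
        label = "all up" if not down else f"{sorted(down)} down"
        print(label, resolver_reachability(["1.1.1.1", "1.0.0.1"], ROUTES, down))
```

With WAN 1 down the resolver pinned to it becomes unreachable while the one pinned to WAN 2 keeps working, which is why the how-to wants one server per gateway; with only a default route both servers would silently follow whichever WAN is active.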

July 03, 2024, 08:08:40 PM #4 Last Edit: July 03, 2024, 08:10:35 PM by RavenLunatic
I decided to start over and reset to defaults.

It appears I had used the wrong gateway for my primary WAN. OPNsense created 2 WAN interfaces, one called WAN which has my external IP address and another called WAN_GW with a slightly different IP address.

The interface called WAN no longer shows in the WAN Gateway as an option so I had to use WAN_GW. And lo and behold, everything seems to work now with one exception...

When I use DNS leak test it still shows my ISP's DNS servers and not the Cloudflare 1.1.1.1 and 1.0.0.1 that I have specified in System: General for both WAN Gateway connections.

Can anyone advise why that would be?

Quote from: RavenLunatic on July 03, 2024, 08:08:40 PM

It appears I had used the wrong gateway for my primary WAN. OPNsense created 2 WAN interfaces, one called WAN which has my external IP address and another called WAN_GW with a slightly different IP address.

WAN is an Interface, WAN_GW the gateway of that Interface.

Quote
When I use DNS leak test it still shows my ISP's DNS servers and not the Cloudflare 1.1.1.1 and 1.0.0.1 that I have specified in System: General for both WAN Gateway connections.

Can anyone advise why that would be?

DNS Server Options

https://docs.opnsense.org/manual/settingsmenu.html#general

I am very new to networking and I don't know the difference between an interface and a gateway. It's been a very interesting journey!

I have DNS Server options unticked and it still does it.

I have found a how-to on another part of the forum https://forum.opnsense.org/index.php?topic=9245.msg41626#msg41626 so I will try and work through that. Ultimately it does not matter which DNS it's using as long as it works. It just doesn't seem to work as I expected.

Thanks all for the help. I will probably be back for more help soon.

Quote from: RavenLunatic on July 03, 2024, 10:00:24 PM
I am very new to networking and I don't know the difference between an interface and a gateway.

We all started from scratch, but you might want to take a step back if you're at this stage. Multi WAN shouldn't be your focus IMHO, take your journey step-by-step and try to UNDERSTAND everything you're doing and/or going to do.

Quote
I have found a how-to on another part of the forum https://forum.opnsense.org/index.php?topic=9245.msg41626#msg41626 so I will try and work through that.

There are multiple valid scenarios to use the config described in this post, yours isn't... You should get familiar with a basic (correct) OPNsense configuration which should "solve" all the problems you described, especially when you're on a "journey".

Quote
Ultimately it does not matter which DNS it's using as long as it works. It just doesn't seem to work as I expected.

Well, it's you who's mentioning a DNS leak...  8) With the correct OPNsense configuration (and without redirecting all DNS requests) this is perfectly doable, again, step-by-step...