WAN failover DNS problem

Started by pinpoint, January 24, 2026, 04:31:17 PM

WAN1 is my main fiber and WAN2 is a Netgear MR5200 mobile router (in passover mode).
I have also set up Unbound DNS, query forwarding is disabled, and the DNS server fields in System: Settings: General are empty. Gateway switching is checked.

DNS works over WAN1, but when I disconnect WAN1 and WAN2 takes over, I can access external web pages for about 10 seconds, then all new pages time out. I am able to ping external IP addresses, and IPTV is still streaming seamlessly.

I have now spent several hours over many weeks trying to fix this, but nothing seems to help. I suspect that the problem lies with Unbound DNS. When I manually change the DNS on my laptop to 8.8.8.8, DNS finally works, but I don't want to change to 8.8.8.8 on all my clients. I want to use my firewall DNS 192.168.50.1.

I also use Dnsmasq DNS & DHCP where DNS and gateway are directed to CARP IP on my firewall 192.168.50.1.

I set up failover by using the guide on https://docs.opnsense.org/manual/how-tos/multiwan.html as well as troubleshooting using ChatGPT. I have read multiple posts here where people seem to have a similar problem.
OPNsense 25.7.11_2-amd64.

Anyone know what might be the problem?

Your setup is somewhat confusing. In a normal multi-WAN setup I don't expect to use a CARP VIP anywhere.
Also you should clarify which service you intend to use for DNS resolution. Dnsmasq DNS & DHCP or Unbound DNS. Both should be able to do the job in a multi-WAN setup.

If you use unbound, do you run it in forwarding mode?

Did you state DNS servers with gateway in System: Settings: General?
Did you check "Allow DNS server list to be overridden by DHCP/PPP on WAN"?

I have two OPNsense servers (VMs on Proxmox). Both are connected to the fiber ISP. They are connected via a CARP IP for continuous internet connection when one of the servers is down for maintenance. This works perfectly. I want a multi-WAN setup so mobile can take over if my fiber ISP is down.
I use Dnsmasq DNS & DHCP only for DHCP and haven't set up DNS.
Unbound forwarding mode: do you mean query forwarding? It is disabled (disabled "Use system nameservers"). Network interfaces: LAN; outgoing network interfaces: all. Disabled "Enable DNSSEC Support".

System: Settings: General
DNS server: all boxes are blank. Use gateway: none

Disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Disabled "Do not use the local DNS service as a nameserver for this system"
Enabled "Allow default gateway switching"

So you have a multi-WAN HA setup. I see.

If you don't have query forwarding enabled in Unbound, it works as a recursive resolver and requests the root servers directly. I'd expect that this will also work on the mobile internet line, if you can reach a certain server like 8.8.8.8. But possibly the provider redirects your DNS requests to its own DNS in fact.
You will not be able to detect this for unencrypted DNS traffic.

If that's the case, your only option will be to enable DNS query forwarding.
If you don't trust your provider, you can configure "Unbound DNS: DNS over TLS" and state certain DoT servers. Encrypted DNS cannot be redirected to any other server. In this case the DNS resolution would fail.
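To make the two Unbound modes contrasted in this reply concrete, here is an added example in plain unbound.conf syntax. It is not from this thread and not OPNsense's own generated configuration (OPNsense builds that from the GUI settings under Services: Unbound DNS, where the DoT servers are entered on the "DNS over TLS" tab). The LAN subnet, the certificate bundle path and the upstream DoT servers below are assumptions for illustration; substitute the resolvers you actually trust.

```conf
# Added example: minimal unbound.conf fragments for the two modes discussed
# above. Values marked "assumed" are illustrative, not from the thread.

server:
    interface: 192.168.50.1                  # listen on the LAN/CARP address from the thread
    access-control: 192.168.50.0/24 allow    # assumed LAN subnet; only these clients may query

    # Mode 1 (recursive, the thread's current setup): with no forward-zone,
    # Unbound walks from the root servers itself over plain port 53. A mobile
    # provider that transparently redirects port 53 can answer those queries
    # with its own resolver, and the replies look ordinary to Unbound.

    # Needed only for Mode 2: CA bundle used to verify the DoT servers.
    # Path assumed; this is where FreeBSD's ca_root_nss package installs it.
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

# Mode 2 (query forwarding over DNS over TLS): every query goes to the listed
# servers on TCP/853, and the presented certificate must match the name after
# the '#'. Port-53 interception no longer applies; if the mobile line blocks
# or tampers with 853, resolution fails outright instead of being redirected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net          # assumed upstream choice
    forward-addr: 1.1.1.1@853#cloudflare-dns.com     # assumed upstream choice
```

After forcing a failover to WAN2, query the firewall itself from a LAN client (for example `drill @192.168.50.1 example.com` on the OPNsense shell, or `dig` elsewhere): an answer within a couple of seconds shows DNS is working over the mobile line; with Mode 2 active, a timeout rather than an answer points at port 853 being unreachable on that line rather than at a general routing problem, since pings and IPTV were already reported to work.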