pfSense Multi-WAN Configuration: Part Two

pfSense multi WAN

Configuring the DNS forwarder in pfSense 2.2.4.

In the first article, we covered some basic considerations with a multi-WAN setup. in this article, we will cover multi-WAN configuration.

First, the WAN interfaces need to be configured. You should set up the primary WAN the same way you would in a single WAN setup. Then for the OPT WAN interfaces, select either DHCP or static, depending on your Internet connection type. For static iP conncections, you will need to fill in the IP address and gateway.

Next, you need to configure pfSense with DNS servers from each WAN connection to ensure it is always able to resolve DNS. This is important, especially if your network uses pfSense’s DNS forwarder for DNS resolution. If you only use one ISP’s DNS servers, an outage of that WAN connection will result in a complete Internet outage regardless of your policy routing configuration.

pfSense uses its routing table to reach the configured DNS servers. This means without any static routes configured, it will use only the primary WAN interface to reach DNS servers. Static routes must be configured for any DNS server on an OPT WAN interface to reach that DNS server. Static routes must be configured for any DNS server on an OPT WAN interface, so pfSense uses the correct WAN interface to reach that DNS server.

This is required for two reasons. [1] Most ISPs prohibit recursive queries from hosts outside their network. Thus, you must use the correct WAN interface to access that ISP’s DNS server. [2] If you lose your primary WAN interface and do not have a static route defined for one of your other DNS servers, you will lose all DNS resultion ability in pfSense, since all DNS servers will be unreachable when the system’s default gateway is unreachable. If you are using pfSense as your DNS server, this will result in a complete failure of DNS for your network.

pfSense Multi-WAN: Static IPs vs. Dynamic IPs

A setup that has all static IPs on the WAN interfaces is easy to handle, as each WAN has a gateway IP that will not change. Dynamic IP WAN interfaces, on the other had, pose difficulties because their gateway is subject to change and static routes in pfSense must point to a static IP address. This usually is not a major problem, since only the IP address changes while the gateway remains the same. If your OPT WAN public IP changes subnets (and therefore gateways) frequently, use of the DNS forwarder in pfSense is not an acceptable solution for redundant DNS servcies; you will still have no reliable means of reaching a DNS server over anything other than the WAN interface.

pfSense multi-WAN

Configuring DNS servers with multiple WAN interfaces in pfSense 2.2.4.

With dynamic IP WANs, you have two alternatives. Because traffic from the inside networks is policy routed by your firewall rules, it is not subject the the limitation of requiring static routes. You can either use DNS servers on the Internet on all your internal systems, or use a DNS server or forwarder on your internal network. As long as DNS requests are initiated from inside your network and not on the firewall itself (as it is in the case of the DNS forwarder), static routes are not required and have no effect on traffic initiated inside your network when using policy routing.

A second option to consider is using one of your DNS server IPs from each Internet connection as the monitor IP for that connection. This will automatically add the appropriate static routes for each DNS server.

If you have a mix of statically and dynamically addressed WAN interfaces, then the primary WAN should be one of your dynamic IP WANs, as static routes are not required for DNS servers on the primary WAN interface.

The image on the right shows separate DNS servers with a multi-WAN setup in pfSense. In System -> General Setup, you can enter the DNS servers, and you can select the gateway used with the selected DNS server in the dropdown box on the right. As you can see, I have selected different WAN interfaces for each of the DNS servers, so the two WAN interfaces (WAN and WAN1) are not dependent on the same DNS server.


External Links:

Network Load Balancing on Wikipedia

DNS Tools: Configuring DNS Forwarding in pfSense

DNS Forwarding: A Useful DNS Tool

A DNS forwarder is a DNS tool which enables a network to skip the normal DNS resolution process and instead forward certain DNS requests to specified DNS servers, asking them to do the resolution work for it. Under pfSense, the DNS forwarder allows pfSense to act as a DNS server with a number of different features. It is a useful DNS tool in that it allows pfSense to resolve DNS requests using hostnames obtained by DHCP service, static DHCP mappings, or manually entered information. The DNS forwarder can also forward all DNS requests for a particular domain to a server specified manually.

DNS Tools: Configuring Common DNS Forwarding Options

DNS tools

Configuring DNS forwarding in pfSense 2.1

Like most DNS tools, some configuration is required. To configure the DNS forwarder, first navigate to Services -> DNS Forwarder. Check the “Enable DNS forwarder” check box. If you check “Register DHCP leases in DNS forwarder“, then matches that specify their hostname when requesting a DHCP lease will be registered in the DNS forwarder, so that their name can be resolved (these are the hosts that appear in the list at Status -> DHCP Leases or, if it is an IPv6 address, DHCPv6 Leases). If “Register DHCP static mappings in DNS Forwarder” is checked, then DHCP static mappings will be registered in the DNS forwarder (these hosts are found by navigating to Services -> DHCP Server and scrolling down to “DHCP Static Mappings for this interface“).

At “Host Overrides“, (near the bottom of the page) specify individual hosts to be served as DNS records by clicking the “plus” button to add a record. Devices in this list are checked first, so even if a record exists elsewhere, the record here takes precedence and is immediately returned. Scrolling even further down the page and just below “Host Overrides“, you will see the “Domain Overrides” section. Here you can specify a DNS server for a particular domain by clicking the “plus” button to add a record. These records are checked immediately after the individual records are defined above. Thus, a match here will take precedence over records that may exist elsewhere.

Configuring Additional Options

DNS tools

Additional options of the DNS Forwarder under pfSense 2.1

As with most DNS tools, here are some other options available. If you check “Resolve DHCP mappings first“, then DHCP mappings will be resolved before the list specified in “Host Overrides“. This only affects the name given for a reverse lookup. As of pfSense 2.1, the “DNS Query Forwarding” subsection contains three options. Checking “Query DNS servers sequentially” causes pfSense DNS Forwarder (dnsmasq) to query the DNS servers sequentially in the order specified at System -> General Setup under the DNS Servers tab, rather than all at once in parallel. Checking the “Require domain” checkbox will prevent DNS Forwarder from forwarding A or AAAA queries for plain names (without dots or domain parts) to upstream name servers. If the name is not known from /etc/hosts or DHCP, then a “not found” answer is returned. Finally, checking “Do not forward private reverse lookups” prevents DNS forwarder from forwarding reverse DNS lookups for private addresses (those defined as such in RFC 1918) to upstream name servers. Any entries in the “Domain Overrides” section forwarding “” private names to a specific server are still forwarded. If the IP to name is not known from /etc/hosts, DHCP or a specific domain override, then a “not found” answer is returned.

At “Listen Port“, you can specify a port used for responding to DNS queries (the default is 53), which is useful if another service needs to bind to TCP/UDP port 53. Under “Interfaces“, you can choose the IPs that will be used by the DNS Forwarder for responding to queries from clients. The default behavior is to respond to queries on every available IPv4 and IPv6 address. Each interface is listed twice; e.g. “WAN” and “WAN IPv6 Link-Local“; thus you can limit responses to those clients on a specific interface or clients on a specific interface with an IPv6 address. “Localhost” is also an option. If you check “Strict Interface Binding“, the DNS Forwarder will only bind to the interfaces containing the iP addresses selected in the “Interfaces” list box. This option does not work with IPv6. Finally, under “Advanced” you can enter any additional options you would like to add to the dnsmasq configuration, separated by a space or newline.

When you’re done configuring options in this section, press the “Save” button to save the changes, and on the next screen, press the “Apply changes” button.

External Links:

Undersanding DNS Forwarding at

DNS Forwarder at

Link Ads:

DHCP Server Configuration in pfSense


pfSense’s DHCP configuration page in the web GUI.

In the first four parts, I covered installation and setup from the LiveCD, general configurations in the web GUI, WAN and LAN configuration, and setting up a DMZ. In this part, I cover setting up a DHCP server within pfSense. In many scenarios, you will want your pfSense router to also act as a DHCP server. In this case, pfSense’s DHCP service will assign an IP address to any client who requests one.

To configure the DHCP server, go to Services -> DHCP Server. Choose the interface on which the DHCP Server will be active (in this case, I chose LAN). Check “Enable DHCP server on LAN interface“. The next option is “Deny Unknown Clients“. Enabling this option ensures that only clients with static DHCP mappings will receive an IP address. DHCP requests from all other clients will be ignored. If you enable this option, you will have to enter the static DHCP mappings at the bottom of the settings page. Static DHCP mappings will be covered in the next article.

Next, at “Range“, choose a range of IP addresses for DHCP clients to use. THe range must be contiguous and within the available range listed above “Range“.

The next setting is “WINS Servers“. WINS stands for Windows Internet Name Service, which is used to map NetBIOS names to IP addresses on Windows-based systems. Unless you are running a WINS server, you can leave this field blank. Next is “DNS Servers“. Here you can specify any DNS server to be automaticaly assigned to your DHCP clients. If left blank, pfSense will automatically assign DNS servers to your clients on one of the following two ways:

  • If DNS Forwarder is enabled, then the IP address of the interface is used. This is because the DNS Forwarder turns the pfSense machine into a DNS server, so the IP of the pfSense machine is assigned to each client.
  • If DNS Forwarder is not enabled, then the DNS servers entered on the “General Setup” page are used. And if “Allow DNS server list to be overridden by DHCP/PPP on WAN” is enabled in “General Setup”, then the DNS servers obtained through the WAN will be used instead.

The next option is “Gateway“. The interface gateway will be provided to clients by default (the static IP of the interface), but it can be overridden here if necessary.The domain name specified in the General Setup is used by default, but you can specify an alternative under “Domain Name”.

An alternative lease time can be specified under “Default Lease Time” for clients who do not request a specific expiration time. For those who request a specific expiration time, you can set an alternative under “Maximum Lease Time“.

CARP-configured systems can specify a fail-over IP address under “Failover Peer IP“. Enabling “Static ARP” will only allow clients with DHCP mappings to communicate with the firewall on this interface. Unknown clients will still receive an IP address from the DHCP server, but communication to the firewall will be blocked. [This differs from “Deny Unknown Clients“, where unknown clients won’t get an IP address.]

Dynamic DNS” enables clients to automatically register with the Dynamic DNS domain specified. Under “Additional BOOTP/DHCP Options” allows you to enter custom DHCP options.

Press the “Save” button to save the changes, and press the “Apply” button to apply changes, if necessary.

By now, your DHCP server should be up and running and ready to accept clients. In the next article, I will cover static DHCP mappings.

DHCP Configuration External Links:

DHCP server documentation at
BOOTP/DHCP options

© 2013 David Zientara. All rights reserved. Privacy Policy