Interface and DNS Configuration

The first two items to configure for Multi-WAN are Interfaces and DNS.

Interface Configuration

Set up the primary WAN as previously described in Setup Wizard. Then for the additional WAN interfaces, perform the following tasks:

  • Assign the interfaces if they do not yet exist

  • Visit the Interfaces menu entry for each additional WAN (e.g. Interfaces > OPT1)

  • Enable the interface

  • Enter a suitable name, such as WAN2

  • Select the desired type of IP address configuration depending on the Internet connection type.

  • Enter the remaining details for the type of WAN. For example, on static IP connections, fill in the IP address, subnet mask, and add or select a gateway.

DNS Server Configuration

If the DNS Forwarder is in use, or if the DNS Resolver will be used in forwarding mode, pfSense® must be configured with DNS servers from each WAN connection to ensure it is always able to resolve DNS. This is especially important if the internal network uses the firewall for DNS resolution.

If the DNS servers from only a single WAN are used, an outage of that WAN connection will result in a complete Internet outage regardless of policy routing configuration since DNS will no longer function.

DNS Resolver Configuration

The DNS Resolver can work with Multi-WAN but the exact configuration depends on the desired behavior and current settings.

If DNSSEC must be used and the configured DNS servers do not support DNSSEC, then forwarding mode cannot be enabled. This can still function with Multi-WAN but requires Default Gateway Switching. See Default Gateway Switching.

If DNSSEC is not a requirement for this firewall, or the configured DNS servers support DNSSEC, then the following procedure may be performed instead:

  • Set at least one DNS server per WAN under System > General Setup, as described in the next section.

  • Check Enable Forwarding Mode under Services > DNS Resolver

  • Uncheck Enable DNSSEC Support if the configured upstream DNS servers do not support DNSSEC

DNS Servers and Static Routes

When using the DNS Forwarder or the DNS Resolver in forwarding mode, pfSense uses its routing table to reach the configured DNS servers. This means without any static routes configured, it will only use the primary WAN connection to reach DNS servers. Gateways must be selected for each DNS server defined on the firewall so pfSense will use the correct WAN interface to reach that DNS server. DNS servers that come from dynamic gateways are automatically routed back out the proper path. At least one gateway from each WAN should be selected where possible.

To configure the DNS server gateways:

  • Navigate to System > General Setup

  • Define at least one unique DNS server for each WAN (up to four).

  • For each DNS server, select an appropriate gateway so it uses a specific WAN interface


The same DNS server cannot be entered more than once. Each entry must be unique.

Selecting gateways for DNS servers is required for several reasons. First, most ISPs prohibit recursive queries from hosts outside their network, hence the firewall must use the correct WAN interface when accessing DNS servers for a specific ISP. Second, if the primary WAN fails and the firewall does not have a gateway chosen for one of the other DNS servers, the firewall will lose all DNS resolution ability from the firewall itself. Access to DNS is lost in that situation because all DNS servers will be unreachable when the default gateway is unreachable. If pfSense is used as a DNS server for the local network, this will result in a complete failure of DNS.
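The rules above can be checked before a WAN outage does it for you. The following is an added example, not part of the pfSense software or its documentation: it audits a DNS server plan and simulates the loss of each WAN. The function name, gateway names, and addresses are hypothetical, and the model assumes Default Gateway Switching is off, so a DNS server with no gateway selected always follows the primary WAN.

```python
# Constructed sample data: gateway name -> WAN, and (DNS server, gateway) pairs.
GATEWAYS = {"WAN_GW": "WAN", "WAN2_GW": "WAN2"}
WEAK_PLAN = [("192.0.2.53", None), ("192.0.2.54", None)]
GOOD_PLAN = [("192.0.2.53", "WAN_GW"), ("198.51.100.53", "WAN2_GW")]

def audit_dns_plan(dns_servers, gateways, default_gw):
    """Check a DNS server plan against the rules in this section.

    dns_servers: list of (ip, gateway name or None) as entered in General Setup.
    gateways: dict mapping gateway name to WAN name.
    default_gw: gateway followed by servers that have no gateway selected.
    Returns (problems, survivors); survivors maps each WAN to the DNS servers
    still reachable while that WAN alone is down."""
    problems = []
    if len(dns_servers) > 4:
        problems.append("more than four DNS servers defined")
    seen = set()
    for ip, gw in dns_servers:
        if ip in seen:
            problems.append(f"duplicate DNS server {ip}")
        seen.add(ip)
        if gw is None:
            problems.append(f"{ip} has no gateway; it follows the default route")
        elif gw not in gateways:
            problems.append(f"{ip} uses unknown gateway {gw}")

    # Resolve a gateway choice to the WAN that carries the query.
    def wan_of(gw):
        return gateways.get(gw if gw is not None else default_gw)
    covered = {wan_of(gw) for _, gw in dns_servers}
    for wan in sorted(set(gateways.values()) - covered):
        problems.append(f"{wan} has no DNS server routed through it")

    # Fail each WAN in turn and list the servers that stay reachable.
    survivors = {}
    for wan in sorted(set(gateways.values())):
        survivors[wan] = [ip for ip, gw in dns_servers if wan_of(gw) not in (wan, None)]
        if not survivors[wan]:
            problems.append(f"DNS fails completely if {wan} goes down")
    return problems, survivors

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("good", GOOD_PLAN)):
        problems, survivors = audit_dns_plan(plan, GATEWAYS, "WAN_GW")
        print(name, survivors)
        for p in problems:
            print("  -", p)
```
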

When using the DNS Resolver with forwarding mode disabled, the unbound daemon speaks directly to the root DNS servers and other authoritative DNS servers, which makes using such static routes and gateway assignments impossible. In that case, Default Gateway Switching is required so that the unbound daemon can maintain outbound connectivity.

Scaling to Large Numbers of WAN Interfaces

Numerous pfSense users deploy 6-12 Internet connections on a single installation. One pfSense user has 10 DSL lines because in his country it is significantly cheaper to get ten 256 Kb connections than it is one 2.5 Mb connection. That customer uses pfSense to load balance a large number of internal machines across 10 different connections. For more information on this scale of deployment, see Multi-WAN on a Stick later in this chapter.