Interface and DNS Configuration¶
The first two items to configure for Multi-WAN are Interfaces and DNS.
Setup the primary WAN as previously described in Setup Wizard. Then for the additional WAN interfaces, perform the following tasks:
Assign the interfaces if they do not yet exist
Visit the Interfaces menu entry for each additional WAN (e.g. Interfaces > OPT1)
Enable the interface
Enter a suitable name, such as
Select the desired type of IP address configuration depending on the Internet connection type.
Enter the remaining details for the type of WAN. For example, on static IP connections, fill in the IP address, subnet mask, and add or select a gateway.
DNS Server Configuration¶
If the DNS Resolver will be used in forwarding mode or if the DNS Forwarder is in use, the firewall must be configured with DNS servers from each WAN connection to ensure it is always able to resolve DNS. This is especially important if the internal network uses the firewall for DNS resolution.
If the firewall configuration only includes DNS servers from a single WAN, an outage of that WAN connection will result in a complete Internet outage regardless of policy routing configuration since DNS will no longer function.
DNS Resolver Configuration¶
The DNS Resolver can work with Multi-WAN but the exact configuration depends on the desired behavior and current settings.
If the DNS Resolver must work in its default resolver mode, such as for environments which require DNSSEC, then forwarding mode cannot be enabled. This can still function with Multi-WAN but requires using failover for the default gateway. See Managing the Default Gateway.
If the DNS Resolver can use forwarding mode, then the following procedure may be performed instead:
Set at least one DNS server per WAN under System > General Setup, as described in the next section
Check Enable Forwarding Mode under Services > DNS Resolver
Uncheck Enable DNSSEC Support
DNS Servers and Static Routes¶
When using the DNS Forwarder or the DNS Resolver in forwarding mode, the firewall uses its routing table to reach the configured DNS servers. This means without any static routes configured, it will only use the primary WAN connection to reach DNS servers. Gateways must be selected for each DNS server defined on the firewall to use the correct WAN interface to reach that DNS server. DNS servers that come from dynamic gateways are automatically routed back out the proper path. At least one gateway from each WAN should be selected where possible.
To configure the DNS server gateways:
Navigate to System > General Setup
Define at least one unique DNS server for each WAN
For each DNS server, select an appropriate gateway so it uses a specific WAN interface
The same DNS server cannot be entered more than once. Each entry must be unique.
Selecting gateways for DNS servers is required for several reasons. One, most ISPs prohibit recursive queries from hosts outside their network, hence the firewall must use the correct WAN interface when accessing DNS servers for a specific ISP. Secondly, if the primary WAN fails and the firewall does not have a gateway chosen for one of the other DNS servers, the firewall will lose all DNS resolution ability from the firewall itself. Access to DNS is lost in that situation because all DNS servers will be unreachable when the default gateway is unreachable. If the firewall is used as a DNS server for the local network, this will result in a complete failure of DNS.
When using the DNS Resolver with forwarding mode disabled, the
daemon speaks directly to the root DNS servers and other authoritative DNS
servers, which makes using such static routes and gateway assignments
impossible. In that case, configure failover for the default gateway
(Managing the Default Gateway) so that the DNS Resolver can maintain
Scaling to Large Numbers of WAN Interfaces¶
There are numerous users of pfSense® software deploying 6-12 Internet connections on a single installation. One user has 10 DSL lines because in his country it is significantly cheaper to get ten 256 Kb connections than it is one 2.5 Mb connection. That customer load balances a large number of internal machines out 10 different connections. For more information on this scale of deployment, see Multi-WAN on a Stick later in this chapter.