I finished setting up High Availability on my network.
The fallback works as expected when the main pfSense goes offline.
An issue that I’m encountering is DNS resolution on the backup pfSense.
Whenever the second pfSense takes over as the main, I am unable to resolve any DNS to the internet. I am able to ping 1.1.1.1 without any issue, and even ping google.com without any issue, at the moment of googling anything I am hit with a DNS page error.
System/General Setup/DNS Server Settings
1.1.1.1
8.8.8.8
I should’ve been more specific. I am able to ping from pfsense2 to 1.1.1.1 and google.com. I am unable to ping 1.1.1.1 or google.com from my end user (laptop).
The DHCP status of the device appears as active in the backup pfsense. And in the end user running “ipconfig /all” I can see that the DHCP Server changes to the IP of the backup pfsense
Both apply. I am currently troubleshooting my Guest network, which uses DNS Resolver in pfSense. My other VLANs use Active Directory->PiHole.
I finished some more troubleshooting just now. It seems that if under Services/DHCP Server/VLAN/DNS servers I substitute the VLAN CARP IP 192.168.100.1 for an external IP 1.1.1.1 the DNS error gets fixed and browsing works.
This just makes me wonder why the VLAN CARP IP 192.168.100.1 does not work. I would think that this IP would point to pfSense DNS set up under System/General Setup/DNS (Which are 1.1.1.1 and 8.8.8.8)
When pfSense1 is Master:
pfSense1 router can ping 192.168.40.1
End user laptop can ping 192.168.40.1 (can browse without an issue)
pfSense2 cannot ping to 192.168.40.1
When pfSense2 is Master:
pfSense1 router is down
End user laptop cannot ping 192.168.40.1 (Cannot ping or browse anything)
pfSense2 router can ping 192.168.40.1
A topology map would be helpful for the wan and lan of the PFSense devices and the device that cannot ping it. It sounds like you have a route when the primary is up but do not when it is down.
I’m not sure how accurate this information is but in one of netgate youtube videos, they mention to delete outbound NAT if DMZ is enabled. [Minute 39:30]. He does not expand more on why, but this is the only information I’ve been able to gathered that is similar to my setup.
To follow my prior post. I deleted the Outbound rules for this specific VLAN and left them at default. DNS resolution is working now whenever pfSense2 becomes master.
This is what I have (No router between Comcast Modem and the pfSense firewalls). Both pfSense firewalls are connected directly to the modem as the it has six ethernet pots. The DMZ and internal IPv4 is also setup in Comcast modem.
Yes, both pfSense are using /24 subnet masks for CARP.
Without the outbound NAT configured to the CARP WAN IP, all VLANS are able to resolve DNS.
The only issue here now is about port forwarding rules. All port forwards have been changed to the WAN CARP IP. However, if a single VLAN happens to fail and pfSense2 becomes master only for that VLAN (Let’s say VOIP), the port forwards will still apply to pfSense1 as long as the device WAN is operational, and not pfSense2 where the VLAN is master. This causes incoming call issues
