Netgate Discussion Forum
    VPN, email and webserver redundancy on multiple WANs with different IPs

    Routing and Multi WAN
    5 Posts, 4 Posters, 1.3k Views
      deajan:

      Hello,

      I'm hosting a website, have an email server and a VPN tunnel for mobile clients, all three behind a pfSense 2.1 box.
      The pfSense has 2 WAN connections, and I want to make full redundancy of everything.

      I have set two MX records of my domain to the public IPs of both WAN connections.
      I am thinking of making a dyndns entry that pfSense will update, on which both VPN and website are available.

      My thought: The dyndns entry will have a TTL of let's say 60 seconds, but dns propagation can take ages, and client dns cache can keep old addresses.

      Has anyone tried this kind of setup before? Or have a better solution?

      Thanks.

      NetPOWER.fr - some opensource stuff for IT people

        dotdash:

        You can't do much with a public website, you just have to wait for cache to expire. I typically set up a secondary record for things like webmail or a VPN and just tell the end users, e.g. "If you can't hit mail.company.com for webmail, then try webmail.company.com." If you are using OpenVPN, you can have it listen on both IPs and add a custom option so it will try both IPs/URLs.

          timthetortoise:

          You can set up multiple A records for a single domain, that way if one's down people have at least a chance of getting to the other.

          For example, I configure all my clients for VPN with vpn.domain.com. An nslookup on vpn.domain.com returns:

          Server:        8.8.8.8
          Address:        8.8.8.8#53

          Non-authoritative answer:
          Name:  vpn.domain.com
          Address: 1.2.3.4
          Name:  vpn.domain.com
          Address: 4.3.2.1

          Sometimes it will connect to 4.3.2.1, sometimes 1.2.3.4. As long as the service is configured for each interface, it doesn't really matter which one it hits. My TTLs are set to 30 minutes, so if there's an extended outage I just pull the downed IP out of DNS and it propagates within a couple hours to 99% of my clients. When it's back up, I add it back in. There are much better solutions out there, but this is good for a quick and dirty fix.

            deajan:
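The two posts above (dotdash's "have it try both IPs" and timthetortoise's two A records for vpn.domain.com) both rely on the client falling through to the second address when the first WAN is dead. The script below is an added example, not code from any poster or from pfSense: it parses the nslookup answer quoted above (embedded as constructed sample input so it runs offline), then tries the records in random order, the way a client fed round-robin DNS would, until one answers. Assumptions: the service is probed on TCP port 1194, which is only meaningful if the VPN or web service actually listens on TCP (OpenVPN defaults to UDP), and in the offline run the address 1.2.3.4 is taken to be the WAN that is down.

```python
"""Client-side fallback across every A record of a multi-WAN service.

Added example for the thread above; not the posters' or pfSense's code.
Assumed: TCP port 1194 is the service port, and 1.2.3.4 is the dead WAN
in the offline simulation.
"""
import random
import re
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample input: the nslookup answer quoted in the thread.
NSLOOKUP_OUTPUT = """\
Server:        8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:  vpn.domain.com
Address: 1.2.3.4
Name:  vpn.domain.com
Address: 4.3.2.1
"""

Probe = Callable[[str, int], bool]


def parse_nslookup(text: str, name: str) -> List[str]:
    """Return the IPv4 A records nslookup printed for `name`.

    The resolver's own 'Server:/Address: 8.8.8.8#53' header is skipped:
    no 'Name:' line precedes it and its '#port' suffix fails the regex.
    """
    addrs: List[str] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"\s*Name:\s+(\S+)\s*$", line)
        if m:
            current = m.group(1).rstrip(".")
            continue
        m = re.match(r"\s*Address:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if m and current == name:
            addrs.append(m.group(1))
    return addrs


def resolve_all(name: str, port: int) -> List[str]:
    """Live equivalent of the nslookup above: every A record, deduplicated."""
    infos = socket.getaddrinfo(name, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_probe(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Real reachability check: complete a TCP handshake within `timeout`."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(addrs: List[str], port: int, probe: Probe = tcp_probe,
                    rng: Optional[random.Random] = None
                    ) -> Tuple[Optional[str], List[str]]:
    """Behave like a client fed round-robin DNS: try the records in a random
    order and fall through to the next one on failure.

    Returns (address that answered or None, addresses tried in order).
    A client that only tries the first record it is handed has about a
    50% chance of hitting the dead WAN; this loop removes that chance.
    """
    order = list(addrs)
    (rng or random.Random()).shuffle(order)
    tried: List[str] = []
    for addr in order:
        tried.append(addr)
        if probe(addr, port):
            return addr, tried
    return None, tried


def simulate_one_wan_down(down: str = "1.2.3.4") -> Tuple[Optional[str], List[str]]:
    """Offline run: WAN `down` is out (assumed), the other record still answers."""
    addrs = parse_nslookup(NSLOOKUP_OUTPUT, "vpn.domain.com")
    fake_probe: Probe = lambda addr, port: addr != down
    return first_reachable(addrs, 1194, probe=fake_probe, rng=random.Random(7))


if __name__ == "__main__":
    chosen, tried = simulate_one_wan_down()
    print(f"connected to {chosen} after trying {tried}")
    # Live use (needs network):
    # first_reachable(resolve_all("vpn.domain.com", 1194), 1194)
```

The fall-through is the part a plain browser or mail client may or may not do for you, which is why the thread still recommends pulling a dead IP out of DNS during a long outage. OpenVPN clients do it natively when the client config lists several `remote` entries, which is the "custom option" dotdash refers to; the script is for checking that behaviour, or for any client that lacks it.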

            Wow, didn't notice the reply.
            Thank you for your method.


              SysIT:

              Good solutions; the next one would likely be a paid DNS failover service to do this automagically!

              ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
              ¸,ø¤°`°¤ø,¸© The trouble with life is there’s no background music ©¸,ø¤°`°¤ø,¸
              ¸,ø¤°`°¤ø,¸© Life isn't short, you're just dead for too long ©¸,ø¤°`°¤ø,¸

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.