DMZ with dual-WAN

  • Hello everybody,

    I would like to set up a DMZ behind a dual-WAN in failover mode.
    Each WAN corresponds to one ISP, which provided me with 2 specific pools (public IP addresses).
    For instance:
    WAN1 (preferred link): X.X.197.0/29 (GW: X.X.197.1)
    WAN2 (backup link): X.X.198.0/29 (GW: X.X.198.1)

    There are three issues:

    1. Servers in DMZ have to be reached from both links (in turns).
    2. I can only assign one IP address to some DMZ servers (IoT).
    3. Some servers in DMZ have to be reached by their name and not IP.

    Can pfSense handle this? Any ideas or advices?

    Thank you very much.
    Best regards.

  • are you trying to access the same server from the 2 wans,??
    you want your server to be accessible from 2 ips!?
    if so you need to us ddns with your domain to update the ip if on wan fails.

  • Thank you for the answer.
    Yes, I would like to access to the same server from 2 WANS (not the same IPS).
    I will learn about dynamic dns.

    However, which IP address should I assign to my server?
    Should I use a DMZ based on public or private IP addresses?
    Should I set up a NAT?

  • @Auguste sorry i didn't notice the typo, yes i think ddns would allow you to add your domain (not free) with a ip that would update according to what default wan on pfsense. you can add your ddns account on pfsense to do the ip update but i know if it's reliable (i had issues with it in the past idk now) . try it.
    or you can just setup ddns app on one of your servers or on client so that it's updates the public ip the currently active.
    i would assume that you know you need to create a failover group for your two wans.
    also look into haproxy for pfsense i don't know much about it but i might be useful to you.

    finally, for dms vs public ip. i read here it's recommended to use dms private ip and setup nat. I'm currently using this setup. you just portfl forward on the 2 wans. this
    if you only have 1 server per wan.
    if you have multiple like I'm, your ips should give public ip range then you can create Virtual IPs on pfsense and do 1:1 nat to port forward from each virtual ip to your private ip server.

Log in to reply