DMZ with dual-WAN

  • Hello everybody,

    I would like to set up a DMZ behind a dual-WAN in failover mode.
    Each WAN corresponds to one ISP, which provided me with 2 specific pools (public IP addresses).
    For instance:
    WAN1 (preferred link): X.X.197.0/29 (GW: X.X.197.1)
    WAN2 (backup link): X.X.198.0/29 (GW: X.X.198.1)

    There are three issues:

    1. Servers in DMZ have to be reached from both links (in turn).
    2. I can only assign one IP address to some DMZ servers (IoT).
    3. Some servers in DMZ have to be reached by their name and not IP.

    Can pfSense handle this? Any ideas or advice?

    Thank you very much.
    Best regards.

  • Are you trying to access the same server from the 2 WANs?
    You want your server to be accessible from 2 IPs!?
    If so, you need to use DDNS with your domain to update the IP if one WAN fails.

  • Thank you for the answer.
    Yes, I would like to access the same server from 2 WANs (not the same IPs).
    I will learn about dynamic DNS.

    However, which IP address should I assign to my server?
    Should I use a DMZ based on public or private IP addresses?
    Should I set up a NAT?

  • @Auguste Sorry, I didn't notice the typo. Yes, I think DDNS would allow you to add your domain (not free) with an IP that would update according to the default WAN on pfSense. You can add your DDNS account on pfSense to do the IP update, but I don't know if it's reliable (I had issues with it in the past, idk now). Try it.
    Or you can just set up a DDNS app on one of your servers or on a client so that it updates the public IP to the currently active one.
    I would assume that you know you need to create a failover group for your two WANs.
    Also look into HAProxy for pfSense; I don't know much about it, but it might be useful to you.

    Finally, for DMZ vs public IP: I read here it's recommended to use a DMZ with private IPs and set up NAT. I'm currently using this setup. You just port forward on the 2 WANs. This is
    if you only have 1 server per WAN.
    If you have multiple like I do, your ISPs should give you a public IP range; then you can create Virtual IPs on pfSense and do 1:1 NAT to port forward from each virtual IP to your private IP server.

  • I am also facing issues regarding this issue, but in the meantime I can solve it with the reference of this IP.

  • LAYER 8 Moderator

    @Auguste / @Tehzie223

    Should I use a DMZ based on public or private IP addresses?

    If you want your servers in your DMZ be accessible via either WAN1 or WAN2, you have to do one of two things:

    a) if you have more than 1 IP for your WAN1/2 setup - say a /29 or bigger network segment - assign your server an address from both pools and set up its DNS name with both IPs as A records. That would be DNS round-robin as you can't exactly steer which IP the client would take to resolve the DNS and access the client

    or more likely use

    b) assign your DMZ an RFC1918 private IP range not used anywhere else. Then set up port forwards on the public IPs you want that server to respond to on both WAN1/WAN2 to that private IP on the DMZ. As pf NAT rules will automatically add "reply-to" clauses to the rules, your traffic will go back the way it came in, so if you access the service via a.b.c.d via WAN1 you'll get the answer packets back through WAN1 to your client. If you access it via x.y.z.a via WAN2 it will work, too.

    With b) you can access it via IPs on either WAN1/2 at any time. Calling it via DNS name, you could either use a single name with both IPs as A records and have the same round-robin as in a) above, or use multiple DNS names, say "myservice-1.domain.tld" and "myservice-2.domain.tld", and link those two names to the WAN1/WAN2 address and use it accordingly.
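    As an added illustration of option b) that is not part of the moderator's post or of pfSense's generated ruleset, here is what the resulting pf rules look like in pf.conf syntax (pfSense writes equivalent rules itself from the NAT/Port Forward GUI). Interface names (igb0/igb1), the virtual IPs X.X.197.2 and X.X.198.2 taken from the two /29 pools, the gateways from the original question, and the DMZ host 10.10.10.10 are all assumptions for the example; the two Virtual IPs must exist as IP Aliases on the respective WAN before the rdr rules can answer for them.

```pf
# Assumed interfaces, gateways and addresses (not from the thread)
wan1_if = "igb0"              # WAN1, preferred ISP link
wan2_if = "igb1"              # WAN2, backup ISP link
wan1_gw = "X.X.197.1"         # WAN1 gateway (from the question)
wan2_gw = "X.X.198.1"         # WAN2 gateway (from the question)
wan1_vip = "X.X.197.2"        # IP Alias VIP on WAN1 (assumed)
wan2_vip = "X.X.198.2"        # IP Alias VIP on WAN2 (assumed)
dmz_srv = "10.10.10.10"       # RFC1918 DMZ host (assumed)
svc_port = "443"

# Port forward: each WAN's public VIP maps to the same private DMZ host
rdr on $wan1_if inet proto tcp from any to $wan1_vip port $svc_port -> $dmz_srv port $svc_port
rdr on $wan2_if inet proto tcp from any to $wan2_vip port $svc_port -> $dmz_srv port $svc_port

# Pass rules for the forwarded traffic. reply-to pins replies for each state
# to the interface/gateway the connection arrived on, so a session that came
# in on WAN2 is answered via WAN2 even while WAN1 is the default route.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp \
    from any to $dmz_srv port $svc_port flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $dmz_srv port $svc_port flags S/SA keep state
```

    Two checks worth doing after applying the equivalent GUI rules: `pfctl -vvsr` should show the `reply-to` clause on both WAN pass rules (if "Disable reply-to" is set in System > Advanced > Firewall & NAT it will be missing and WAN2 sessions will be answered out WAN1), and `pfctl -ss` while connecting through the backup VIP should list the state on the WAN2 interface.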
