Incoming dual WAN (or 2-pfsense) NAT + DNS Question



  • My question involves Incoming fail-over protection for the servers behind the firewall. If 1 high-speed ISP goes down, the other is used for incoming connections. Each pfsense box contains matching nat/rules to the server(s) behind. The primary DNS server is also behind the firewall(s). A secondary DNS server is hosted off-site on a completely different network. My thought in this design is if ISP-1 goes down, DNS requests are sent to Secondary DNS-2 which contains A records pointing to ISP-2 for the domain.com.

    I see a lot of discussion regarding outgoing dual WAN; does anyone have any good reading/network strategies for incoming dual WAN + DNS fail-over?

    Is the attached image network scheme worth exploring, or are there better ways of achieving this? Would 2 pfSense boxes be required, or perhaps 1 with 2 WANs?

    I greatly appreciate all the input!!


  • Rebel Alliance Developer Netgate

    Without doing BGP and sharing the same IPs between both ISPs, what you want isn't really feasible.

    Some people will put a really low TTL on their DNS and switch the DNS entries when a WAN goes down, but that isn't really reliable in most scenarios. Some clients/places will cache DNS longer than desired even with a low TTL, so you may still have downtime.
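The caching behaviour described in the reply above, as an added example (it is not code from the original thread, from pfSense or from Netgate): a small simulation of a recursive resolver's cache that shows why a low published TTL does not bound client downtime. The names, addresses and the 60 s TTL are constructed; the "minimum TTL floor" models resolvers that are configured to cache no shorter than a fixed interval regardless of what the zone advertises, which is one way clients end up holding the ISP-1 address long after the A record has been switched to ISP-2.

```python
"""Client-side view of a low-TTL DNS fail-over (constructed example).

Assumptions (all constructed for illustration):
  * the zone publishes www.example.com with a 60 s TTL;
  * when ISP-1 fails (t = 0) the operator switches the A record from the
    ISP-1 address to the ISP-2 address on the authoritative servers;
  * some recursive resolvers enforce a minimum cache TTL ("floor") that
    overrides the published value.
The code models the resolver cache only; it does not talk to real DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

ISP1_ADDR = "192.0.2.10"     # constructed (documentation range), reached via ISP-1
ISP2_ADDR = "198.51.100.10"  # constructed (documentation range), reached via ISP-2
PUBLISHED_TTL = 60           # TTL the zone advertises, in seconds
NAME = "www.example.com"     # constructed hostname


@dataclass
class Authoritative:
    """Authoritative answer as served by DNS-1/DNS-2 before and after the flip."""
    failover_at: float

    def answer(self, name: str, now: float) -> Tuple[str, int]:
        addr = ISP2_ADDR if now >= self.failover_at else ISP1_ADDR
        return addr, PUBLISHED_TTL


@dataclass
class Resolver:
    """Recursive resolver cache; min_ttl > 0 models a configured TTL floor."""
    auth: Authoritative
    min_ttl: int = 0
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str, now: float) -> str:
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                       # still fresh by the resolver's rules
        addr, ttl = self.auth.answer(name, now)
        self.cache[name] = (addr, now + max(ttl, self.min_ttl))
        return addr


def stale_window(min_ttl: int, last_query_before_failover: float,
                 failover_at: float = 0.0) -> float:
    """Seconds after the record switch during which clients of this resolver
    are still handed the dead ISP-1 address.

    last_query_before_failover: when the resolver last filled its cache
    (negative values mean 'that many seconds before the fail-over').
    """
    r = Resolver(Authoritative(failover_at), min_ttl)
    r.resolve(NAME, last_query_before_failover)  # warm the cache with the old answer
    t = failover_at
    while r.resolve(NAME, t) == ISP1_ADDR:
        t += 1.0
    return t - failover_at


if __name__ == "__main__":
    for floor in (0, 300, 3600):
        print(f"TTL floor {floor:>4} s: worst-case stale window "
              f"{stale_window(floor, last_query_before_failover=-1):.0f} s")
```

With no floor, the worst case is the published 60 s (a client that refreshed one second before the outage); with a 300 s or 3600 s floor the same client keeps sending traffic to the dead ISP-1 address for five minutes or an hour, which is the "longer than desired" caching the reply refers to. The floor is only one cause; application-level caches, browsers and stub resolvers that ignore TTL entirely have the same effect and are not controllable from the zone.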

