VPN, email and webserver redundancy on multiple WANs with different IPs



  • Hello,

    I'm hosting a website, have an email server and a VPN tunnel for mobile clients, all three behind a pfSense 2.1 box.
    The pfSense has 2 WAN connections, and I want to make full redundancy of everything.

    I have set two MX records of my domain to the public IPs of both WAN connections.
    I am thinking of making a dyndns entry that pfSense will update, on which both VPN and website are available.

    My thought: the dyndns entry will have a TTL of, let's say, 60 seconds, but DNS propagation can take ages, and client DNS cache can keep old addresses.

    Has anyone tried this kind of setup before? Or does anyone have a better solution?

    Thanks.



  • You can't do much with a public website, you just have to wait for the cache to expire. I typically set up a secondary record for things like webmail or a VPN and just tell the end users, e.g. "If you can't hit mail.company.com for webmail, then try webmail.company.com." If you are using OpenVPN, you can have it listen on both IPs and add a custom option so it will try both IPs/URLs.



  • You can set up multiple A records for a single domain; that way, if one's down, people at least have a chance of getting to the other.

    For example, I configure all my clients for VPN with vpn.domain.com. An nslookup on vpn.domain.com returns:

    Server:        8.8.8.8
    Address:        8.8.8.8#53

    Non-authoritative answer:
    Name:  vpn.domain.com
    Address: 1.2.3.4
    Name:  vpn.domain.com
    Address: 4.3.2.1

    Sometimes it will connect to 4.3.2.1, sometimes 1.2.3.4. As long as the service is configured for each interface, it doesn't really matter which one it hits. My TTLs are set to 30 minutes, so if there's an extended outage I just pull the downed IP out of DNS and it propagates within a couple hours to 99% of my clients. When it's back up, I add it back in. There are much better solutions out there, but this is good for a quick and dirty fix.
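    An added example (not code from any post in this thread) showing the client-side behaviour the multiple-A-record approach above depends on: resolve every address published for the VPN or webmail host, then fall back through them until one accepts a TCP connection, and report which published addresses are currently reachable. The hostname, port and IP addresses below are placeholders.

```python
import socket
from typing import Callable, Dict, List, Optional

# Signature of a reachability probe: (address, port) -> True if a TCP connection succeeds.
Probe = Callable[[str, int], bool]


def resolve_all(hostname: str, port: int) -> List[str]:
    """Return every A/AAAA address the resolver hands back for hostname, in resolver order.

    With two A records (one per WAN), this yields both public IPs, so the caller can
    try the second one when the first WAN is down instead of waiting for DNS to change.
    """
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, port, type=socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: attempt a TCP connect with a short timeout so a dead WAN fails fast."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(addresses: List[str], port: int, probe: Probe = tcp_reachable) -> Optional[str]:
    """Walk the published addresses in order and return the first one that answers, or None."""
    for addr in addresses:
        if probe(addr, port):
            return addr
    return None


def address_health(addresses: List[str], port: int, probe: Probe = tcp_reachable) -> Dict[str, bool]:
    """Check every published address, so an operator notices a downed WAN still in DNS."""
    return {addr: probe(addr, port) for addr in addresses}


if __name__ == "__main__":
    # Placeholder host/port; in practice use your own record, e.g. vpn.domain.com:1194.
    published = resolve_all("vpn.example.invalid", 443) if False else ["1.2.3.4", "4.3.2.1"]
    print("reachable:", first_reachable(published, 443))
    print("health:", address_health(published, 443))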



  • Wow, I didn't notice the reply.
    Thank you for your method.



  • Good solutions, the next one would likely be a paid DNS failover service to do this automagically!

