Netgate Discussion Forum

VPN, email and webserver redundancy on multiple WANs with different IPs

Routing and Multi WAN
5 Posts 4 Posters 1.3k Views

deajan, Nov 14, 2013, 2:09 PM (last edited Nov 14, 2013, 2:22 PM)

    Hello,

    I'm hosting a website, have an email server and a VPN tunnel for mobile clients, all three behind a pfSense 2.1 box.
    The pfSense has 2 WAN connections, and I want to make full redundancy of everything.

    I have set two MX records of my domain to the public IPs of both WAN connections.
    I am thinking of making a dyndns entry that pfSense will update, on which both VPN and website are available.

    My thought: The dyndns entry will have a TTL of let's say 60 seconds, but dns propagation can take ages, and client dns cache can keep old addresses.

    Has anyone tried this kind of setup before? Or have a better solution?

    Thanks.

    NetPOWER.fr - some opensource stuff for IT people

    dotdash, Nov 19, 2013, 6:26 PM

      You can't do much with a public website, you just have to wait for cache to expire. I typically set up a secondary record for things like webmail or a VPN and just tell the end users, e.g. "If you can't hit mail.company.com for webmail, then try webmail.company.com." If you are using OpenVPN, you can have it listen on both IPs and add a custom option so it will try both IPs/URLs.

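The OpenVPN arrangement dotdash describes, written out as an added example (this is not a profile from the thread, nor one produced by pfSense's client export): a client profile with one `remote` line per WAN address. The addresses 1.2.3.4 and 4.3.2.1 are the placeholders used later in the thread; the port, the certificate file names and the server certificate's CN (`pfsense-openvpn-server`) are assumptions for illustration.

```conf
client
dev tun
proto udp
nobind

# One 'remote' per WAN address. OpenVPN walks the list and moves on when a
# host does not answer; remote-random shuffles the order so the client
# population is spread over both links instead of everyone trying the
# first one. A DNS name with two A records would also work here, but a
# literal address is not subject to the client's DNS cache or record TTL.
remote 1.2.3.4 1194
remote 4.3.2.1 1194
remote-random

# Never give up after a failed resolve or connect: keep cycling through the
# remotes until one of the WANs answers.
resolv-retry infinite
connect-retry 5
# Wait at most 10 s for a remote before trying the next one (OpenVPN 2.4
# and later call this option connect-timeout; the old name still works).
server-poll-timeout 10

persist-key
persist-tun

# Both addresses terminate on the same pfSense box, so one server
# certificate covers both: OpenVPN checks the certificate's purpose and
# (with verify-x509-name) its CN, not the address the client dialled.
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name "pfsense-openvpn-server" name

verb 3
```

On the pfSense side this assumes the OpenVPN server is bound to an interface setting that covers both WAN addresses (or one server instance per WAN) and that each WAN has a firewall rule passing UDP/1194; the exported client profile normally carries a single `remote`, so the second line is added to it by hand.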
      timthetortoise, Nov 21, 2013, 7:53 PM (last edited Nov 21, 2013, 7:59 PM)

        You can set up multiple A records for a single domain, that way if one's down people have at least a chance of getting to the other.

        For example, I configure all my clients for VPN with vpn.domain.com. An nslookup on vpn.domain.com returns:

        Server:        8.8.8.8
        Address:        8.8.8.8#53

        Non-authoritative answer:
        Name:  vpn.domain.com
        Address: 1.2.3.4
        Name:  vpn.domain.com
        Address: 4.3.2.1

        Sometimes it will connect to 4.3.2.1, sometimes 1.2.3.4. As long as the service is configured for each interface, it doesn't really matter which one it hits. My TTLs are set to 30 minutes, so if there's an extended outage I just pull the downed IP out of DNS and it propagates within a couple of hours to 99% of my clients. When it's back up, I add it back in. There are much better solutions out there, but this is good for a quick and dirty fix.

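The multiple-A-record approach above relies on the client doing something sensible with the second address. A resolver hands back the whole record set (in rotating order), so a client that only ever tries the first entry still fails about half the time while one WAN is down, whereas a browser, a mail client or OpenVPN with several `remote` lines will fall through to the next address. The following is an added example, not code from the thread: a small Python client that resolves every A record of a name and tries each one with a short timeout. `vpn.domain.com`, 1.2.3.4 and 4.3.2.1 are the placeholders from timthetortoise's post; the port (443, a TCP service standing in for the website or webmail) and the function names are my own.

```python
"""Client-side fallback across the A records of one hostname (added example)."""
import socket
from typing import Callable, List, Sequence, Tuple

Endpoint = Tuple[str, int]


def resolve_all(hostname: str, port: int) -> List[Endpoint]:
    """Return every IPv4 endpoint the stub resolver returns for hostname.

    getaddrinfo() returns the full A record set (subject to the local cache
    and the record's TTL), so a name with one A record per WAN yields two
    entries, usually in a different order on each lookup.
    """
    seen: List[Endpoint] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, port, socket.AF_INET, socket.SOCK_STREAM
    ):
        endpoint = (sockaddr[0], sockaddr[1])
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


def connect_any(
    endpoints: Sequence[Endpoint],
    timeout: float = 3.0,
    connect: Callable[..., object] = socket.create_connection,
) -> Tuple[object, Endpoint]:
    """Try each endpoint in order; return (connection, endpoint) for the first success.

    'connect' defaults to socket.create_connection and is injectable so the
    fallback logic can be exercised without a network. The per-attempt
    timeout matters: a WAN that is down usually drops packets rather than
    refusing them, so without it the first attempt hangs for the OS default
    (minutes) before the second address is ever tried.
    """
    failures: List[str] = []
    for endpoint in endpoints:
        try:
            return connect(endpoint, timeout=timeout), endpoint
        except OSError as exc:
            failures.append("%s:%d -> %s" % (endpoint[0], endpoint[1], exc))
    raise OSError("all %d endpoints failed: %s" % (len(failures), "; ".join(failures)))


def main() -> None:
    # vpn.domain.com is the placeholder name used in the thread; on a real
    # network it will not resolve, so this only shows the flow.
    try:
        endpoints = resolve_all("vpn.domain.com", 443)
    except socket.gaierror as exc:
        print("resolution failed:", exc)
        return
    print("A records:", [ip for ip, _ in endpoints])
    try:
        conn, used = connect_any(endpoints)
        print("connected via %s:%d" % used)
        conn.close()  # type: ignore[attr-defined]
    except OSError as exc:
        print(exc)


if __name__ == "__main__":
    main()
```

To see what your own clients are being handed, including the TTL that governs how long they will keep a withdrawn address, `dig +noall +answer vpn.domain.com` lists every A record with its remaining TTL.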
        deajan, Feb 3, 2014, 6:33 PM

          Wow, didn't notice the reply.
          Thank you for your method.

          NetPOWER.fr - some opensource stuff for IT people

          SysIT, Feb 4, 2014, 7:50 PM

            Good solutions, the next one would likely be a paid DNS failover service to do this automagically!

            ¸,ø¤°`°¤ø,¸© Poor Planning On Your Part Does Not Constitute An Emergency On My Part ©¸,ø¤°`°¤ø,¸
            ¸,ø¤°`°¤ø,¸© The trouble with life is there’s no background music ©¸,ø¤°`°¤ø,¸
            ¸,ø¤°`°¤ø,¸© Life isn't short, you're just dead for too long ©¸,ø¤°`°¤ø,¸

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.