Multi-wan failover inbound

I’m running pfSense 22.01 on a Netgate 3100. This is my home lab system.

I have a multi-wan setup with fiber ($70) as my main line and cable ($20) as my backup. I have configured the gateway groups to failover to cable when my primary fiber fails. I never notice but I feel like I have continuous connectivity to the internet. Works great on outbound queries.

I also have a web site running on one of my internal LAN servers that hosts family photos. Generally it works fine and I have a dynamic IP hooked up through DigitalOcean with a wildcard cert (Let’s Encrypt) that works fine. I use HAProxy for that and I have a few other servers using subdomain names.

Currently the above only works for my fiber wan connection so if it dies… no web site.

What are the tricks required to set up some kind of external DNS tracking that determines the appropriate IP address to hit from a request on my domain name? It’s like I think I need dynamic dynamic DNS service for 2 WANs that can determine which one is up or down and route appropriately.

I’d like the cable IP to stand in for my fiber IP including the wildcard cert and subdomain access (managed by HAProxy) when the failover happens but maybe that’s asking too much. :wink:

What is this even called?

Any tips appreciated.


Not sure what free services offer DNS failover, but there are commercial services that do, such as DNS Failover | DNS Made Easy.

Closest quick web search match is:
Multiple WAN Connections — Multi-WAN Caveats and Considerations | pfSense Documentation.

"Dynamic DNS

Dynamic DNS entries can be set using a gateway group for their interface. This will move a Dynamic DNS entry between WANs in failover mode, allowing a public hostname to shift from one WAN to another in case of failure."

I believe this means the Netgate must determine one of the gateway group members has failed, and will use the standard dynamic DNS update method to update the dynamic DNS provider with the current IP address of the surviving group member WAN interface.

Caveat: I have no experience on the Netgate.
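
The failover behaviour discussed in this thread, modelled as an added example that is not part of the thread and not pfSense code: a tiered gateway group picks the surviving WAN and a dynamic DNS update is issued only when the published address changes. The hostname, IP addresses, probe samples and the `down_after` consecutive-failure threshold are constructed assumptions, not pfSense's actual monitoring logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    name: str
    tier: int        # lower tier = preferred member of the gateway group
    public_ip: str   # address currently held by that WAN (constructed values)

def active_gateway(group, status):
    """Return the lowest-tier member reported up, or None if every WAN is down."""
    up = [g for g in group if status.get(g.name, False)]
    return min(up, key=lambda g: g.tier) if up else None

def plan_dns_updates(group, samples, hostname, down_after=3):
    """Walk probe samples and return the (sample_index, hostname, ip) updates to send.

    Assumption: a member counts as down only after `down_after` consecutive
    failed probes, so one lost probe does not repoint the record; recovery
    is immediate. With every WAN down, the record is left untouched.
    """
    fails = {g.name: 0 for g in group}
    published = None
    updates = []
    for i, sample in enumerate(samples):
        for g in group:
            fails[g.name] = 0 if sample[g.name] else fails[g.name] + 1
        status = {g.name: fails[g.name] < down_after for g in group}
        gw = active_gateway(group, status)
        if gw is not None and gw.public_ip != published:
            published = gw.public_ip
            updates.append((i, hostname, published))
    return updates

# Constructed sample data: documentation-range addresses, one probe result per row.
GROUP = [Gateway("FIBER", 1, "203.0.113.10"), Gateway("CABLE", 2, "198.51.100.20")]
SAMPLES = (
    [{"FIBER": True, "CABLE": True}]           # 0: both up
    + [{"FIBER": False, "CABLE": True}]        # 1: single lost probe, ignored
    + [{"FIBER": True, "CABLE": True}]         # 2: counter resets
    + [{"FIBER": False, "CABLE": True}] * 4    # 3-6: real outage, declared at 5
    + [{"FIBER": True, "CABLE": True}]         # 7: fiber returns, fail back
)

if __name__ == "__main__":
    for idx, name, ip in plan_dns_updates(GROUP, SAMPLES, "photos.example.com"):
        print(f"sample {idx}: set {name} -> {ip}")
```

Clients keep resolving the old address until the record's TTL expires, so the TTL bounds how quickly inbound traffic follows a failover.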