Advice on dual isp, getting dns to work


L3 Networker

Hello all,

I currently have a PA-440 and two ISPs, AT&T and Comcast, which will be our backup, and it's my first time setting this up. We are a small business of about 80 users. I already followed how to configure dual ISP redundancy on the links provided here, but I can't seem to get the right direction on how to get DNS to work once the failover happens. Currently for AT&T we have a /27 network and have our DNS and email using public IPs NAT'd through the PA-440; on another interface is our backup internet, Comcast, which sold me 1 static IP. I tested it last week and it seems like DNS stops responding on my DCs, which are the DNS servers. So the question is, do I need to buy more static IPs from Comcast? I've also read where you can advertise your public IP to the 2nd ISP for it to work, and also read about SD-WAN, which can be used (we have the license). Is that something I can utilize using 2 ISPs?

Thanks in advance for any tips and pointers.


Community Team Member

Hi @cdcirexx,

How many services do you currently publish to the internet? Is it just email and DNS, or are there plans to host additional services or applications in the future? Is that /27 

Would you be open to a Managed DNS solution? This way, during a failover event, the service automatically detects that your primary AT&T link is down and instantly updates your public DNS, including your MX record for email and any other records, to point to Comcast.

In this scenario, depending on future growth, your single IP would work and you would just have 2 separate DNAT policies on your 440 (with respective security policies). One points to the DC and the other to your mail server.

As far as advertising your own block to Comcast, this would be more expensive and might not make sense given the current size. But it could be an option in the future depending on what growth is estimated to be. For this scenario, you'd have to purchase provider-independent IPs (as the /27 you were provided by AT&T is owned by AT&T) and get set up with an ASN.

LIVEcommunity team member
Stay Secure,
Jay

Jay,

Thanks for the response. We only have DNS and on-premise email, so it looks like a managed DNS solution may be what we need, and also more cost-effective than purchasing our own block and doing an ASN. We already use Cloudflare as our DNS provider, so I just need to get the service. So besides the 440 doing failover, Cloudflare also does a failover for DNS of our internet-facing devices.

Currently under virtual routing on the 440, it has a static route to the Comcast GW IP for next hop, and under NAT, I have the static IP from Comcast assigned there, and the Comcast router is in pass-through mode. So I would need to create 2 NAT policies for DNS and email that point to the single IP from Comcast. Do I need to purchase additional static IPs from Comcast to use for DNS and email?

Thanks again.

I forgot to add we also have VPN, so all together we've got 3 Exchange servers, 2 DCs, and VPN that are internet-facing on public IPs.

Cyber Elite

Hello,

Unless you employ some type of external global load balancer, changing DNS records is the best way that I have found.

Regards,

Hi Otakar,

Thanks for the response. I'm trying out the load balancer on our Cloudflare, still figuring out the settings. I'm close to getting it to fully fail over: ping works after the failover to the 2nd ISP, but it's DNS that seems to not take effect when that occurs. Is there something I can do, like a script, to manually trigger the changeover? I've read some used a ping script or an API within Cloudflare.
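A minimal version of the "ping script plus provider API" approach mentioned above, as an added example that is not from the thread or from Palo Alto or Cloudflare: it probes the service on the primary ISP, switches only after several consecutive failures (hysteresis, so one dropped probe does not flap DNS), and repoints a proxied, short-TTL A record. The IPs are constructed TEST-NET addresses, the zone/record ids and token are placeholders, and the PUT call is assumed to follow the Cloudflare v4 dns_records endpoint.

```python
import json
import socket
import urllib.request
from collections import deque
# Constructed sample values (TEST-NET addresses); replace with your own.
PRIMARY_IP = "203.0.113.10"    # service address reachable via the primary ISP
BACKUP_IP = "198.51.100.10"    # service address reachable via the backup ISP


def tcp_probe(ip, port=53, timeout=2.0):
    """Cheap health check: True if a TCP connect to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverDecider:
    """Chooses which IP to publish, with hysteresis so one lost probe does not flap DNS."""
    def __init__(self, fail_threshold=3, ok_threshold=3):
        self.active = PRIMARY_IP
        self.fail_threshold, self.ok_threshold = fail_threshold, ok_threshold
        self.history = deque(maxlen=max(fail_threshold, ok_threshold))

    def update(self, primary_healthy):
        # Record one probe result and return the IP that should be published now.
        self.history.append(primary_healthy)
        recent = list(self.history)
        if self.active == PRIMARY_IP and len(recent) >= self.fail_threshold \
                and not any(recent[-self.fail_threshold:]):
            self.active = BACKUP_IP          # primary down for N probes in a row
        elif self.active == BACKUP_IP and len(recent) >= self.ok_threshold \
                and all(recent[-self.ok_threshold:]):
            self.active = PRIMARY_IP         # primary back for N probes in a row
        return self.active


def cloudflare_set_a_record(zone_id, record_id, name, ip, token):
    """Repoint an A record via the Cloudflare v4 API (assumed PUT dns_records shape).
    Short TTL for fast failover; proxied so the real IP stays behind the orange cloud."""
    body = json.dumps({"type": "A", "name": name, "content": ip,
                       "ttl": 60, "proxied": True}).encode()
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}"
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["success"]


def check_once(decider, zone_id, record_id, name, token, probe=tcp_probe):
    """One scheduler tick: probe the primary; update DNS only when the decision changes."""
    before = decider.active
    after = decider.update(probe(PRIMARY_IP))
    if after != before:
        cloudflare_set_a_record(zone_id, record_id, name, after, token)
    return after
```

Run check_once from cron or a loop every 10-20 seconds; the effective failover time is probe interval times fail_threshold plus the record TTL, which is the same trade-off the managed DNS services make with their health monitors.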

Cyber Elite

Hello @cdcirexx,

I had a similar project in the past to make multiple VPN gateways publicly available with seamless automatic failure detection / failover. I found the simplest and most cost-effective solution leveraging Azure Traffic Manager: traffic-manager-overview. All you have to do is set up a health monitor where you configure your publicly available endpoints. You create a CNAME of your domain mapped to the Traffic Manager DNS record tied to your health monitor. If one of your endpoints is marked as unhealthy, it will be automatically taken out. The failover speed will depend on the TTL setting of the DNS record and the aggressiveness of health probing. This solution is readily available without the need for custom scripts. You can also build the same solution by using AWS's Route 53.

Kind Regards,

Pavel


Hello Pavel,

Thanks for that helpful tip. I didn't realize MS365 has that feature; we have a tenancy, so I can give it a try. Cloudflare doesn't look like it will work for me: I would have to change the DNS entry type to SRV, and doing that will remove the orange cloud where it proxies the server, which will expose the real public IP again. We've had issues with DDoS in the past, so I'll avoid that setup.

Cyber Elite

Hello @cdcirexx,

Thank you for your reply.

Only a slight correction: Traffic Manager is not part of M365, but it is part of Azure. Here is a simple explanation of how it works: How Traffic Manager Works. Your external services can be added to Traffic Manager as External Endpoints as either IPv4/IPv6 or FQDN: Traffic Manager endpoints.

Kind Regards,

Pavel
