Balance Two Externality

I am evaluating Balance Two’s for a large scale deployment. All locations require external access through the Balance Two via port addressing to specific devices. Each will have 2 ISP’s providing 5 static IP addresses. I was going to have WAN 1 set to always on and WAN2 set to Backup for Fail-over. Problem is loss of ability to remote into the PCs with loss of WAN1.
Any suggestions would be appreciated.

Would listing all the ip addresses for both WANs in the additional public IP section of the WAN configuration settings of both WAN1 and WAN2 help?

Inbound access can be configured using both WAN links. You are correct the additional public IPs need to be added in the WAN configuration settings for both WAN1 and WAN2 as well.

1 Like

How large a scale?

Continuous access or only on demand when needed?

Because remote access is IP dependent? Two approaches, there is the mypep.link DNS service which is included in the IC2 subscription. This lets you have a mydevice.mypep.link dns name that is updated with the current active WAN IPs, so when WAN1 fails over you’ll still get remote access via WAN2 using that same dns name.

Or do what I do with large scale (300+ site) partner CCTV deployments where the customer needs access to remote NVRs when an incident has occurred to download footage and setup a private hosted central Fusionhub server and build out PepVPN (which is multi-wan aware) so you can address the internal LAN IP rather than worry about the WAN IPs. This approach is much more secure of course also as you won’t have open ports on the internet.

Not if I understand your requirement. Instead you would set WAN1 and WAN2 in Priority 1, then setup an outbound policy so that only WAN1 is used by LAN side devices for internet access until it fails and which point access fails over to WAN2. Inbound connectivity via the public IPs on WAN1 and WAN2 would be available all the time so long as the links themselves are healthy. When WAN1 fails, instead of using its WAN1 IP for remote access, you would use the WAN2 IP.

But PepVPN is generally a better, safer approach.

1 Like

Thank You Mr. Case and Mr. Langmaid for the help.
I have two questions:
Mr. Case, I am using the scenario where WAN1 is always on and WAN2 is backup, If I were to use DDNS can I have the one DDNS name linked to both ISP provided IP addresses, in being that only one WAN is active at time?

In your last statement Mr. Langmaid.
“Not if I understand your requirement. Instead you would set WAN1 and WAN2 in Priority 1, then setup an outbound policy so that only WAN1 is used by LAN side devices for internet access until it fails and which point access fails over to WAN2. Inbound connectivity via the public IPs on WAN1 and WAN2 would be available all the time so long as the links themselves are healthy. When WAN1 fails, instead of using its WAN1 IP for remote access, you would use the WAN2 IP.”

In the case that you describe above, If both addresses are set to priority one and the remote access is set to the WAN1 parameters, if there is a fail over the out bound traffic will work normaly however the Inbound traffic whould have to be reset to the WAN2 parameters. Correct?

Thanks Again

Yes, using mypep.link through InControl2 you can set a unique dns name. eg martins-lab.mypep.link

If you do a DNS lookup against that DNS name incontrol2 will return the WAN IPs of WAN1 and WAN2 (and WAN3 and WAN4 etc). So if you ping martins-lab.mypep.link you will be pinging WAN1 so long as its healthy. If WAN1 fails, then InControl2 updates the DNS entries and a ping to martins-lab.mypep.link will resolve to the IP address of WAN2 instead.

Whats also nice about mypep.link is that you also get DNS entries per WAN port so:
wan1.martins-lab.mypep.link
&
wan2.martins-lab.mypep.link would resolve to the respective IPs.

But perhaps of most use to you since you will be using failover is the InControl2 detected IP address (the one that is actively being used right now for traffic) and this becomes
ic2-detected.martins-lab.mypep.link

Yes exactly right - that’s the limitation of using IP addresses for remote access - they are typically tied to a form of internet access. You get round this by either using dynamic DNS above, or you move to VPN for remote access which is more secure and generally easier as you don’t care or need to know what the external IP addressing is.

An added bonus of using either DDNS or VPN is that you can add additional connectivity into the mix, so an LTE connection for example to provide additional bandwidth and resilience.

1 Like

And, it seems that’s a severe limitation for many: IC2 is required. A method is needed to specify a hierarchy of DDNS so one is not limited to the DDNS pointing to a single WAN in a multi-WAN situation. That was the substance of the ill-received request I raised a bit more than four years ago.

Some do not what to use the public IC2 for sure - or can’t for compliance purposes, but they can still use a privately hosted version or use 3rd party DNS services if they want.

Not sure I follow isn’t there already a hierarchy?
top level - resolve a single DNS entry to all public IPs (eg martins-lab.mypep.link)
→ Next level individual WANs eg:
----> wan1.martins-lab.mypep.link
----> wan2.martins-lab.mypep.link
----> wan(n).martins-lab.mypep.link
→ IC2 Detected: ic2-detected.martins-lab.mypep.link

What else did you need Rick?

So, you are saying IC2 is not required to use sequential DDNS (in a non-speedfusion environment)?

All we want (from my 2016 message …):

(One DDNS for both WAN - #12 by Rick-DC)

TK: Actually, our experience with DDNS is excellent. Our DDNS provider has been extremely reliable. All we need to do is have the Balance router send an update the DDNS when the favored/priority/best WAN changes. The DDNS would not point to a lower capacity/high latency WAN until the “main” one fails .

Ah, no I’m not. IC2 is needed because 3rd party DDNS services don’t really get the idea of multi-WAN. If they did, you could get them to aggregate the WAN IPS under a single DNS name and prioritize them and the DNS service provider level.

This works with IC2 if you order your WANs with WAN1 as ‘best’. I see how and why you’d like the peplink to send and update to a 3rd party DNS services though.

1 Like

Bingo. :nerd_face: