WAN Failover Plan Using Static NAT

This is a potential failover solution that allows for relatively easy WAN failover using manual switching (upon WAN1 failure, the entire network must be connected to the WAN2 router), with the potential for automatic failover using round-robin DNS or a cron job that edits the DNS entries. It requires:


  • Two disparate public IP blocks for the host you plan to provide failover to
  • Two disparate WAN connections each with one of the aforementioned IP blocks
  • Private Internal Addressing Schema for Static NAT assignment i.e. network
  • Two firewall routers mapping public IP addresses to internal IP


Example using iptables

In this example we have a /24 public subnet on the primary WAN connection (WAN1, i.e. 216.xxx.xxx.0/24), where iptables forwards all packets from each external IP to its internal IP, and a /26 block on the secondary WAN connection (WAN2, i.e. 206.xxx.xxx.192/26) for failover.

# WAN1 .1 -> LAN .1 (internal host 10.0.0.1, following the 10.0.0.x schema used in the loop below)
iptables -t nat -I PREROUTING -d 216.xxx.xxx.1 -j DNAT --to-destination 10.0.0.1
iptables -t nat -I POSTROUTING -s 10.0.0.1 -j SNAT --to-source 216.xxx.xxx.1
# This FORWARD rule accepts every port to the host; restrict it with -p/--dport where a full 1:1 exposure is not wanted
iptables -I FORWARD -d 10.0.0.1 -j ACCEPT

For ease of management, a variable can be incremented in a for loop within a script to create 1-to-1 rules across the entire subnet range, such that:

# map 216.xxx.xxx.1-254 to 10.0.0.1-254, 1-to-1
for i in $(seq 1 254); do
    iptables -t nat -I PREROUTING -d 216.xxx.xxx.$i -j DNAT --to-destination 10.0.0.$i
    iptables -t nat -I POSTROUTING -s 10.0.0.$i -j SNAT --to-source 216.xxx.xxx.$i
    iptables -I FORWARD -d 10.0.0.$i -j ACCEPT
done


With the /26 subnet we are limited to 62 usable IP addresses, so the loop cannot simply be repeated across the whole range. One approach is for the internal addressing schema to place the most important hosts in the range that both loops cover, so that each script iterates over its respective IP range. This of course only provides failover for the 62 most critical IP assignments, which should be taken into account when designing and implementing the addressing schemas.

Since WAN2 uses network 206.xxx.xxx.192/26, the critical IP range on every subnet should use the following ranges:

WAN1: 216.xxx.xxx.193 to 216.xxx.xxx.254
WAN2: 206.xxx.xxx.193 to 206.xxx.xxx.254


Here is a sample set of iptables rules for WAN2:

# WAN2 .193 -> LAN .193 (internal host 10.0.0.193, in the critical range)
iptables -t nat -I PREROUTING -d 206.xxx.xxx.193 -j DNAT --to-destination 10.0.0.193
iptables -t nat -I POSTROUTING -s 10.0.0.193 -j SNAT --to-source 206.xxx.xxx.193
iptables -I FORWARD -d 10.0.0.193 -j ACCEPT


For WAN2, modify the for loop to run from i=193 to 254 (the critical IP failover range) using the 206.xxx.xxx prefix.


DNS requirements

Once the failover plan's internal addressing schema is in place, DNS should be updated to reflect all entries. Knowing our failover range makes writing a script with regular expressions much easier. We should create two scripts, one for switching from WAN1 to WAN2 and one for going back to WAN1. Each script needs to parse every zone file where failover is required, match the critical IP range, and translate the WAN1 range to the WAN2 range or vice versa, such that:

WAN1 to WAN2: s/216\.xxx\.xxx\.(19[3-9]|2[0-4][0-9]|25[0-4])/206.xxx.xxx.\1/

WAN2 to WAN1: s/206\.xxx\.xxx\.(19[3-9]|2[0-4][0-9]|25[0-4])/216.xxx.xxx.\1/

Note that a bracket expression such as [193-254] matches a single character, not the numbers 193 to 254, and tr translates characters rather than strings, so the range is written as the alternation above (extended regular expressions, e.g. sed -E or Perl). Depending on the scripting language used, it may instead be simpler to iterate over 193-254.



Failover Process

To activate failover, we can run the DNS-editing scripts manually, or use a cron job that checks whether the link is up (e.g. by pinging the default gateways every five minutes) and runs the corresponding script depending on which gateway responds. Thus, if WAN1 is active, run the WAN2-to-WAN1 script to ensure all DNS entries point to WAN1; if WAN2 is active, run the WAN1-to-WAN2 script to verify that DNS is pointing to the WAN2 addresses.
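The zone rewrite and the cron-driven link check above, as an added example that is not part of the original post. It assumes RFC 5737 test prefixes (192.0.2 and 198.51.100) and gateway addresses as constructed stand-ins for the page's 216.xxx.xxx and 206.xxx.xxx, one A record per line, and the iputils ping found on Linux.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the critical A-record
# range of a zone file between WAN1 and WAN2 and choose the direction from
# whichever gateway answers, as the cron check above describes. Prefixes and
# gateways are constructed placeholders (RFC 5737) for 216.xxx.xxx/206.xxx.xxx.
WAN1_NET="192.0.2";    WAN1_GW="192.0.2.1"
WAN2_NET="198.51.100"; WAN2_GW="198.51.100.193"

# Hosts 193-254 as a POSIX ERE: a bracket expression like [193-254] matches a
# single character, so the range is spelled out as alternatives.
CRITICAL_RE='(19[3-9]|2[0-4][0-9]|25[0-4])'

# rewrite_zone FROM_NET TO_NET: zone text on stdin, rewritten zone on stdout.
# Only hosts in the critical range change; the non-digit guards keep .19 or
# .1930 from being taken for a critical host (assumes one address per line).
rewrite_zone() {
  from_esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  to="$2"
  sed -E "s/(^|[^0-9])${from_esc}\.${CRITICAL_RE}([^0-9]|\$)/\1${to}.\2\3/g"
}

# gateway_up IP: 1 if one ping is answered within 2 s, else 0 (iputils -W).
gateway_up() { ping -c 1 -W 2 "$1" >/dev/null 2>&1 && echo 1 || echo 0; }

# failover_direction WAN1_UP WAN2_UP: WAN1 answering always wins, so DNS is
# pulled back as soon as it recovers; if neither answers, leave the zone alone.
failover_direction() {
  if [ "$1" -eq 1 ]; then echo wan2_to_wan1
  elif [ "$2" -eq 1 ]; then echo wan1_to_wan2
  else echo none; fi
}

# Cron entry (assumed path): */5 * * * * /usr/local/sbin/wan-failover.sh ZONE
# Bumping the SOA serial and reloading the name server is left to the operator.
main() {
  zone="$1"
  case "$(failover_direction "$(gateway_up "$WAN1_GW")" "$(gateway_up "$WAN2_GW")")" in
    wan2_to_wan1) from="$WAN2_NET"; to="$WAN1_NET" ;;
    wan1_to_wan2) from="$WAN1_NET"; to="$WAN2_NET" ;;
    *) return 0 ;;
  esac
  rewrite_zone "$from" "$to" <"$zone" >"$zone.tmp" && mv "$zone.tmp" "$zone"
}

# Constructed zone fragment for a dry run; .10 is outside the range and stays.
SAMPLE_ZONE='www  IN A 192.0.2.193
mail IN A 192.0.2.254
dev  IN A 192.0.2.10'
demo() { printf '%s\n' "$SAMPLE_ZONE" | rewrite_zone "$WAN1_NET" "$WAN2_NET"; }
if [ "$#" -gt 0 ]; then main "$@"; else demo; fi
```

Run with no arguments it prints the rewritten sample zone; with a zone file path it performs the gateway check and rewrites that file in place.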
