

Best Practices for Setting up VPN Router with respect to Cellular Backup and DNS

Posted on 2015-01-13
Medium Priority
Last Modified: 2016-10-14

We're introducing a new location for our retail organization in the near future. We try to use basic infrastructure at our retail location with a goal towards providing point-of-sale availability as a priority. Most non-essential administrative and corporate infrastructure is shared to the retail location via site-to-site vpn connections.

Our basic communication setup is local carrier internet providers with static IPs assigned, VPN Routers (now with 4G fail-over through Verizon), then switching out to the rest of the infrastructure. The VPN Routers assign DHCP and we use off-site DNS servers that are available over the site-to-site tunnel. Not the best solution, but we try to minimize the server infrastructure as much as possible at the retail locations (open to other options).

My primary concern for this question has to do with preserving DNS functionality when the Cellular back-up takes over on our TZ-215W Sonicwall devices. I'm not sure of the best process regarding fail-over internet connections, or what is standard practice for these low-infrastructure remote environments. Do we have any options for detecting when the VPN Tunnel is down (currently we allow split tunneling) and assigning alternative DNS for new DHCP leases? And the same when the 4G fail-over is detected, with respect to DNS?

I know that if we lose the site-to-site, domain functionality will be taken off-line for domain client logins, authentications and items like RADIUS etc., but I'd still like the clients that are functional to be able to route to the available fail-over internet connection and access the internet. In the past we've used some NETGEAR devices that were somehow aware of failed DNS lookups and could forward those look-ups when the standard requests failed, but I'm not sure if that meant that the gateway was assigned a position in the DNS assigned via DHCP to local clients.

It's a bit messy, but it's what we have right now and it allows us to maintain some control via domain administration. Any information you can provide would be helpful, and if the information is skewed towards best practices I would not be offended. There are a lot of moving parts in the above scenario that depend on each other, so they may all be related.

Thank you!
Question by: RatherBeinTahoe

Assisted Solution

gheist earned 1000 total points
ID: 40548459
If it is public DNS you have no chance to provision it over GSM.
Usually domain name registries offer a simple interface to keep a couple of DNS records.
Another option, if you need VPN dial-in, is dynamic DNS providers like where you can update the VPN gateway IP when the connection fails over.

Accepted Solution

Aaron Tomosky earned 1000 total points
ID: 40549454
You should be able to do this with NAT rules.

Make a NAT rule for DNS queries to your internal DNS server:
any, original, dnsserver, original, dns, original, any, x1

That should do nothing. The reason for it is that the next rule we make needs to have a lower (higher number) priority, so it only takes effect if x1 goes down:
any, original, dnsserver, googledns (or whatever you want your backup dns to be), dns, original, any, 4g modem

What that will do is send DNS queries that were going to your internal DNS server to a different DNS server if the x1 interface is down. You may need to tweak this since it's over a VPN, but this is the high-level view of what I believe is a clean solution, as the clients are none the wiser.
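The ordering argument in this answer, as an added example that is not part of the original thread: a simplified model of first-match NAT policy evaluation showing why the "do nothing" rule must sit above the redirect rule. The addresses, policy names and the assumption that a policy is skipped while its outbound interface is down are constructed for illustration, not SonicWall's actual implementation.

```python
# Added example (not from the thread): simplified first-match NAT policy model.
# Assumption: a policy is only eligible while its outbound interface is up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NatPolicy:
    name: str
    orig_dst: str    # destination the client addressed the query to
    trans_dst: str   # "original" leaves the destination unchanged
    service: str
    out_iface: str   # policy is only eligible while this interface is up


INTERNAL_DNS = "10.0.0.10"   # constructed: the domain DNS reached via the tunnel
BACKUP_DNS = "8.8.8.8"       # constructed: the public fallback ("googledns")

# List order is priority: the first eligible match wins, later ones never run.
POLICIES = [
    NatPolicy("keep-internal", INTERNAL_DNS, "original", "dns", "X1"),
    NatPolicy("redirect-to-backup", INTERNAL_DNS, BACKUP_DNS, "dns", "4G"),
]


def evaluate(policies: List[NatPolicy], dst: str, service: str,
             iface_up: Dict[str, bool]) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (matched policy name, translated destination, egress interface)."""
    for p in policies:
        if p.service != service or p.orig_dst != dst:
            continue
        if not iface_up.get(p.out_iface, False):
            continue  # interface down: skip this policy and fall through
        new_dst = dst if p.trans_dst == "original" else p.trans_dst
        return p.name, new_dst, p.out_iface
    return None, dst, None  # nothing matched: no NAT applied


def route_dns_query(x1_up: bool, lte_up: bool, policies=POLICIES):
    """Where a client's query to INTERNAL_DNS ends up for a given link state."""
    return evaluate(policies, INTERNAL_DNS, "dns", {"X1": x1_up, "4G": lte_up})


if __name__ == "__main__":
    print(route_dns_query(True, True))    # normal: stays on internal DNS via X1
    print(route_dns_query(False, True))   # X1 down: rewritten to backup via 4G
    # Without the guard rule the redirect fires even while X1 is healthy:
    print(route_dns_query(True, True, policies=POLICIES[1:]))
```

Note that this model keys only on interface state: if X1 stays up but the site-to-site tunnel drops, the first rule still matches and queries keep going to an unreachable internal DNS server, which is the "tweak this since it's over a VPN" caveat Aaron mentions.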

Author Comment

ID: 40551802
Thanks gheist, I wasn't clear about internal DNS vs public DNS as being a priority - and in this case - the MSFT domain environment being the priority until it's no longer available. Thanks for your help.

Aaron Tomosky I think that will work! I'll give it a go in my testing and report back if I have any follow-ups.
