Solved

Best Practices for Setting up VPN Router with respect to Cellular Backup and DNS

Posted on 2015-01-13
4
41 Views
Last Modified: 2016-10-14
Team,

We're introducing a new location for our retail organization in the near future. We try to use basic infrastructure at our retail location with a goal towards providing point-of-sale availability as a priority. Most non-essential administrative and corporate infrastructure is shared to the retail location via site-to-site vpn connections.

Our basic communication setup is local carrier internet providers with static IPs assigned, VPN Routers (now with 4G fail-over through Verizon), then switching out to the rest of the infrastructure. The VPN Routers assign DHCP and we use off-site DNS servers that are available over the site-to-site tunnel. Not the best solution, but we try to minimize the server infrastructure as much as possible at the retail locations (open to other options).

My primary concern for this question has to do with preserving DNS functionality when the Cellular back-up takes over on our TZ-215W Sonicwall devices. I'm not sure of the best process regarding fail-over internet connections or what is standard practice for these low-infrastructure remote environments. Do we have any options for detecting when the VPN Tunnel is down (currently we allow split tunneling) and, for new DHCP leases, assigning alternative DNS? The same, then, when the 4G fail-over is detected with respect to DNS?

I know that if we lose the site-to-site, domain functionality will be taken off-line for domain client logins, authentications and items like RADIUS etc., but I'd still like the clients that are functional to be able to route to the available fail-over internet connection and access the internet. In the past we've used some NETGEAR devices that were somehow aware of failed DNS lookups and could forward those look-ups when the standard requests failed, but I'm not sure if that meant that the gateway was assigned a position in the DNS assigned via DHCP to local clients.

It's a bit messy, but it's what we have right now and it allows us to maintain some control via domain administration. Any information you can provide would be helpful, and if the information is skewed towards best practices I would not be offended. There are a lot of moving parts in the above scenario that depend on each other, so they may all be related.

Thank you!
0
Question by:RatherBeinTahoe
4 Comments
 
LVL 61

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40548459
If it is public DNS you have no chance to provision it over GSM.
Usually domain name registries offer a simple interface to keep a couple of DNS records.
Another option, if you need VPN dial-in, is dynamic DNS providers like no-ip.com, where you can update the VPN gateway IP when the connection fails over.
0
 
LVL 38

Accepted Solution

by:Aaron Tomosky
Aaron Tomosky earned 250 total points
ID: 40549454
You should be able to do this with NAT rules.

Make a NAT rule for DNS queries to your internal DNS server:
any, original, dnsserver, original, dns, original, any, x1

That should do nothing. The reason for it is that the next rule we make needs to have a lower (higher number) priority, so it only takes effect if x1 goes down:
any, original, dnsserver, googledns (or whatever you want your backup dns to be), dns, original, any, 4g modem

What that will do is send DNS queries that were going to your internal DNS server to a different DNS server if the x1 interface is down. You may need to tweak this since it's over a VPN, but this is the high-level view of what I believe is a clean solution, as the clients are none the wiser.
0
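The two-rule approach in the accepted answer depends on NAT policy ordering: the no-op rule bound to x1 must sit above the rewrite rule bound to the 4G interface, so the rewrite only wins once x1 is gone. The following is an added example (not SonicWall code and not from the original thread) that models that evaluation order in a small Python simulator. It assumes, as a simplification, that policies are evaluated top-down with first match winning, and that a policy whose outbound interface is down cannot be selected; the interface names, the internal DNS address 10.0.0.53 and the backup resolver 8.8.8.8 are constructed placeholders. Running it shows the failure mode the answer guards against: drop the first rule and DNS is diverted to the backup resolver even while the primary WAN is healthy.

```python
from dataclasses import dataclass

# Constructed example addresses (assumptions for this model, not from the thread).
INTERNAL_DNS = "10.0.0.53"   # internal DNS server reached over the site-to-site tunnel
BACKUP_DNS = "8.8.8.8"       # the "googledns" placeholder from the accepted answer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class NatPolicy:
    """One row of the NAT table: original destination, translated destination,
    service port and the outbound interface the policy is bound to."""
    name: str
    orig_dst: str      # "any" or a specific address
    trans_dst: str     # "original" (no rewrite) or the address to substitute
    service_port: int  # 53 for DNS
    out_iface: str     # "X1" (primary WAN) or "4G" (cellular backup)


def policy_applies(policy: NatPolicy, pkt: Packet, ifaces: dict) -> bool:
    """Modelling assumption: a policy bound to a down interface is skipped."""
    if not ifaces.get(policy.out_iface, False):
        return False
    if policy.orig_dst != "any" and policy.orig_dst != pkt.dst:
        return False
    return pkt.dport == policy.service_port


def apply_nat(pkt: Packet, policies: list, ifaces: dict):
    """Evaluate policies top-down; the first match wins.
    Returns (possibly rewritten packet, outbound interface, matched policy name)."""
    for policy in policies:
        if policy_applies(policy, pkt, ifaces):
            new_dst = pkt.dst if policy.trans_dst == "original" else policy.trans_dst
            return Packet(pkt.src, new_dst, pkt.dport, pkt.proto), policy.out_iface, policy.name
    return pkt, None, None


# The two rules from the accepted answer, in priority order.
POLICIES = [
    # "any, original, dnsserver, original, dns, original, any, x1": a deliberate no-op
    NatPolicy("dns-primary-noop", INTERNAL_DNS, "original", 53, "X1"),
    # "any, original, dnsserver, googledns, dns, original, any, 4g modem": the rewrite
    NatPolicy("dns-failover", INTERNAL_DNS, BACKUP_DNS, 53, "4G"),
]


def resolve_path(dns_pkt: Packet, x1_up: bool, policies: list = POLICIES):
    """Run a client's DNS packet through the table with the primary WAN up or down.
    The cellular interface is modelled as always available (a warm standby)."""
    ifaces = {"X1": x1_up, "4G": True}
    return apply_nat(dns_pkt, policies, ifaces)


if __name__ == "__main__":
    query = Packet("192.168.1.20", INTERNAL_DNS, 53)  # constructed client query
    for state in (True, False):
        pkt, iface, rule = resolve_path(query, x1_up=state)
        print(f"X1 up={state}: dst={pkt.dst} via {iface} (rule {rule})")
    # Without the no-op rule the backup resolver wins even while X1 is healthy.
    pkt, iface, rule = resolve_path(query, x1_up=True, policies=[POLICIES[1]])
    print(f"no-op rule removed, X1 up: dst={pkt.dst} via {iface} (rule {rule})")
```

The model deliberately keeps the interfaces as a plain up/down map so the ordering effect is visible on its own; on the real appliance the same outcome hinges on where the policy lands relative to any auto-created entries, which is the "tweak" the answer mentions.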
 

Author Comment

by:RatherBeinTahoe
ID: 40551802
Thanks gheist, I wasn't clear about internal DNS vs. public DNS as being a priority, and in this case the MSFT domain environment is the priority until it's no longer available. Thanks for your help.

Aaron Tomosky I think that will work! I'll give it a go in my testing and report back if I have any follow-ups.
0
