Best Practices for Setting up VPN Router with respect to Cellular Backup and DNS
Posted on 2015-01-13
We're introducing a new location for our retail organization in the near future. We try to use basic infrastructure at our retail locations, with the goal of providing point-of-sale availability as a priority. Most non-essential administrative and corporate infrastructure is shared with the retail location via site-to-site VPN connections.
Our basic communication setup is local carrier internet providers with static IPs assigned, VPN routers (now with 4G fail-over through Verizon), then switching out to the rest of the infrastructure. The VPN routers assign DHCP, and we use off-site DNS servers that are available over the site-to-site tunnel. Not the best solution, but we try to minimize the server infrastructure as much as possible at the retail locations (open to other options).
My primary concern for this question has to do with preserving DNS functionality when the cellular back-up takes over on our TZ-215W SonicWall devices. I'm not sure of the best process regarding fail-over internet connections, or what standard practice is for these low-infrastructure remote environments. Do we have any options for detecting when the VPN tunnel is down (currently we allow split tunneling) and, for new DHCP leases, assigning alternative DNS? And the same, with respect to DNS, when the 4G fail-over is detected?
I know that if we lose the site-to-site, domain functionality will be taken off-line for domain client logins, authentication and items like RADIUS, etc., but I'd still like the clients that are functional to be able to route to the available fail-over internet connection and access the internet. In the past we've used some NETGEAR devices that were somehow aware of failed DNS lookups and could forward those look-ups when the standard requests failed, but I'm not sure if that meant that the gateway was assigned a position in the DNS assigned via DHCP to local clients.
It's a bit messy, but it's what we have right now and it allows us to maintain some control via domain administration. Any information you can provide would be helpful, and if the information is skewed towards best practices, I would not be offended. There are a lot of moving parts in the above scenario that depend on each other, so they may all be related.
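The tunnel-down detection the post asks about, as an added example that is not part of the original post or any vendor's code: a raw UDP DNS health probe against the corporate resolvers reached over the site-to-site tunnel, and a decision function that returns which DNS servers DHCP should hand out. The resolver addresses, the internal probe name and the public fallback resolvers are constructed assumptions; pushing the chosen list into the router's DHCP scope is left to whatever management interface the device offers.

```python
import random
import socket
import struct

# Constructed sample configuration (assumptions, not values from the post).
TUNNEL_DNS = ["10.0.0.10", "10.0.0.11"]   # corporate DNS, only reachable over the VPN tunnel
FALLBACK_DNS = ["9.9.9.9", "1.1.1.1"]     # public resolvers reachable directly via WAN or 4G
PROBE_NAME = "dc01.corp.example."         # internal name only the corporate DNS can answer


def build_query(name, qid):
    """Build a minimal DNS A query for `name` (recursion desired, one question)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def parse_rcode(resp, qid):
    """Return the RCODE of a response matching `qid`, or None if it is not a valid reply."""
    if len(resp) < 12:
        return None
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid or not flags & 0x8000:   # wrong transaction id or QR bit not set
        return None
    return flags & 0x000F


def probe_dns(server, name=PROBE_NAME, timeout=1.0):
    """True if `server` answers `name` with NOERROR within `timeout` seconds."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            resp, _ = s.recvfrom(512)
        except OSError:                    # timeout, unreachable network, ICMP error
            return False
    return parse_rcode(resp, qid) == 0


def choose_dns(tunnel=TUNNEL_DNS, fallback=FALLBACK_DNS, probe=probe_dns):
    """Return (state, dns_list): corporate DNS while any tunnel resolver answers, else public DNS."""
    if any(probe(server) for server in tunnel):
        return "tunnel_up", list(tunnel)
    return "tunnel_down", list(fallback)


if __name__ == "__main__":
    state, servers = choose_dns()
    print(f"{state}: advertise DNS {servers} in new DHCP leases")
```

Run it from cron on a host behind the router; a change in the returned state is the event to log and act on, and while in `tunnel_down` clients still resolve external names but lose domain logins, as the post expects.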