Best Practices for Setting up VPN Router with respect to Cellular Backup and DNS

Posted on 2015-01-13
Medium Priority
Last Modified: 2016-10-14

We're introducing a new location for our retail organization in the near future. We try to use basic infrastructure at our retail location with a goal towards providing point-of-sale availability as a priority. Most non-essential administrative and corporate infrastructure is shared to the retail location via site-to-site vpn connections.

Our basic communication setup is local carrier internet providers with static IPs assigned, VPN Routers (now with 4G fail-over through Verizon), then switching out to the rest of the infrastructure. The VPN Routers assign DHCP and we use off-site DNS servers that are available over the site-to-site tunnel. Not the best solution, but we try to minimize the server infrastructure as much as possible at the retail locations (open to other options).

My primary concern for this question has to do with preserving DNS functionality when the Cellular back-up takes over on our TZ-215W Sonicwall devices. I'm not sure of the best process regarding fail-over internet connections or what standard practice is for these low-infrastructure remote environments. Do we have any options for detecting when the VPN Tunnel is down (currently we allow split tunneling) and assigning alternative DNS for new DHCP leases? The same, then, when the 4G fail-over is detected, with respect to DNS?

I know that if we lose the site-to-site, domain functionality will be taken off-line for domain client logins, authentications and items like RADIUS, etc., but I'd still like the clients that are functional to be able to route to the available fail-over internet connection and access the internet. In the past we've used some NETGEAR devices that were somehow aware of failed DNS lookups and could forward those look-ups when the standard requests failed, but I'm not sure if that meant that the gateway was assigned a position in the DNS assigned via DHCP to local clients.

It's a bit messy, but it's what we have right now and it allows us to maintain some control via domain administration. Any information you can provide would be helpful, and if the information is skewed towards best practices I would not be offended. There are a lot of moving parts in the above scenario that depend on each other, so they may all be related.

Thank you!
Question by:RatherBeinTahoe

Assisted Solution

gheist earned 1000 total points
ID: 40548459
If it is public DNS, you have no chance to provision it over GSM.
Usually domain name registries offer a simple interface to keep a couple of DNS records.
Another option, if you need VPN dial-in, is dynamic DNS providers like no-ip.com, where you can update the VPN gateway IP when the connection fails over.

Accepted Solution

Aaron Tomosky earned 1000 total points
ID: 40549454
You should be able to do this with NAT rules.

Make a NAT rule for DNS queries to your internal DNS server:
any, original, dnsserver, original, dns, original, any, x1

That should do nothing. The reason for it is that the next rule we make needs to have a lower (higher-numbered) priority so it only takes effect if X1 goes down:
any, original, dnsserver, googledns (or whatever you want your backup dns to be), dns, original, any, 4g modem

What that will do is send DNS queries that were going to your internal DNS server to a different DNS server if the X1 interface is down. You may need to tweak this since it's over a VPN, but this is the high-level view of what I believe is a clean solution, as the clients are none the wiser.

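The two ordered NAT policies in the answer above, as an added example that is not part of the original answer or of SonicWall's own software: a small Python model of first-match policy evaluation, assuming placeholder addresses (10.0.0.53 for the internal DNS server, 8.8.8.8 for the backup resolver) and assuming, as the answer does, that a policy bound to a down outbound interface is skipped so the next policy is reached.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses; substitute your own.
INTERNAL_DNS = "10.0.0.53"   # DNS server reached over the site-to-site VPN via X1
BACKUP_DNS = "8.8.8.8"       # public resolver used only while X1 is down


@dataclass
class NatPolicy:
    """One NAT policy in the answer's column order (source columns omitted)."""
    original_dst: str
    translated_dst: str   # "original" keeps the destination unchanged
    service: str
    outbound_if: str


# List order is priority order: the first matching, usable policy wins.
POLICIES = [
    # Rule 1: a no-op that sits above the fallback while X1 is up.
    NatPolicy(INTERNAL_DNS, "original", "dns", "X1"),
    # Rule 2: only reached when rule 1 is skipped because X1 is down.
    NatPolicy(INTERNAL_DNS, BACKUP_DNS, "dns", "4G"),
]


def evaluate(dst: str, service: str, iface_up: dict) -> tuple[str, Optional[str]]:
    """Return (translated destination, outbound interface) for one client packet.

    iface_up maps interface name -> bool. Assumption (modelled from the answer):
    a policy whose outbound interface is down does not match, so evaluation
    falls through to the next policy in priority order.
    """
    for policy in POLICIES:
        if policy.original_dst != dst or policy.service != service:
            continue
        if not iface_up.get(policy.outbound_if, False):
            continue  # interface down: skip this policy, try the next one
        new_dst = dst if policy.translated_dst == "original" else policy.translated_dst
        return new_dst, policy.outbound_if
    return dst, None  # no policy applies: destination left untouched


if __name__ == "__main__":
    for state in ({"X1": True, "4G": True}, {"X1": False, "4G": True}):
        print(state, "->", evaluate(INTERNAL_DNS, "dns", state))
```

Clients keep pointing at 10.0.0.53 the whole time; only the firewall's translation changes, which is what makes them "none the wiser".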
Author Comment

ID: 40551802
Thanks, gheist. I wasn't clear about internal DNS vs. public DNS as being a priority - and in this case - the MSFT domain environment being the priority until it's no longer available. Thanks for your help.

Aaron Tomosky, I think that will work! I'll give it a go in my testing and report back if I have any follow-ups.
