

Best Practices for Setting up VPN Router with respect to Cellular Backup and DNS

Posted on 2015-01-13
Medium Priority
Last Modified: 2016-10-14

We're introducing a new location for our retail organization in the near future. We try to use basic infrastructure at our retail location with a goal towards providing point-of-sale availability as a priority. Most non-essential administrative and corporate infrastructure is shared to the retail location via site-to-site vpn connections.

Our basic communication setup is local carrier internet providers with static IPs assigned, VPN routers (now with 4G fail-over through Verizon), then switching out to the rest of the infrastructure. The VPN routers assign DHCP and we use off-site DNS servers that are available over the site-to-site tunnel. Not the best solution, but we try to minimize the server infrastructure as much as possible at the retail locations (open to other options).

My primary concern for this question has to do with preserving DNS functionality when the cellular back-up takes over on our TZ-215W SonicWall devices. I'm not sure of the best process regarding fail-over internet connections, or what is standard practice for these low-infrastructure remote environments. Do we have any options for detecting when the VPN tunnel is down (currently we allow split tunneling) and assigning alternative DNS for new DHCP leases? The same, then, when the 4G fail-over is detected, with respect to DNS?

I know that if we lose the site-to-site, domain functionality will be taken off-line for domain client logins, authentications and items like RADIUS etc., but I'd still like the clients that are functional to be able to route to the available fail-over internet connection and access the internet. In the past we've used some NETGEAR devices that were somehow aware of failed DNS lookups and could forward those lookups when the standard requests failed, but I'm not sure if that meant that the gateway was assigned a position in the DNS assigned via DHCP to local clients.

It's a bit messy, but it's what we have right now and it allows us to maintain some control via domain administration. Any information you can provide would be helpful, and if the information is skewed towards best practices I would not be offended. There are a lot of moving parts in the above scenario that depend on each other, so they may all be related.

Thank you!
Question by:RatherBeinTahoe
LVL 62

Assisted Solution

gheist earned 1000 total points
ID: 40548459
If it is public DNS, you have no chance to provision it over GSM.
Usually domain name registries offer a simple interface to keep a couple of DNS records.
Another option, if you need VPN dial-in, is dynamic DNS providers like no-ip.com, where you can update the VPN gateway IP when the connection fails over.
LVL 39

Accepted Solution

Aaron Tomosky earned 1000 total points
ID: 40549454
You should be able to do this with NAT rules.

Make a NAT rule for DNS queries to your internal DNS server:
any, original, dnsserver, original, dns, original, any, x1

That should do nothing. The reason for it is that the next rule we make needs to have a lower (higher-number) priority, so it only takes effect if X1 goes down:
any, original, dnsserver, googledns (or whatever you want your backup dns to be), dns, original, any, 4g modem

What that will do is send DNS queries that were going to your internal DNS server to a different DNS server if the X1 interface is down. You may need to tweak this since it's over a VPN, but this is the high-level view of what I believe is a clean solution, as the clients are none the wiser.

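The following is an added illustration of the two-rule NAT approach described in the accepted answer; it is a constructed model written for this page, not code from the answer's author or from SonicWall. It assumes NAT policies are evaluated top-down with first match winning, that the firewall's routing picks X1 while it is up and the 4G modem otherwise, and it uses made-up addresses (`10.10.0.53` for the tunnel-side DNS server, `192.168.50.0/24` for the store LAN) and the interface names from the answer.

```python
"""Model of the answer's DNS-failover NAT table (constructed example, not SonicWall code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example; substitute the real ones.
INTERNAL_DNS = "10.10.0.53"   # DNS server reached over the site-to-site tunnel
BACKUP_DNS = "8.8.8.8"        # the public resolver the answer calls "googledns"
DNS_PORT = 53


@dataclass(frozen=True)
class NatRule:
    """One NAT policy row, in the column order used in the answer."""
    orig_src: str
    trans_src: str
    orig_dst: str
    trans_dst: str
    orig_svc: str
    trans_svc: str
    in_iface: str
    out_iface: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str


# The two rows from the answer, highest priority first.
RULES: List[NatRule] = [
    NatRule("any", "original", INTERNAL_DNS, "original", "dns", "original", "any", "x1"),
    NatRule("any", "original", INTERNAL_DNS, BACKUP_DNS, "dns", "original", "any", "4g"),
]


def _svc_matches(svc: str, dport: int) -> bool:
    return svc == "any" or (svc == "dns" and dport == DNS_PORT)


def _field_matches(rule_value: str, actual: str) -> bool:
    return rule_value == "any" or rule_value == actual


def egress_interface(wan_up: Dict[str, bool]) -> str:
    """Routing decision modelled as plain failover: X1 while it is up, else the 4G modem."""
    return "x1" if wan_up.get("x1", False) else "4g"


def apply_nat(pkt: Packet, rules: List[NatRule],
              wan_up: Dict[str, bool]) -> Tuple[str, str, Optional[int]]:
    """Return (translated destination, egress interface, index of the matching rule or None).

    Rules are evaluated top-down and the first complete match wins, so the row bound
    to X1 shadows the failover row until X1 is no longer the egress interface.
    """
    out = egress_interface(wan_up)
    for i, r in enumerate(rules):
        if (_field_matches(r.orig_src, pkt.src)
                and _field_matches(r.orig_dst, pkt.dst)
                and _svc_matches(r.orig_svc, pkt.dport)
                and _field_matches(r.in_iface, pkt.in_iface)
                and _field_matches(r.out_iface, out)):
            new_dst = pkt.dst if r.trans_dst == "original" else r.trans_dst
            return new_dst, out, i
    return pkt.dst, out, None


def resolver_for_client(wan_up: Dict[str, bool]) -> str:
    """Where a store client's DHCP-assigned DNS traffic actually lands for a given WAN state."""
    pkt = Packet(src="192.168.50.20", dst=INTERNAL_DNS, dport=DNS_PORT, in_iface="x0")
    return apply_nat(pkt, RULES, wan_up)[0]


if __name__ == "__main__":
    for state in ({"x1": True, "4g": True}, {"x1": False, "4g": True}):
        print(state, "->", resolver_for_client(state))
```

With X1 up, the first row matches and leaves the destination untouched; once the egress becomes the modem, only the second row matches and the query is rewritten to the public resolver, which is exactly the behaviour the answer describes. Two practical checks follow from the model: non-DNS traffic is never touched by either row, and the rewrite only helps public name resolution, so domain-dependent services (logins, RADIUS) still go dark when the tunnel is gone, as the question already anticipates.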
Author Comment

ID: 40551802
Thanks, gheist. I wasn't clear about internal DNS vs. public DNS as being a priority; in this case, the MSFT domain environment is the priority until it's no longer available. Thanks for your help.

Aaron Tomosky, I think that will work! I'll give it a go in my testing and report back if I have any follow-ups.
