Several Questions on How BOVPN Works

Hello!

I'm a little new at some of this, so please bear with me. We have a client who is moving from one location to two new locations, and has resources they need shared between systems at both of the locations. I think BOVPN can help with this, but I'm trying to wrap my head around some of it.

So, we have two WG Fireboxes ready to use for this, and we'll have static IP addresses available at both new office locations. Both new offices should be fairly small, expecting around 7 computers at the branch site, maybe 12 at the main office when you add in servers. I'm planning to follow the instructions below to configure a BOVPN between them:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_quick_start_c.html

I have some questions about how things should be set up after the move, though.

Currently, we have a Domain Controller server on the network that also handles DHCP. Is that still a good idea? Should I have the Fireboxes handle DHCP instead? If I have the Domain Controller at the main office doing DHCP, will the devices at the branch office be able to get an IP address from that server?

If it's indeed better to have the Fireboxes handle DHCP, I have a couple other questions. I noticed that when setting up the BOVPN, you can set up dissimilar local IP addresses at the different sites. If a system at the branch office needed resources from the main office, how does that resolve when the IP addresses are dissimilar? Can systems recognize each others names across the tunnel? Or can they browse to the IP addresses on the other side of the tunnel?

Also, do domain functions work across the tunnel? Will the systems at the branch be able to sign in to the same domain as at the main office?

Thanks so much for any help and for understanding. A lot of this is new to me, so I figured I should just ask someone for help!

Comments

  • To pass traffic across a BOVPN, it is best that the subnets at each end are different.

    On the remote firewall, set up DHCP, and then IF you want to have the DC provide the DHCP IP addrs, set up DHCP Relay

    Configure DHCP Relay
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dhcp_relay_c.html

    This way, even if the BOVPN is down, devices at the remote site will still get DHCP info, and will be able to access the Internet, and when the BOVPN is up the main DHCP server can provide the IP addrs.

    Q. how does that resolve when the IP addresses are dissimilar?
    A. this is called routing, which the firewall and ISP devices do: getting traffic to non-local IP addrs.

    Q. Will the systems at the branch be able to sign in to the same domain as at the main office?
    A. yes, as long as the BOVPN is up, and the remote PCs are part of the domain

    Q. Can systems recognize each others names across the tunnel?
    A. there are 2 main Windows name resolution functions - WINS, and DNS.

    Microsoft TCP/IP Host Name Resolution Order
    https://support.microsoft.com/en-us/topic/microsoft-tcp-ip-host-name-resolution-order-dae00cc9-7e9c-c0cc-8360-477b99cb978a

    In a local setup with all devices on the same subnet, usually the Windows devices are using NetBIOS (WINS) to allow short name resolution.
    NetBIOS is broadcast based and does not work across a BOVPN.
    To have name resolution work across a BOVPN, you need to have a DNS server with the appropriate DNS entries for the names to be resolved into IP addrs, and you need to use FQDNs, or provide the appropriate Domain Name suffix in the DHCP settings.

  • Thank you Bruce, this is incredibly helpful. I'll ask more questions if I have them as the project moves forward!

  • Another quick question, relating to this:

    "Q. Can systems recognize each others names across the tunnel?
    A. there are 2 main Windows name resolution functions - WINS, and DNS.

    Microsoft TCP/IP Host Name Resolution Order
    https://support.microsoft.com/en-us/topic/microsoft-tcp-ip-host-name-resolution-order-dae00cc9-7e9c-c0cc-8360-477b99cb978a

    In a local setup with all devices on the same subnet, usually the Windows devices are using NetBIOS (WINS) to allow short name resolution.
    NetBIOS is broadcast based and does not work across a BOVPN.
    To have name resolution work across a BOVPN, you need to have a DNS server with the appropriate DNS entries for the names to be resolved into IP addrs, and you need to use FQDNs, or provide the appropriate Domain Name suffix in the DHCP settings."

    So I looked further into the environment to check on this a bit. Currently, the Domain Controller is also running DNS Server. And currently, users can browse to resources on other servers using the server's name. For example, currently a user can access resources on a server called "Denver" by browsing to \\Denver\ or by using the IP address.

    So assuming this is running through DNS Server, will that still be doable through the tunnel? Or is there some sort of relay type thing that I'd need to configure for that?

    Thanks again for any help!

  • Denver is most likely being resolved by devices local to it using NetBIOS.

    The remote PCs don't get NetBIOS broadcasts from the main site, so they would not know what "Denver" means.
    Assuming that denver.yourdomain.local or similar is registered in your DNS server, then remote users could access "denver" if they have a DNS suffix in their TCP info of "yourdomain.local".
    And if you have a WINS server set up, then the remote PCs should be able to resolve "denver" using the WINS server.

    Welcome to Microsoft networking ...
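The two answers above (DHCP relay from the branch Firebox to the DC, and name resolution of "denver" by DNS suffix rather than NetBIOS) come together in the following PowerShell, added here as an example and not taken from the thread or from WatchGuard's documentation. Everything in it is assumed: the subnets 10.10.0.0/24 (main) and 10.20.0.0/24 (branch), the DC/DNS/DHCP server at 10.10.0.5, the Fireboxes at 10.10.0.1 and 10.20.0.1, the AD zone yourdomain.local and the server name denver are placeholders to be replaced with the real values. The Firebox side (DHCP Relay pointing at 10.10.0.5, the BOVPN tunnel routes) is done in the Firebox UI per the linked pages; note that a Firebox interface runs either its own DHCP server or DHCP Relay, not both, so with relay chosen the branch PCs get new leases only while the tunnel is up.

```powershell
# Added example, not from the original thread. Assumed addressing:
#   main office LAN  10.10.0.0/24, DC/DNS/DHCP at 10.10.0.5, Firebox at 10.10.0.1
#   branch LAN       10.20.0.0/24, branch Firebox at 10.20.0.1 (DHCP Relay -> 10.10.0.5)
#   AD DNS zone      yourdomain.local, file server "denver"
# All names and addresses are placeholders; substitute the real ones.

# --- On the domain controller (DHCP + DNS server), run as a DHCP administrator ---

# 1. A second scope for the branch subnet. The DC selects this scope for requests
#    the branch Firebox relays, because the relay fills in its own 10.20.0.1
#    address as the relay agent (giaddr), which falls in 10.20.0.0/24.
Add-DhcpServerv4Scope -Name "Branch office" `
    -StartRange 10.20.0.100 -EndRange 10.20.0.200 `
    -SubnetMask 255.255.255.0 -State Active

# 2. Scope options for the branch: default gateway is the branch Firebox, the DNS
#    server is the DC across the tunnel, and option 15 (DnsDomain) supplies the
#    suffix so a lookup of "denver" is tried as denver.yourdomain.local.
#    NetBIOS broadcasts stop at the tunnel, so DNS is the only path that works.
Set-DhcpServerv4OptionValue -ScopeId 10.20.0.0 `
    -Router 10.20.0.1 -DnsServer 10.10.0.5 -DnsDomain "yourdomain.local"

# 3. Confirm the zone actually holds an A record for the file server.
Get-DnsServerResourceRecord -ZoneName "yourdomain.local" -Name "denver" -RRType A

# --- On a branch PC after it has leased an address ---

# Lease should come from 10.20.0.0/24 with gateway 10.20.0.1 and DNS 10.10.0.5.
Get-NetIPConfiguration |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# The DHCP-supplied suffix should appear here; without it, "denver" fails while
# the FQDN still resolves.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList
Resolve-DnsName -Name "denver"
Resolve-DnsName -Name "denver.yourdomain.local" -Type A

# File sharing over the tunnel is SMB on TCP 445, so check that before trying \\denver\.
Test-NetConnection -ComputerName "denver.yourdomain.local" -Port 445

# Domain logon across the tunnel needs a reachable DC: verify the DC locator
# finds it and that this machine's secure channel to the domain is intact.
nltest /dsgetdc:yourdomain.local
Test-ComputerSecureChannel -Verbose
```

Check the branch PC steps both with the tunnel up and with it deliberately down: with DHCP Relay on the branch Firebox, the second run shows where branch-side access to the main office, DNS and domain logon all depend on the BOVPN, which is what the answers above describe.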
