Branch Office VPN - DNS best practices?

Main office - T50 / 12.5.2
Office A - T35 / 12.5.2
Office B - T35 / 12.5.2
...
Office E - T35 / 12.5.2

All offices are connected to every other office through tunnels

My main office has 3 DNS servers: 200.6, 200.12, 200.14
Each branch office is configured on the WINS/DNS tab with only the ISP DNS servers. Under DHCP on the WatchGuard of each branch office I have configured one DNS server from the main office (200.6), and the other two are the external DNS servers.

My thought was that if the internet ever goes out at the branch offices, they only lose the ability to reach the main office and can still use the internet locally, as their insurance software is web-based.

For some reason, as of late all my branch offices are experiencing lag with almost all internet functions: Outlook, the insurance software, browsing shares over the VPN, etc.

What is best practice in this scenario? Is there a more efficient way I could set this up or should I be using DNS forwarding or some other function that I may not understand?

Thanks!

Comments

  • "My thought was that if the internet ever goes out at the branch offices they only lose the ability to reach main office and can still use the internet locally as their insurance software is web based." ????
    Don't the branch offices need the Internet to access those web servers?

    Look at the utilization of the main office ISP link - up & down. If this gets too busy, then this will impact the response times to the branch offices.
    And if this is happening, there is the possibility to use traffic management to prioritize desired traffic including traffic to/from the branch offices.

  • I worded that wrong. I meant if the main office internet goes down the branch offices can still use their local internet. They just can't reach domain resources.

    So with how I have it set up, internet traffic shouldn't go through the VPN, right? Only stuff that points to an IP that is at the home office? My worry is that all traffic is somehow being routed back to the main office with my configuration.

  • I'm almost positive this is not happening, as I see the traffic at the branch offices using the proxies. I am just doubting myself because I am having a hard time figuring out the problem.

  • DNS requests do go through the VPN tunnels from the branch offices to the main office DNS server. Look to see if they are being delayed.

    Normal Internet traffic from the branches won't go via the BOVPNs unless you have a zero/default route set up for the BOVPNs
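The comment above suggests checking whether DNS queries sent over the tunnel are being delayed, and the original question asks whether handing branch clients the main-office server first and the ISP servers second is a sensible setup. The script below is an added example, not code from the original post or from WatchGuard. Using only the Python standard library, it builds a raw DNS A query, sends it to each resolver in the order the DHCP scope lists them, and reports the round-trip time or timeout per server. The resolver addresses are placeholders (an assumption): substitute the main-office server reached over the BOVPN and the branch's ISP servers.

```python
"""Time DNS lookups against each resolver a branch client would use.

Added example, not from the original post. Builds a minimal DNS A query,
sends it over UDP to each server in DHCP order, and reports the round-trip
time or a timeout. The addresses in RESOLVERS are placeholders (assumption):
192.0.2.6 stands in for the main-office server "200.6" behind the BOVPN.
"""
import random
import socket
import struct
import time

# Placeholder resolver list in the order the DHCP scope hands them out (assumption).
RESOLVERS = ["192.0.2.6", "8.8.8.8", "1.1.1.1"]


def build_query(name: str, txid: int) -> bytes:
    """Return a wire-format DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, txid: int) -> dict:
    """Parse the header and any A-record answers out of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200),
            "addresses": addrs}


def probe(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one query to `server`; return RTT in ms, or ok=False on timeout/error."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"server": server, "ok": False, "rtt_ms": timeout * 1000.0}
        except OSError as exc:
            return {"server": server, "ok": False, "error": str(exc)}
    rtt_ms = (time.perf_counter() - start) * 1000.0
    result = parse_response(data, txid)
    result.update(server=server, ok=True, rtt_ms=round(rtt_ms, 1))
    return result


def probe_all(servers, name: str) -> list:
    """Probe every resolver in the given order, as a stub resolver would try them."""
    return [probe(s, name) for s in servers]


if __name__ == "__main__":
    for r in probe_all(RESOLVERS, "www.example.com"):
        print(r)
```

Run it from a branch workstation. If the main-office server answers in hundreds of milliseconds or times out while the ISP servers answer in tens of milliseconds, the tunnel path is where the time goes. Because a client works through its resolver list in order and waits out each timeout, a slow first resolver adds that delay to every lookup it cannot answer promptly, which matches the symptom of everything feeling slow rather than any one application.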

  • In the Web UI -> System Status -> VPN Statistics, you can see a graph of what traffic is going over VPNs, and relate that to what is going out external.
    That should help you identify that all traffic is not going over the VPN from the branch offices.
