VPN Bridge vs DHCP and DNS



  • I am currently planning the split of our company network from one to two locations.

    First of all, we are a very small company (5 people), so we are very limited on budget.

    The plan for the future is to have two remote workers in Spain accessing our only server in Germany, two who will access the server from our main location in Germany, and one mobile user.
    Unfortunately we have one server-based piece of software where it is impossible to install the client if the client is not in the same subnet as the server.  >:( I would like to throw a 19" switch at the programmer's head.
    As sending the computer over to Germany and back again to reinstall a piece of software is not a good option, I would like to set up an OpenVPN between Germany and Spain in bridged mode, so that I have the same subnet. I know that the VPN tunnel then transports a lot of broadcast / unicast traffic, but as we have a very limited number of clients, I don't expect too much traffic here.

    The mobile user will connect with a VPN client to the location in Germany, and there it is not a problem to bring in the computer to install this crappy software.

    I will use two ALIX.2D13 with pfsense pre-installed.

    I am thinking about how to handle the DHCP and DNS traffic. As I currently have no Active Directory running, I have multiple options for running DHCP and DNS services.

    For DHCP, my question is: if I use two different ranges from the same subnet and let a DHCP server run on both pfSense boxes, could I just block DHCP packets on the WAN bridge? Are there any issues to expect?
    For DNS, my question is how to handle it so that DNS queries only run over the WAN if the local subnet is queried. Is this possible at all? Basically I only need one hostname, our server. Do I have to add it to all local /etc/hosts files, or is there a more elegant solution? All other DNS traffic will go to the Internet anyway, so I could just use the DNS forwarder on both pfSense boxes, pointing at our ISPs' servers. Also, all traffic that is not for the local subnet shall go directly to the Internet without using the WAN bridge.

    What I want is a solution where both locations can work on the Internet even if the VPN tunnel is down. Spain will not be able to access the German server then, but the other stuff shouldn't be affected in this case.

    Any ideas or hints are appreciated.
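The DHCP and DNS part of this plan, as an added example that is not from the thread or from pfSense: a POSIX sh script that checks a constructed two-pool addressing plan for one /24 shared across the bridge and prints the pf rule, the DHCP options and the dnsmasq host override that implement it. The subnet, all addresses, the hostname appserver.example.invalid and the interface name ovpns1 are assumptions.

```shell
#!/bin/sh
# Added example for the plan in the post above; not code from the thread or
# from pfSense. All addresses, hostnames and interface names are assumptions
# (a constructed /24 that both sites share over the bridged tunnel).
set -e

LAN_NET=192.168.10.0/24
LAN_NET_ADDR=${LAN_NET%/*}
LAN_PREFIX=${LAN_NET#*/}
SERVER_IP=192.168.10.10             # the application server in Germany (assumed)
SERVER_FQDN=appserver.example.invalid
DE_GW=192.168.10.1                  # pfSense Germany, LAN address (assumed)
ES_GW=192.168.10.2                  # pfSense Spain, LAN address (assumed)
OVPN_IF=ovpns1                      # pfSense name of the tap interface (assumed)

# dotted quad -> integer, POSIX sh only (no bash arrays or here-strings)
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# in_subnet ADDR: succeeds when ADDR lies inside $LAN_NET
in_subnet() {
    size=$(( 1 << (32 - LAN_PREFIX) ))
    [ $(( $(ip2int "$1") / size )) -eq $(( $(ip2int "$LAN_NET_ADDR") / size )) ]
}

# pools_ok A_START A_END B_START B_END: succeeds when both DHCP pools are inside
# the shared subnet, do not overlap, and contain none of the static addresses
# (the server and the two pfSense boxes). Two DHCP servers on one broadcast
# domain are only safe under these conditions plus the DHCP filter below.
pools_ok() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    for ip in "$1" "$2" "$3" "$4"; do
        in_subnet "$ip" || { echo "outside $LAN_NET: $ip" >&2; return 1; }
    done
    if [ "$a1" -gt "$a2" ] || [ "$b1" -gt "$b2" ]; then
        echo "pool start is after pool end" >&2; return 1
    fi
    if [ "$a2" -ge "$b1" ] && [ "$b2" -ge "$a1" ]; then
        echo "pools overlap" >&2; return 1
    fi
    for ip in "$SERVER_IP" "$DE_GW" "$ES_GW"; do
        n=$(ip2int "$ip")
        if { [ "$n" -ge "$a1" ] && [ "$n" -le "$a2" ]; } ||
           { [ "$n" -ge "$b1" ] && [ "$n" -le "$b2" ]; }; then
            echo "static address inside a pool: $ip" >&2; return 1
        fi
    done
    return 0
}

# Firewall rules for the tap/OpenVPN interface on BOTH pfSense boxes, in pf
# syntax (in pfSense: Firewall > Rules on the OpenVPN interface). Only DHCP is
# dropped; every other broadcast, including the installer's server discovery,
# still crosses the bridge.
pf_rules() {
    cat <<EOF
block quick on $OVPN_IF proto udp from any port { 67, 68 } to any port { 67, 68 }
pass quick on $OVPN_IF all
EOF
}

# What each pfSense's DHCP server hands out: its own pool, itself as gateway and
# DNS. Internet traffic then leaves via the local WAN and keeps working when the
# tunnel is down; only the server in Germany becomes unreachable from Spain.
dhcp_plan() {
    site=$1; gw=$2; start=$3; end=$4
    printf '%s: range %s-%s router %s dns %s\n' "$site" "$start" "$end" "$gw" "$gw"
}

# The one name that must resolve at both sites: a DNS Forwarder host override on
# each pfSense (dnsmasq syntax), instead of editing every client's /etc/hosts.
dns_override() {
    printf 'host-record=%s,%s\n' "$SERVER_FQDN" "$SERVER_IP"
}

# constructed plan: Germany gets .100-.149, Spain gets .150-.199
pools_ok 192.168.10.100 192.168.10.149 192.168.10.150 192.168.10.199
dhcp_plan Germany "$DE_GW" 192.168.10.100 192.168.10.149
dhcp_plan Spain   "$ES_GW" 192.168.10.150 192.168.10.199
dns_override
pf_rules
```

With this layout no DNS query ever needs the tunnel: each client asks its local pfSense, which answers the server's name from the override and forwards everything else to the ISP. The DHCP block has to sit on the tap interface of both boxes (the tap member of the bridge, not the WAN), and it only stops the two legitimate servers from answering each other's clients; a rogue DHCP server on either LAN still affects its own site, and the bridge extends the whole layer-2 domain, so anything that can spoof on the Spanish LAN reaches the German server's segment.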



  • My first point here, even before the design aspect, is to highlight that depending on how your software is developed, latency might have more impact than the amount of traffic. Meaning it could be as painful for one remote user as for five.
    Second point: if you are using ADSL, keep in mind that it is asymmetric.

    This said, it would be very helpful, in order to select the right network design, to understand why having all clients on the same "LAN" is mandatory. Is it a matter of broadcast?
    I'm asking because I don't really understand how a bridged design + VPN could solve the issue (depending on what the issue is, of course).



  • I know that latency will be a problem; we will run a test first, and if there's a problem, then we will set up RDP and run the client software on the server.

    Yes, it is a broadcast issue. To install the client, the installer sends out a broadcast and gets a response from the server. Then the installer creates a configuration file pointing at the server's hostname. The installer just cancels if the server is not found.

    I am not a total newbie regarding networking; I was quite good at troubleshooting network issues in my last few jobs, but I never had to design such a configuration on my own. This is the reason why I ask here for ideas / thoughts from the community.