About 3-4 years ago I set up Draytek 2820 boxes at our 4 sites and head office and configured an IPsec Tunnel between each remote site and the Head Office. Over time there are now ten boxes dialing into the head office. Likewise the internet usage patterns continue to grow. As a result the performance keeps dropping, this is causing issues with our critical application of terminals connecting to a Unix server at HO for point of sale. Likewise this is preventing me from having confidence in rolling out IP phones. To try improve matters I added a second line to the head office and split the VPN traffic across it (with the other line asa failover option), however this has not had enough of an effect.

From my (limited) understanding I think the issue is one or a combination of the following:

1. Head office internet users sucking up too much bandwidth.

2. Potentially routing all internet traffic through head office due to the VPN.

3. Simply not enough bandwidth on the single connections to head office.

To alleviate this I wish to seperate the internet traffic from the internal traffic at all the sites. My idea on how to achieve this is:

1. Add a third line for internet only at head office. Is this as simple as telling the DHCP server on Windows Sever the new router is the default gateway?

2. Add a second line to the remote branches, connected to the Draytek and implement a port based WAN policy. I would rather do this than have a seperate line for failover reasons again.

If required or significantly beneficial I am also happy to install a better router at the head office for bonding / load balancing the two lines (or more) that are being used for the VPN.

Am I going down the right track or are there better solutions I could look at. I am happy to spend more on the solution, but the likes of leased lines are too pricey and we don't seem to be anywhere near any fibre options.

What kind of internet connection are you using? If it is ADSL then the uplink speed at the head office end will be a big drag on the speed the remote offices can achieve through the VPN. Also any instability in the connections will hurt throughput. Same at the remote end, if they are sending information to the HO server then they're uplink speed comes into play.

No, you probably don't want the remote sites running their internet connections through the VPN's - that will be using up bandwidth you want for your critical applications.

How are you load balancing the 2 connections at HO end? AFAIK a VPN will only work over one connection at a time - you can set half the remote sites to connect to each connection, which gives a rough load balance. Or you could set all the VPN's to one connection and HO internet to the other.

As far as Head office Internet use, what are your users doing? Normal web browsing would be sporadic, downloading a page and then reading it. Unless they are streaming something constantly, and unless the download bandwidth is too low to support the number of users, that shouldn't be too big an issue.


I would suggest looking at the uplink speeds before anything else, if your maxing those out that is your limiting factor.

Hi maddriver, thanks for the input.

The best connections available at each end currently are ADSL. As such that is definitely a major limiting factor. What I do know is that the actual data requirements for the Unix Point of Sale terminals is in fact tiny. It is a text only based system and ran fine on the likes of a 56K modem back in the day (and has not changed). As such it is the other uses of the connections or the current setup which is causing the real issues.

Currently I do not know whether the remote sites are running their internet through the VPN or not. How do you set up the PC's and router to ensure they don't operate like that? Currently I have the HO Router as a Dial In VPN server. The branches dial in and maintain a continuous connection and the PC's at those locations are given that router as the default gateway and DNS server via the DHCP server on the router. What I don't know is whether the router then would automatically forward the requests through the VPN.

The load balancing I am doing is just splitting the connections. I am happy to continue doing that as it allows me to setup a failover for both groups of the other line (which is with a different supplier). What I would like to do is be able to add a third internet only connection so the HO users can't touch the VPN bandwidth.

The users at head office are mainly browsing, however there are lots of large files uploaded and downloaded as attachments. We also quite regularly FTP large blocks of into to web servers. I am not worried about the internet being too slow for them, more about the knock on effect of their usage.

Within the "LAN to LAN" page of the VPN - in the setup for each tunnel, there is a tick box marked "Change default route to this VPN tunnel ( Only single WAN supports this )". AFAIK this changes the default route so that all traffic goes via the VPN rather than just traffic for the HO subnet. This would be on the remote router in your setup, and you would want it unticked so that internet traffic goes via the WAN.

The Diagnostics section of the menu has data flow monitor and traffic graph, these might help you see if you are maxing out your current connections. Also if one particular user/computer is gobbling a lot of data. Repeating this at the remote sites would show if any one site is maxing their connection.

Thanks for that. No remote VPN's have got that setting ticked so at least that is one potential issue ruled out.

I think the big trick would be to get the head office users off the line. Can I add a 2nd router to the network and just configure that as the default gateway on the DHCP server, or would that prevent users at head office accessing resources over the VPN (such as the CCTV in branches)?

You'd need to add static routes to the default gateway so it knows which router to use for specific subnets. e.g. 192.168.20.0 (everything in the 192.168.20 subnet) gateway 192.168.0.1 (or whatever)


If your accessing CCTV, that might be another bandwidth hog (streaming video) and as it's sending from the remote locations that would impact their uplink.