Site-Magic/VPN and forcing local traffic to use it

Background: we have several relatively small sites that connect back to a DC and then on to the Internet through a centralised Meraki firewall. Having recently moved from Meraki APs to UAPs, we placed a UDM Pro Max in the DC to manage them. All is working well.

We now need to upgrade a couple of the links from two of the larger sites to 1 Gb and are considering replacing the UDM Pro Max with an EFG and placing the UDM Pro Max, along with another one, in the two remote sites. The remote sites will move from an L2 to an L3 internet service. The thinking is that we then use Site Magic back to the DC and then out to the internet.

This way all clients in the remote locations are forced to use the centrally managed firewall (the EFG, rather than the current Meraki) in the DC and a single public IP. We have a few software providers that register the public IP against licenses (rather than each site having to be registered). So while each of the remote sites will have public IPs, I don’t want anything other than the tunnels using them.

A question has been raised regarding the inability in a UniFi-based solution to force clients in the remote locations to use the Site Magic tunnel. Is this really the case? I’m somewhat shocked that the clients would even know they had another option, if configured correctly. I would have thought we could configure it so that all client devices are forced to use a specific route, that being the tunnel.

I’m not the network expert (I’m sure you’ve guessed by now), but I am the one paying the bill. So, I would appreciate anyone’s insight on this matter. The in-country distributor’s response is “well, you can return them within 30 days if it doesn’t work”… that’s not what I call proactive or professional support.

As a side note, does anyone know where I can find ‘published’ Site Magic performance numbers for the different models? I’m not even sure if we need the EFG.

Thanks in advance.

I have not used Site Magic enough to know; you may want to post in the UniFi forums. Also, I would only route traffic for the app that needs it, because tunneling all traffic is not going to offer the best experience, as it will add more latency and create a reliance on the main site always being up.
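The two designs discussed in this thread (the original poster's "everything via the tunnel" and the reply's "only the app that needs it") both come down to what the remote gateway's routing table says, since clients only ever hand packets to their default gateway and never see the choice. The following is an added example written for this page, not code from the thread or from Ubiquiti, and it says nothing about what the UniFi UI does or does not expose. It models the longest-prefix-match rule every router applies, builds both tables with constructed RFC 5737/1918 addresses (assumptions, not the poster's real addresses), and includes the two checks a practitioner would want before signing off: that the tunnel endpoint itself is still reached over the site's real WAN (otherwise the tunnel cannot come up), and that the destinations that must present the DC's public IP really do egress through the tunnel.

```python
import ipaddress

# Constructed example addresses (assumptions for this illustration only).
DC_PUBLIC_IP = "203.0.113.10"        # central firewall, the Site Magic endpoint
LICENSING_NET = "198.51.100.0/24"    # vendor that registers the DC's public IP
REMOTE_LAN = "10.20.0.0/16"          # clients at one remote site
DC_LAN = "10.0.0.0/16"               # servers behind the DC firewall

TUNNEL, LOCAL_WAN, LAN = "site_magic_tunnel", "local_wan", "lan"


def build_table(routes):
    """routes: list of (prefix, next_hop). Returns parsed (network, hop) pairs."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]


def resolve(table, dst):
    """Longest-prefix match, the rule every router applies: the most specific
    matching prefix wins, so a 0.0.0.0/0 default via the tunnel is beaten by
    any narrower route, and a narrower route via the tunnel beats a local
    default. Clients never see this choice; only the gateway makes it."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in table:
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Design 1 (the original poster's intent): everything from the remote site
# goes through the tunnel. The one exception is the tunnel endpoint itself,
# which must be reached over the real WAN or the tunnel would try to carry
# its own packets and never establish.
FULL_TUNNEL = build_table([
    ("0.0.0.0/0", TUNNEL),
    (DC_PUBLIC_IP + "/32", LOCAL_WAN),
    (REMOTE_LAN, LAN),
])

# The same design with the host route forgotten: a common misconfiguration.
FULL_TUNNEL_BROKEN = build_table([
    ("0.0.0.0/0", TUNNEL),
    (REMOTE_LAN, LAN),
])

# Design 2 (the reply's suggestion): only the licensed vendor and DC-internal
# traffic use the tunnel; general Internet traffic uses the site's own link,
# which means it leaves with the site's own public IP.
SPLIT_TUNNEL = build_table([
    ("0.0.0.0/0", LOCAL_WAN),
    (LICENSING_NET, TUNNEL),
    (DC_LAN, TUNNEL),
    (REMOTE_LAN, LAN),
])


def check_design(table, must_use_tunnel):
    """Checks to run before trusting a table. Returns a list of problems;
    an empty list means the table is consistent with the stated intent."""
    problems = []
    if resolve(table, DC_PUBLIC_IP) != LOCAL_WAN:
        problems.append("tunnel endpoint %s is not routed via the local WAN "
                        "(the tunnel can never establish)" % DC_PUBLIC_IP)
    for dst in must_use_tunnel:
        hop = resolve(table, dst)
        if hop != TUNNEL:
            problems.append("%s would egress via %s, not the tunnel" % (dst, hop))
    return problems


if __name__ == "__main__":
    samples = ["8.8.8.8", "198.51.100.7", "10.0.1.20", DC_PUBLIC_IP]
    for name, table in [("full", FULL_TUNNEL),
                        ("broken", FULL_TUNNEL_BROKEN),
                        ("split", SPLIT_TUNNEL)]:
        print(name, {d: resolve(table, d) for d in samples})
        # Require that both a vendor host and a random Internet host exit via
        # the tunnel: passes for the full-tunnel table, fails for the split one.
        print("  problems:", check_design(table, ["198.51.100.7", "8.8.8.8"]))
```

Running the script shows the trade-off the reply describes: the full-tunnel table sends every Internet destination through the DC and passes the check, the broken variant is caught because the endpoint host route is missing, and the split-tunnel table only passes when the "must use tunnel" list is limited to the licensing vendor's prefix, since everything else leaves on the site's own public IP.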