Matthew Cioffi asked:
Building Sonicwall NSA 2400

Hello,

Here is the situation.

We have a Catalyst switch set up that is doing VLANs.  We have the below LANs set up.

192.168.36.0 DESKTOPS
192.168.37.0 Wireless
192.168.39.0 Phones
192.168.42.0 Video system

I need to set up this NSA2400 on this network to account for all this equipment.  Currently we are trying to replace a small Netgear ProSafe router/firewall that is doing the routing for these networks.  The ProSafe is doing the DNS and routing the traffic for the 37, 39, 42 LANs out of the building.  I need to disrupt as little as possible and make this all work.

I have Verizon FIOS for internet access and we are using a 192.168.33.0 scheme for the internet.  The WAN IP is 192.168.33.200 and the WAN gateway is 192.168.33.1.  

The Catalysts are doing DHCP as well and setting the DNS to use the 192.168.36.1 address.  This is the LAN port of the Netgear, which will also be the LAN port of the SonicWall.

What sort of routing do I need to create in the NSA to make this all work, including having the DNS requests come to the 192.168.36.1 address?

This is the first one of these I have had to do with this level of IP addressing.  Mostly they have one range.


Thanks.
Aaron Tomosky
Set up x0 for your untagged traffic, then add subinterfaces for your tagged vlans. Set up x1 for the wan. If you want firewall rules between vlans they need to be in different zones, so make those first. Make an address object for the dhcp server, enable iphelper for DNS, add the x0:v37 or whatever vlan and set it to the DNS server object.
Lots of questions, I'll try to answer them all
If you don't need firewall rules in between vlans, then leave them all in the lan zone.

To add a vlan (for example 10.1.10.x vlan10):
interfaces->add interface (I name them v10 for vlan10)
static (this is the ip of the sonicwall on this interface)
10.1.10.1 (if your cisco is already using this ip, then use .2 or something. Personally my sonicwall is the core and gets all the .1's)
mask: 255.255.255.0
gateway: 0.0.0.0
enable ping (makes it easier to test connectivity from things on this vlan). If you want things on this vlan to be able to manage the sonicwall, then check https and leave the redirect rule checked.

iphelper:
make an address object for whatever hands out dhcp (mine is a windows dc)
check enabled by dhcp
policies->add
source: x0:v10
destination: address object of your dhcp server
add one of these policies for each vlan
Matthew Cioffi (asker)
First off, thank you for your assistance.

I have a couple of follow up questions for this, my Sonicwall is a little different from what you described it seems.  If the switch is doing DHCP do I need to add that?  What about using the IP Helper for DNS?  I'm also trying to reprogram the catalyst switch to setup DHCP to use a different device for DNS, but I would like to try and get the IP Helper to work with DNS.

So if I add the interface with the settings below and give a laptop a static IP address in the 42.x range, say 192.168.42.5, and plug it into the X0 port, should I now be able to access the internet?  How can I test this to be sure it is working?  I have the current LAN set to 192.168.36.1; if I create a static address of 192.168.35.5 and try that, it works fine.  Now I need the 192.168.42.x addresses to work.  Right now that does not work at all.

What am I missing?

Network -> Interfaces click on add interface, I get the below parameters to fill in.

Before selecting LAN I have these 3 options.

ZONE: LAN
VLAN TAG: 42
PARENT INTERFACE: X0

After I selected LAN the below fields became available:

MODE / IP ASSIGNMENT: STATIC MODE
IP ADDRESS: 192.168.42.1
SUBNET MASK: 255.255.255.0
COMMENT: USED FOR 42 VLAN
MANAGEMENT: HTTPS and PING SELECTED
USER LOGIN: nothing selected.
Make sure vlan42 comes out tagged to the sonicwall x0. I believe cisco calls this a trunk port but I'm not too familiar with cisco terminology.
Plug the 42.x laptop into a switch port that is untagged vlan42 (pvid 42).

So the laptop doesn't see tags (like almost all computers), but the switch tags its packets vlan 42, and those come to the sonicwall tagged vlan42. Then the iphelper points its DHCP to wherever you select, and also puts a special flag so the dhcp server knows the subnet it came from (not the vlan tag, as that's not important). In windows dhcp server land you just add a range in that subnet and all works like magic. YMMV with cisco dhcp.

DNS doesn't need ip helper. Once the vlans are right, your .42.x can talk to anything else in the lan zone already, including a dns server wherever it may be. You can use a static dns entry, or dhcp can push the dns entry, being in a different subnet has no effect, it just works.
Ok, just so I'm clear on this, I cannot just assign a laptop to the 192.168.42.x network and go through the firewall?

Is there anyway I can test this without the actual switch?  I'm not at the location right now, I'm back in the lab trying to set this up to work the way I want it to.

The catalyst switch is assigning DHCP and for each network it would look like the below entry.

IP: 192.168.42.50
Subnet: 255.255.255.0
Default Gateway: 192.168.42.1
DHCP Server: 192.168.42.1
DNS: 192.168.42.1

I cannot mimic that by adding a static address to my laptop and trying to get out to the internet or access the firewall by the 192.168.42.1 address?
If you make the subnet on x3 or another interface, you can test with a laptop. If you make the subnet as a subinterface with a vlan, you need a switch to encapsulate the packets with the vlan tag. Some NICs can do this, usually add-on cards in servers, but it's not normal on a laptop.
Ok Thanks. I'm getting further.
One thing that I'm having a problem with is that DNS is not working for the main lan configuration on X0 if I mimic the existing DHCP settings. DNS is configured as the LAN address of the gateway.

Default gateway is 192.168.36.1. The WAN side is set to use DNS on 192.168.33.1.   This is the gateway and DNS setting on the WAN. We are going through the FiOS router for Internet access. When I test the firewall it performs DNS lookups fine, but my client cannot get out via DNS if set to 192.168.36.1 for DNS. Can I set that up via the IP helper to work for 36.1 and the other VLAN gateways?
if, on a laptop, you set dns to the sonicwall (using whichever address for that vlan), I believe it uses the dns setting of the wan on the sonicwall

I've never needed the sonicwall iphelper for dns, only dhcp and pxe
my x0 is .1.x
x0:v10 is .10.x
x0:v50 is .50.x

my machines on v50 (untagged to them but pvid 50 on the switch) get dhcp from .10.20 through iphelper. Those same machines have dns set to .10.21 (my dns server) and they work just fine without iphelper.

now that the basics are up and running, you may want to diagram out the dns/dhcp/vlan/subnets. It's getting hard for me to keep track of just with text descriptions
just checking in with you, any problems? Do you have a diagram or something I can reference with the entire layout?
Thanks for checking in. I'm not on site today. But I will let you know if I'm still having problems.

Thank you very much for the help.
Hi Aaron,

I spoke too soon.  I'm still not where I need to be.

I have included some details the site gave me, hopefully this helps a little.

Basically here is the project.
The customer has a Netgear router in place (IP - 192.168.36.1). It is a giant bottleneck and we are replacing it with an NSA 2400.  I want to drop the 2400 in place of the Netgear and have it take over.

So we have Verizon router for internet access.
DHCP is done by the Catalyst switch.
VLANS have been built by a 3rd party and I have little access to those.
DNS is done by the Netgear currently.

DHCP is setup as 192.168.37.1/24 for the 37 VLAN and likewise for the other 2 VLANS at 39 and 42.  

I have setup a Netgear switch with VLANS to try and mimic the setup but I cannot get it to work.  I'm guessing that I'm missing something, but I cannot seem to find it.    I have limited access to the Catalyst to make changes.  I was thinking I would change the DHCP to set DNS to hit the Verizon router, which seems to work if I hard code it, but I cannot seem to find the proper commands to do that.  I would prefer to set the Sonicwall to send DNS requests to the Verizon router.
MC-VLANS.jpg
The netgear can't do dns just like the sonicwall can't do dns. If you point dns to a router, it just forwards on to the dns on its wan (or it could be set up to forward somewhere else). I don't believe that the netgear nor the sonicwall actually "do" dns. In my sonicwall network->dns I have "Specify DNS Servers Manually" and my two lan dns servers. You can also choose inherit from wan if you want.

if the catalyst is doing dhcp, then just use iphelper on the sonicwall, make one dhcp forward rule for each vlan (unless one or more of the vlans is known to the catalyst then you don't need to add anything). For example, if you have a windows dhcp server with a nic (or virtual nic) on all the vlans, you don't need ip helper at all. all iphelper does is forward dhcp requests on a vlan to a host on another vlan so you don't need a bunch of virtual nics on your dhcp server. If the catalyst already knows about all the vlans, it might not need any ip helper dhcp forwards at all.

EDIT:
If your netgear router isn't currently doing any vlan traffic, you might not need to set up any of this in the sonicwall. The cisco is perfectly capable of handling everything, so you might just need to get into the netgear and set up in the sonicwall what you see there.
Hmmm, I get the DNS statement about the router, it has no root hints or DNS tables. That is fine.

Laptop static details: the below settings do not allow me to get DNS. If I set the DNS to an external setting, 8.8.8.8, or even to the WAN gateway address 192.168.33.1, then it is fine. I get DNS and everything is working for the 36.x range. But since I cannot change the catalyst DHCP settings to push that DNS value, I need to get it working with it going to 36.1 for DNS.

192.168.36.20
255.255.255.0
192.168.36.1

DNS : 192.168.36.1

I still do not have the other vlans working properly. I tried to setup a netgear switch to do vlans but I cannot seem to get that to work either. If I plug into the ports assigned to the vlan for the 37.1 network I cannot get out, if I change the static settings to look like the ones above 36.20 and the same gateway and so on it will work still plugged into the vlan ports for 37.1.  I have to admit I'm at my wits end on this. I figure I'm missing something very basic but I cannot seem to figure it out.  

I was hoping that with the more sophisticated SonicWall it would actually be much easier than this to swap out the "little" Netgear router.

The catalyst itself does DHCP, so requests for DHCP would hit that first?  Do I still need the IP helper for DHCP in that case?

Do I need to set this up in bridge mode or something different than what I have done already?  The firewall is not installed, so I can blow away the config and start over; I just want to get this working properly.

Thanks again.
DNS:
So you are currently setting 192.168.36.1 as a dns server in dhcp you can't change right?
And right now nothing has this ip, right? Or does the sonicwall have this ip as one of its interface ips? If this is the sonicwall ip, then I think it just works according to the settings in network->dns. However I'm not 100% sure, as I always have a windows dns server. You might have to do the iphelper dns and create a policy for a vlan->gateway dns address.

EDIT: The more I read, I think you do need a dns setup in ip helper. I've just never used a sonicwall without an internal dns server and not many others have either.

DHCP:
dhcp is a broadcast on a vlan that depends on the pvid of the port you plug into. So if you have a dhcp server on that vlan, it will respond. If not, the sonicwall can ip helper push that dhcp request to the correct address object.
I know this is mostly a Mac shop that is not using servers for dhcp or DNS.

Yes you are correct in that changing the dhcp settings will be difficult.

Yes in the DHCP settings DNS is set to 192.168.36.1. This is currently the small netgear router and will be the new firewall. Each VLAN has .1 as the gateway in DHCP. 37.1 and 39.1 and 42.1.

Of course part of the problem right now may be my switch is not configured properly for VLANS so my testing might be flawed.

I have tried multiple ways to get the ip helper to work for DNS on the initial LAN setup but it is not working. No matter what I put in for the destination it does not seem to work. I have created objects for public DNS, tried the gateway wan ip and so on.
so in your test setup, what interface (and if there is a vlan) is assigned 192.168.36.1? can you ping this from your laptop?
X0 is setup as 192.168.36.1. Yes if I setup the laptop as 192.168.36.20, gateway is 192.168.36.1, same for DNS. I can ping the 36.1 address but no DNS access.

Because I think I did not setup the vlans properly I can ping that while plugged into any port on the switch.
Possible good news:
https://forums.opendns.com/comments.php?DiscussionID=6448

All it took was a reboot after putting the right DNS settings in network->DNS
Ok, so far I have not hit on the proper settings.

I have tried OPENDns, Google settings and setting the DNS host to the gateway for the wan connection.

I have restarted the sonicwall and the laptop, no luck.
So I have successfully replicated your issue. In my environment with internal dns servers, I manually chose the sonicwall gateway ip as my dns server. That's a fail. Even easier is to just run nslookup (or dig if you have a mac): "nslookup google.com <sonicwall-ip>". If you don't specify an IP it uses the network setting; if you specify an IP it uses whatever server you specify, so that's obviously the easiest way to test. All I get are timeouts. I have even set up ip helper->dns and that didn't help. I really don't know what the purpose of iphelper->dns is if it's not for this.


I'm finding this interesting and since I have support contracts with sonicwall and have never used them, I opened a case directly with them. I'll let you know what I hear.
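The test Aaron describes above ("nslookup google.com <sonicwall-ip>": a pingable address that never answers on UDP/53 shows up as a timeout) can be done from a script so the outcome is classified precisely. This is an added example, not code from the thread or from SonicWall; it builds a minimal DNS query by hand, sends it to the address you give it, and reports "timeout", an error code such as REFUSED, or the A records returned. The 192.168.36.1 default and the www.google.com name are taken from the thread; the parser handles only what the probe needs (A records, basic name compression).

```python
"""Probe whether a host actually answers DNS on UDP/53 (added example, not from the thread).

Classifies the result as answered / DNS error code / timeout. A gateway that is pingable
but returns 'timeout' here is the symptom seen in the thread when clients were pointed at
the SonicWall LAN IP for DNS.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (DNS wire label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard recursive A query (RD=1): header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(data, pos):
    """Advance past a wire-format name at pos; a compression pointer (0xC0..) ends the name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_response(data, expected_txid):
    """Return {'rcode': str, 'answers': [dotted IPv4, ...]}; raise ValueError on junk."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4        # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            answers.append(socket.inet_ntoa(rdata))
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def probe(server_ip, name="www.google.com", timeout=2.0):
    """Send one query to server_ip:53 and classify the outcome (needs network access)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"status": "timeout", "answers": []}
    result = parse_response(data, txid)
    return {"status": result["rcode"], "answers": result["answers"]}


if __name__ == "__main__":
    import sys
    # Default is the SonicWall LAN IP from the thread; pass another resolver to compare.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.36.1"
    print(target, probe(target))
```

Running it once against the firewall's LAN address and once against the WAN-side resolver (192.168.33.1 in the thread) separates "the firewall does not listen on 53" from "upstream DNS is broken" in one step; the transaction-id check also discards stray replies from any other host on the segment.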
Wow, thank you for that. I really appreciate that. This is why this site is the best.

I tried a chat session but got disconnected before anyone joined.

I hope they have a viable solution for this. I also tried a static route for all DNS traffic. No luck.
Any luck?  My case was deferred and I need to call into support.
Status      Researching/Troubleshooting
still in process.  We are waiting on some information and field install will be attempted again tomorrow.
I've done some back and forth with tech support, no answer yet.
So far not so good on my side here.

I was able to reprogram the DNS setting that the catalyst is setting via DHCP.  I have one segment working correctly.  

I configured the main X0 LAN settings as follows, LAN IP 192.168.36.1,  LAN Subnet 255.255.255.0, LAN Default Gateway (WAN ADDRESS) 192.168.33.200.

I tried to setup the VLANS as follows:
VLAN 37
LAN IP: 192.168.37.1
Subnet: 255.255.255.0

Same for 39 and 42.

What I have discovered was that the port the old netgear device was plugged into is in the 36 VLAN, port 2.  According to the port list I have, port 1 is "supposed" to be a trunking port.  But I tried to swap the X0 connection to Port 1 but it still did not work.  I was unable to get internet access.  I could ping 37.1 and 39.1 and 42.1 but could not get out.

If I look at the diagram I was given, it says that the IP settings for that port should be 192.168.255.2.  I tried to change the LAN settings to 192.168.255.1 and then create a VLAN for 36.x, but that still does not work.

I noticed that the IP settings on PORT 1 in the switch are as follows:
interface GigabitEthernet0/1
 description *** To Firewall Port 0/2 ***
 switchport access vlan 255
 switchport mode access
!
interface GigabitEthernet0/2
 description ***Data Port***
 switchport access vlan 36
 switchport mode access
 mls qos trust dscp
 storm-control broadcast level 10.50
 storm-control action trap
 spanning-tree portfast
!

Do you have any idea what the heck I'm doing wrong?

I also tried to set X2 to 192.168.37.1 and plug into the switch directly from that VLAN.

Thanks again for your help.
Are the vlans subinterfaces of x0? Are they all the LAN zone?
I believe that "access vlan 36" means its untagged 36 so that would be x0
Then your vlans should be subinterfaces, with vlan tags, but sill in the LAN zone if you don't need firewall rules.
Since the other port says to firewall, that sounds like the wan.
If the sonicwall is doing the wan, then the LAN gateway should be left empty.
Yes they are sub interfaces.

I'm wondering if my mistake is further back in the setup.  Based on the setup guide, I see that this should be setup in C mode - Layer 2 Bridge Mode.  I used the wizard to configure it initially, but I'm not sure if I did that correctly.  Should I be setting up the LAN interface as Layer 2 bridged mode?

SonicWALL NSA as replacement for an existing Internet gateway appliance: A - NAT/Route Mode Gateway
SonicWALL NSA in addition to an existing gateway appliance: C - Layer 2 Bridge Mode

Is that why I'm not getting out from the other subinterfaces?

I included a rough diagram of the network if that helps.  I'm trying to dump the Netgear.
Linx-Graph.jpg.pdf
If you have a different wan and LAN subnets, you don't want bridge mode.

So the way you have it now: what works and what doesn't work?
The 36.x addresses all work. Nothing else.
Ok. So let's get 37 working.
V37 should be a subinterface on x0
V37 should be tagged on the switchport going to x0
Find a port with pvid 37 and untagged 37 on the switch
Plug a laptop into that. You should be able to ping the sonicwall (37.1?)
If that all works, then it's just firewall rules from here
I suspected rules during the last setup. I tried to add lan to wan any for the sub interface for 37.1 but it did not seem to help.
What do you suggest?  

I will be on site tonight,  to hopefully get this settled.
Anything on .37.x should have the sonicwall .37.1 as its gateway. Is .37 in the LAN zone?
Yes that was how I set it up.
Tracert google or something and see where it gird
I'm concerned that the switch is not tagging the traffic properly or that I need to be plugged into port 1 with different settings coming out of the switch or different setting in the firewall for the lan properties.
I feel like there is something in the switch that is wrong. Since port 2 is in the 36.x lan is it correct that the lan port on the firewall should be plugged into a port that is trunking the traffic and including the tag for each vlan coming out of the switch?
Yes. If port 2 is x0 then it should be pvid 36, untagged 36, and tagged all the other vlans. If you can ping 37.1 and that's the sonicwall (unplug the sonicwall and watch the pings stop), that leads me to think the switch is set up correctly.
Ok, so I have an assigned 36.180 address.  

I can tracert/ping www.google.com no problem.  I can ping 37.1 from here.

I can ping 36.1 as well.

I changed to a port on the 37.x network and got an address 37.5, now I cannot tracert www.google.com or the ip address returned when I had an address able to connect to the internet.

I can ping 37.1 (sonicwall). I unplugged the LAN connection to the SonicWall and I was still getting a ping response from 37.1.  I think there is something really odd happening.
So here is what seems to be working.

I have setup routes for 37.x 39.x and 42.x.

Source : ANY
Destination : Wireless VLAN (New address object, created as network, 192.168.37.0, 255.255.255.0)
Service : ANY
TOS/Mask : Any
Gateway : Catalyst Route (Points back to 192.168.36.2)
Interface : X0
Metric : 20

I set this up for each VLAN and removed the sub interfaces.  This is working correctly.  My guess is the switch is not configured the way SonicWall is expecting for this type of setup.
Whatever works is fine as you inherited this setup. Something this complex really should be documented better. If more than one layer3 device is routing it can be really difficult to track down.
FYI,
I got a response back from sonicwall. Apparently IP helper is just for forwarding broadcast packets which dns doesn't need anyway so I don't know why it's there.

Their solution to your original problem of not being able to use the sonicwall as a dhcp endpoint is to make a nat policy that forwards the dns requests to the right place:

We can try creating a NAT policy for diverting the DNS queries coming to sonicwall to the local DNS

Original source: Firewalled subnets
Translated source :original
Original destination: <sonicwall lan ip>
Translated destination:  <ip of real dns server>
Original Service:  DNS
Translated Service: original
Inbound Interface: any
Outbound Interface: any

I didn't try this yet, but it looks like it would work.
I've requested that this question be closed as follows:

Accepted answer: 0 points for mcioffi209's comment #a39940867

for the following reason:

Overall this was a spot on answer.  In the situation I was in, it did not solve the overall problem, but is still valid for the original question asked.

Thank you for the support.
It would be cleaner and scalable to use vlan tagging on one interface but I suppose your way works.
As some people can only see the accepted answer and assisted answers it would be helpful if you marked my helpful comments that way so someone else could follow with your solution.
Sure.  I have another question about the situation and wonder if we should just continue this to see where it goes?

The way it is working now is not ideal AT ALL.  Currently we have to reboot the SonicWall every day; if not, performance suffers.

After a reboot, going to a website is "zippy fast" to quote the customer.  Pages load in seconds or less.  After a day or so it gets slow.  By slow they are seeing sites taking 15 - 20 - 30 even 45 seconds to a minute to bring up the home page.  Speed tests show the download and upload speeds to be close to the speed they are paying for.  

We think it might be due to some sort of loop or caching, but honestly I'm not sure.  Clearing the ARP cache does not help.

So setting this up to route all traffic back to the switch port again seems to be causing issues.  I need to figure out another solution in the Sonicwall or reprogram the catalyst switch to utilize the VLANS and tagging properly.
Yeah, I'd suggest putting a question here to the Cisco guys how to setup the ports correctly so sonicwall gets tagged packets for each vlan all on the same port.
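The switch config posted earlier (Gi0/1 and Gi0/2, both `switchport mode access`) and the closing advice about getting every VLAN tagged onto one port can be checked mechanically. The script below is an added example, not from the thread, Cisco or SonicWall: it parses Catalyst interface stanzas and reports what the device on the cable actually sees, one untagged VLAN plus whichever VLANs arrive 802.1Q-tagged, then flags a port meant for the firewall uplink if it cannot deliver the layout Aaron described (pvid/untagged 36 for x0, 37/39/42 tagged for the subinterfaces). Gi0/1 and Gi0/2 are copied from the thread; Gi0/3 is a constructed stanza showing the trunk form of the same port, using standard IOS `switchport trunk` commands.

```python
"""Audit Catalyst port stanzas for a SonicWall-style tagged uplink (added example, not from the thread).

Reports per port: the single untagged VLAN an attached host sees, and the VLANs that reach it
tagged. 'switchport mode access' delivers exactly one untagged VLAN and nothing tagged, which
is why subinterfaces on x0 never saw 37/39/42 traffic in the thread.
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description *** To Firewall Port 0/2 ***
 switchport access vlan 255
 switchport mode access
!
interface GigabitEthernet0/2
 description ***Data Port***
 switchport access vlan 36
 switchport mode access
 mls qos trust dscp
 storm-control broadcast level 10.50
 storm-control action trap
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description *** constructed example: trunk carrying 36 untagged, 37/39/42 tagged ***
 switchport trunk native vlan 36
 switchport trunk allowed vlan 36,37,39,42
 switchport mode trunk
!
"""


def parse_vlan_list(text):
    """'36,37,39-42' -> {36, 37, 39, 40, 41, 42}"""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {name: settings} with IOS defaults filled in (access mode, VLAN 1, all VLANs allowed).
    Only the plain 'allowed vlan LIST' form is handled, not 'allowed vlan add/remove'."""
    ifaces = {}
    cur = None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"mode": "access", "access_vlan": 1, "native_vlan": 1,
                   "allowed_vlans": None, "description": ""}   # None = every VLAN allowed
            ifaces[line.split(None, 1)[1].strip()] = cur
        elif line.startswith("!") or not line.startswith(" "):
            cur = None                                          # end of the stanza
        elif cur is not None:
            cmd = line.strip()
            if cmd.startswith("description "):
                cur["description"] = cmd[len("description "):]
            elif cmd.startswith("switchport mode "):
                cur["mode"] = cmd.split()[-1]
            elif cmd.startswith("switchport access vlan "):
                cur["access_vlan"] = int(cmd.split()[-1])
            elif cmd.startswith("switchport trunk native vlan "):
                cur["native_vlan"] = int(cmd.split()[-1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                cur["allowed_vlans"] = parse_vlan_list(cmd.split()[-1])
    return ifaces


def port_view(iface):
    """(untagged_vlan, tagged_vlans) as seen by the device on the cable.
    tagged_vlans is None for a trunk that allows every VLAN."""
    if iface["mode"] == "trunk":
        native, allowed = iface["native_vlan"], iface["allowed_vlans"]
        return native, (None if allowed is None else allowed - {native})
    return iface["access_vlan"], set()


def check_firewall_uplink(iface, untagged_wanted, tagged_wanted):
    """Findings (empty list = OK) for the port that should feed x0 untagged and the
    x0:vNN subinterfaces tagged."""
    untagged, tagged = port_view(iface)
    findings = []
    if iface["mode"] != "trunk":
        findings.append(f"access port: only VLAN {untagged} reaches the firewall, untagged; "
                        f"tagged frames for {sorted(tagged_wanted)} will never arrive")
        return findings
    if untagged != untagged_wanted:
        findings.append(f"native VLAN is {untagged}, expected {untagged_wanted}")
    if tagged is not None and tagged_wanted - tagged:
        findings.append(f"trunk does not allow VLANs {sorted(tagged_wanted - tagged)}")
    return findings


if __name__ == "__main__":
    for name, iface in parse_interfaces(SAMPLE_CONFIG).items():
        print(name, port_view(iface), check_firewall_uplink(iface, 36, {37, 39, 42}))
```

Run against a saved `show running-config`, the check turns the "is the switch tagging?" guesswork in the thread into a yes/no per port. On older Catalyst models the trunk stanza also needs `switchport trunk encapsulation dot1q` before `switchport mode trunk`; the parser ignores that line, so it does not affect the result.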