Follow up to "SonicWall, Route certain IPs to different Interfaces"

Maximus54
So Digitap, I set up 2 routes like you told me to, but it is not working. Here is what I did:
I created a new zone called WAN2, linked an interface with the WAN2 zone and gave it a public IP address. I then created 2 different address groups, configured both as ranges of LAN IP addresses, and then configured each range of IP addresses to go out through 2 different interfaces. After I hooked everything up, everything is still going out the first default gateway. Therefore, am I missing a step? Since there is no link on WAN2, am I supposed to configure that differently? The 2 gateways have been configured on the Cisco router; the firewall is just supposed to indicate which IP addresses go out on which internet gateway.
Top Expert 2010
Commented:
Sorry for the delay.  I didn't see this as a separate question.

When you view the list of static routes, where are your new routes relative to the default 0.0.0.0 route?  Precedence plays a large part here.  If you want your custom routes to be considered first, then you'll want to put them BEFORE the default.  Also, is the gateway of one of your static routes and the default route the same?  If so, then you only need to make the one static route take precedence over the default route.

Author

Commented:
We have this discussion going on in 2 different places, so let us continue it here from now on.  The old question you asked me was:
"Did you make sure the static route you made comes BEFORE the default gateway route?  You can move them up in the list."
Well, I set up 2 static routes with each subnet going to 2 different gateways, but the fact that there is no second cable linked to the second interface makes it unlikely this configuration will work. I am thinking about defining one subnet to go out one gateway and not specifying the second one so as to force it through the default.

And for the second question where you say that I should "...make the one static route take precedence over the default route...."

The problem with this is that I only have 1 WAN link, so if I configure just one subnet to use a specific IP, don't I have to associate that with one specific interface, which will be my WAN gateway?
Top Expert 2010

Commented:
OK... I know some things have changed in the original hardware configuration.  So, let's re-establish the primary goal.  What, ultimately, do you want to do?

Author

Commented:
OK, I have a network with workstations and servers; I have one firewall and one router. I have two different internet connections (2 ISPs). Currently we have a PIX firewall that routes the servers (10.10.10.2 - 10.10.10.100) to one gateway and the workstations (10.10.10.101 - 10.10.10.254) to another gateway. Our current LAN gateway address is 10.10.10.1. The router is configured with 2 different interfaces (2 WAN gateways), but the PIX does not mention anything about the second gateway. I am in the process of switching the PIX for the SonicWall PRO 4100 and I would like to know how to route the different traffic to the different internet gateways. I hope that this is clearer now.
Top Expert 2010

Commented:
Yes...I see that you want to remove the PIX and install the 4100.  This is the part that was lost to me...for some reason.

OK, you want to add a secondary gateway and send some hosts out the primary gateway and some hosts out the secondary gateway.  First, we need to create the secondary gateway.  Here are the steps to do that.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781

Then, you need to set up a route for the hosts that will need to use the secondary gateway only.  Click Network > Routing and Add.  In the Source, choose the address objects that will use the secondary gateway.  In the Destination, choose Any.  In the Service, choose Any.  As the Gateway, choose the address object that represents your secondary gateway.  In the Interface, select the physical interface you configured as the secondary gateway.  Now, there is a check box that indicates that if the port is disconnected, then the rule is disabled.  You'll want to clear the check box if you want to test AND you don't have the secondary gateway connected yet.
(attached screenshot: greenshot-2010-07-02-11-19-42.jpg)

Author

Commented:
Everything that you mentioned I already did, except for the fact that I configured the secondary WAN as WAN2, which did not give me the rest of the configuration options, so that is great. The problem I foresee with this configuration, since I cannot test it until I notify the users that the network is going to be temporarily down, is that the secondary gateway is not going to be linked with any cable and thus will not route any traffic; isn't that correct?
Somehow on the Cisco PIX static routes are specified for 2 different gateways, but there is only one link from the PIX to the router.

Author

Commented:
Oh, actually, after further reading your comments, I did configure the secondary gateway differently: under 'Destination' I had the secondary WAN physical port listed instead of 'Any', and I again had the X2 interface configured under Gateway instead of the 'Secondary Default Gateway', so I will try this different configuration and let you know if it works this weekend. Thank you very much and have a great 4th of July.
Top Expert 2010

Commented:
If there is no link (whether you check the "disable route when the interface is disconnected" or not) traffic will not route.  Essentially, those hosts will not have Internet.

Now, when you say the PIX to the router, is the router the one provided by your ISP?  Do you physically have two ISP connections or has your ISP given you a different IP space on the Internet?
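The two behaviours the thread keeps coming back to, route precedence (a custom route listed after the default 0.0.0.0 route never gets a chance to match) and the "disable route when the interface is disconnected" check box, can be seen in a small first-match model of a SonicWall-style policy route table. This is an added illustration, not code from the original thread or from SonicWall; the address ranges mirror the ones the author gives, while the gateway addresses and the X1/X2 interface names are assumed placeholders.

```python
import ipaddress

# Constructed policy-route table modelled on the thread (not a real device
# table). Routes are matched top to bottom; the first usable match wins.
# "source" is a (first, last) range like a SonicWall Range address object,
# or "any". Gateway IPs are documentation-range placeholders.
ROUTES = [
    {"name": "servers-via-isp2", "source": ("10.10.10.2", "10.10.10.100"),
     "gateway": "203.0.113.1", "interface": "X2", "disable_when_down": True},
    {"name": "default", "source": "any",
     "gateway": "198.51.100.1", "interface": "X1", "disable_when_down": True},
]


def source_matches(route, ip):
    """True if ip falls inside the route's source address object."""
    if route["source"] == "any":
        return True
    first, last = (ipaddress.ip_address(a) for a in route["source"])
    return first <= ip <= last


def select_route(routes, src_ip, link_up):
    """Return (route name, gateway) chosen for a packet from src_ip.

    link_up maps interface name -> bool. A route whose interface has no link
    is skipped when its disable-when-disconnected box is ticked; otherwise it
    still matches and the packet is handed to a dead interface ("no link").
    """
    ip = ipaddress.ip_address(src_ip)
    for route in routes:
        if not source_matches(route, ip):
            continue
        if link_up.get(route["interface"], False):
            return route["name"], route["gateway"]
        if route["disable_when_down"]:
            continue  # disabled route: keep looking, so hosts fall to the default
        return route["name"], "no link"  # forwarded to a down interface: dropped
    return None, "unroutable"


if __name__ == "__main__":
    both_up = {"X1": True, "X2": True}
    print(select_route(ROUTES, "10.10.10.50", both_up))   # servers -> ISP2
    print(select_route(ROUTES, "10.10.10.150", both_up))  # workstations -> default
    # Custom route placed AFTER the default: every host hits the default first.
    print(select_route(list(reversed(ROUTES)), "10.10.10.50", both_up))
    # X2 not cabled yet: the disabled route falls through to the default gateway.
    print(select_route(ROUTES, "10.10.10.50", {"X1": True, "X2": False}))
```

The reversed-table case reproduces the author's symptom of everything leaving via the first default gateway, and the X2-down case shows why the box matters when the second cable is not connected yet.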

Author

Commented:
No, we have 2 ISP connections, one with Verizon and another one with another company; they each have different IP addresses. The router belongs to us and we can configure it as we want. We have the 2 interfaces on the router configured to each go with the different ISP gateway addresses.
What's boggling me is that the PIX does not have any configuration entry for the second interface; it is as if it routes all traffic from the .2 through .100 IP addresses to use one interface and the others to find whatever other interface they find. Strange.
Top Expert 2010

Commented:
What router do you have between the PIX and the ISPs?  Is it load balancing?  Why do you have it?  Why don't you connect the SonicWall directly to the ISPs' routers?
Top Expert 2010

Commented:
Does the PIX identify the ISP's gateway or does it specify something else?  If you have a router between the ISPs and the PIX, then there'd be another IP network between the PIX and your router.  Otherwise, your router would need to be in bridge mode or something similar, allowing the traffic through without NAT'ing, etc.

Author

Commented:
I hope you had a great 4th; sorry to get back to this late. The only router that sits between the ISP line and our PIX is our own Cisco 2600 router. From the router come 2 lines, one to the first ISP and the other to the other one. But from the PIX only one comes out, and that is connected to the router. The clients currently use one gateway and the servers the other, and I am not sure how the Cisco PIX does it without 2 gateway interfaces.
Top Expert 2010

Commented:
I'm sure there are two gateways on the 2600 and the PIX sends to the single gateway that IS the 2600.  The 2600 then sorts it out.  In any event, it sounds as if you can replace BOTH the 2600 AND the PIX with your SonicWall.  Configure the standard WAN interface for ISP1 and then configure a secondary gateway for ISP2.  Then, let your SonicWall perform ALL the routing.

Unless the 2600 has a T-1 WIC and MUST be there, this might make the simplest solution.  However, IF you do need the 2600, then simply replace the PIX and configure the WAN interface of the SonicWall with the SAME settings as the PIX.  I'm sure the 2600 is routing the traffic accordingly, which would mean you'd need to modify the routes on the 2600 if you wanted to route your hosts per your original question.
Top Expert 2010

Commented:
Also, I did have a great 4th!  Hope yours went well too!!

Author

Commented:
Yes, the router does have two gateways and does have each interface configured with the different ISP WAN IP addresses, and it does have a DSU/CSU card that is used to connect to one ISP, so I can't take it out completely.
The PIX does have a configuration entry indicating which IP addresses are allowed to go through the first interface (SERVERS) but says nothing about the rest of the IP addresses and makes no mention of the second ISP gateway address. When I replaced the PIX with the SonicWall, traffic was only flowing through one gateway. I won't be able to test it for a couple of days, unfortunately, so I will let you know the next time I do so. Thanks.

Top Expert 2010

Commented:
That's very strange.  The 2600 must have a route configured on it too.  It's the only plausible answer.  I know Cisco appliances are magical, but this is getting ridiculous.

I suppose the 2600 doesn't have to route for both.  If one of the ISPs doesn't utilize particular hardware within the 2600, you could move it to the sonicwall.  This would solve your problem.

Author

Commented:
Yes, one of the ISP connections does not use a T1 CSU/DSU card. I did not know that I can just link my SonicWall interface directly into the ISP link without a router; if I can do that, then that might just be the solution. I will try that tomorrow. Thanks.
Top Expert 2010

Commented:
Yup, it sure can!