Solved

Sonicwall to Sonicpoints thru Netgear GS724tv3 switches.

Posted on 2010-08-18
Last Modified: 2012-10-10
Hi all,

I need to find a solution - I have two NetGear GS724tv3 switches that are not trunked together,
just a single CAT5 connects them.  Our internet connection is just a Sonicwall PRO 4060, which
is connected to the server room switch.  We'd like to install two Sonicpoint WAPs to an open
interface on the Sonicwall, and have internet for our admin people and guests without their
traffic seeing our internal LAN, except for the employees - they would VPN in like they were
connecting for home/outside location.

Can this be done?  I know Sonicwall says yes, but cannot explain how to do so clearly on their
PRO 4060.  I think I got 90% there, as I can see the one Sonicpoint when directly connecting it to
the port on the Sonicwall - but it does not give an IP out so unless so far.  What is missing?

And the second part is - how do I configure the VLAN on the NetGear, and get that second switch
to make a port part of this VLAN on switch1?
0
Question by:Woggy64
51 Comments
 
LVL 33

Expert Comment

by:digitap
I've done this multiple times.  It can get confusing as you must create sonicpoint virtual profiles in order to have two SSIDs (admin and guest).  Additionally, you must create a VLAN for each.  I can help you with this.  What have you configured thus far on the sonicwall?  Here is an article that I use regularly when setting up multiple virtual profiles.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5798

Which sonicpoints do you have?  The new ones do NOT come with a power supply so you must use a PoE switch or purchase a PoE injector.  If you have an injector, it might be easier to get an inexpensive switch to connect the sonicpoints to the WLAN interface on the sonicwall.  If you do not, then you'll need to carve out a couple of ports that support the two VLANs (guest and admin) that you'll create on the sonicwall.  The key to the VLANs on the switch is to remove those ports from the default VLAN and tag them as members of both VLANs that you create on the switch.  When you get that far, I can help you set those up.
0
 

Author Comment

by:Woggy64
I've only configured the X5 interface on the 4060 for wireless and named the SSID and assigned it an IP address.   Which I know much more is needed to be done to get it going.

But my concern is the second Sonicpoint (they are the new ones - SonicpointNs with the power injector) - can this be off a different Netgear switch in another part of the building?   Our concern is getting this second location in the same VLAN with the NetGear switch in the server room.

0
 

Author Comment

by:Woggy64
And thanks for the link.  I'm going to follow it thru and respond.   It looks like what I need (and now I wonder why Sonicwall support could not have just sent me this).  Thanks!
0
 
LVL 33

Expert Comment

by:digitap
The link is top secret, so please share it with your friends!!

Do all your switches terminate in the same location?  You mentioned an uplink between your two switches.  Are the two switches not in the same area of the building?

If not, then what I think you'll need to do is make the uplink an untagged member of the sonicwall VLANs.  This way, they'll pass the traffic, but not let it mingle with the default VLAN traffic which is your LAN traffic.  We may just need to read through the netgear manual re: the VLAN stuff.
0
 

Author Comment

by:Woggy64
That's it - the second switch (and Sonicpoint) will be in the middle of the plant, and that's the one question I had - whether that switch could pass traffic to the VLAN to the Sonicwall/Sonicpoint setup on the switch in the server room.    And this is the only switch in this location, so its first duty is the equipment in those offices, but needed to see if a single port on that switch would be able to be part of the VLAN on the first switch, leaving the other ports on our regular LAN.
0
 
LVL 33

Expert Comment

by:digitap
In general, if a port is a tagged member of a VLAN, it will see that traffic.  If it's an untagged member of a VLAN, it'll just pass that traffic.  Check out page 74 of the manual to see how to configure a VLAN, membership and tagging for a port or multiple ports.  The VLAN section is on page 74 of the PDF.  I'm heading to lunch, but quickly looked at the manual and it's implementing a standard VLAN and not some crazy variation of it.

ftp://downloads.netgear.com/files/GS716Tv2_GS724Tv3_usermanual.pdf
0
 

Author Comment

by:Woggy64
Thanks - I haven't ventured that far out yet to the NetGear section.  I'm following the Sonic Wall info and believe I followed it point by point.   But while I'm now able to connect to the SonicpointN with my notebook and get an IP from it, I don't get anywhere, like internet access.   About to try local LAN resource to see if I get them (servers, printer, etc.).

I figured I'd setup the Sonicpoint separately, check their performance, then add the NetGear VLANs and move the Sonicpoint out to their location after that.
0
 
LVL 33

Expert Comment

by:digitap
make sure you get the firewall access rules setup properly...i can't remember if that's part of the instructions.  also, check the dns settings of the wlan dhcp scope and make sure the wireless host is getting a good dns server.
0
 

Author Comment

by:Woggy64
Not part of the instructions, but doing a search for the instructions now.   I gather this needs the outside DNS?  Not our internal DNS & WINS servers?
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
you'll want to use the internal dns for the admin vlan and a public dns for the guest vlan...something like 4.2.2.2 is what i use often.
0
 

Author Closing Comment

by:Woggy64
Perfect, exactly the information I needed to complete this - up and running now.
0
 
LVL 33

Expert Comment

by:digitap
Great!  If you have questions about the VLAN stuff, just post back to this question.  Thanks for the points!
0
 

Author Comment

by:Woggy64
Ok, all weekend I tried to do the VLANs on the Netgear, but no dice.   If I plug the SonicpointN's directly into the X5 interface, they work.
0
 
LVL 33

Expert Comment

by:digitap
OK...initially, you'll have two ports configured on the switch where the sonicwall and sonicpoint connect.  Create two VLANs naming them with the VLAN IDs you used on the sonicwall.  You want to make both ports "tagged" AND "members" of both VLANs.  You want to remove any tag or membership for these two ports from the default VLAN.  The idea here is you are making a virtual switch out of these ports using VLANs where, normally, you would have used a physical switch.

Configure this on the switch, connect the sonicwall's X5 port and the one Sonicpoint to the designated switch ports.  Let's get this working then we'll worry about the other sonicpoint on the other switch over the uplink...OK?
0
 

Author Comment

by:Woggy64
Ok, this is where I may have gone wrong - I created a single VLAN and placed all three ports on this switch that were to be for the Sonicwall.  Port 2, 3 & 4 on the Netgear were tagged as members of VLAN5.    Port 2 was coming in from the sonicwall, and then I had both sonicpoints in the other two (I will eventually have three sonicpoints - but third will be later and using this port).

So, I need separate VLANs for each port for this?
0
 
LVL 33

Expert Comment

by:digitap
You need a VLAN for each virtual sonicpoint that you create.  You want an Admin and a Guest.  In order to get the appropriate IP address for whichever you connect to, you need to have a VLAN assignment for each.  When you are viewing the Network > Interfaces, you'll add an interface to X5 (which should be assigned the WLAN zone).  When you do this, you'll give it a VLAN ID and the appropriate IP subnet assignment.  When you finish adding the new interface, the Sonicwall will create a new DHCP scope assigned to this VLAN interface.  If you want to assign a laptop to the guest network, then they merely authenticate to the guest virtual sonicpoint and will get an IP assigned by that respective DHCP server.  In order for the switch to allow assigning an IP on either the Admin or Guest, all the ports on the switch must be a member and tagged for both VLANs.

The VLAN IDs you assign the Guest and Admin interfaces, should be what you use when you create the VLANs on the switch.

It's confusing.  I've always used a separate physical switch for my sonicpoints, but I recently upgraded a client and installed a PoE switch.  I had to call Sonicwall support to get the VLAN configuration steps.
0
 

Author Comment

by:Woggy64
Ah, you're talking about the Sonicwall, while I am lost on the VLAN configuration on the Netgear switches.

For the Netgear - I only need to create a single VLAN and tag those three ports I need on this VLAN in my server room, then worry about the one port on the remote switch.  Sound right?
0
 
LVL 33

Expert Comment

by:digitap
Have you created the two VLANs on the sonicwall yet?  If so, you'll want to create those two not just the one.  See the screen shot below.
0
 
LVL 33

Expert Comment

by:digitap
oops...forgot screen shot.
greenshot-2010-08-23-16-17-17.jpg
0
 

Author Comment

by:Woggy64
Ok, two VLANs done on the sonicwall.
0
 
LVL 33

Expert Comment

by:digitap
OK...now, how are your sonicpoints configured?  do you have a VAP for guests and a VAP for Admin?
0
 

Author Comment

by:Woggy64
Yes, WLAN-Guest and WLAN-Corp
0
 
LVL 33

Expert Comment

by:digitap
OK...what VLAN IDs have you assigned the two interfaces on your sonicwall?  Have you created any VLANs on your switch yet?
0
 

Author Comment

by:Woggy64
X5 is the WLAN
X5:V50 is WLAN-Corp
X5:V55 is WLAN-Guest

On the Netgear, I created VLAN5 and tagged ports 2,3, & 4 as VLAN5 members (I think)
0
 
LVL 33

Expert Comment

by:digitap
On the netgear, you need to create two VLANs.  Name them 50 and 55.  Then, make ports 2, 3, and 4 tagged members of both VLANs 50 and 55.

I'm getting ready to head home for the day, so my responses may become spotty.
0
 

Author Comment

by:Woggy64
Ok, I'm grateful for all the help.

I think I should be able to do this on these switches, but would I create a port on the remote switch and then tag it to the same VLAN numbers from the server room switch?  i.e. a single port on remote switch with both VLANs tagged to that port?
0
 
LVL 33

Expert Comment

by:digitap
On the other switch, you'll create the same two VLANs and configure a single port as you have done with the other switch.  Additionally, the port that provides the uplink on both switches, you'll want to make the uplink ports UNTAGGED members of both VLANs.
0
 

Author Comment

by:Woggy64
Great, thank you so much.
0
 
LVL 33

Expert Comment

by:digitap
you bet...talk to you soon and good luck!
0
 

Author Comment

by:Woggy64
100% up and running now, on both Sonicpoints.

I did discover there was another Netgear switch in between the IDF & MDF, so I configured that switch's uplink ports to be untagged in both of the VLANs.

Thank you very much!  
0
 
LVL 33

Expert Comment

by:digitap
You're welcome!  These things can be complicated enough...glad I could help you sort it out.
0
 

Author Comment

by:Woggy64
Guess I spoke too soon.   The remote Sonicpoint, while it talks to the Sonicwall, it's not passing traffic from the notebooks, they'll connect but limited access (basically they connect then get no further).

I did swap the Sonicpoints, and the problem stays at the remote side, not with the Sonicpoint.

Weird - because the sonicpoint will boot, get an ip from the sonicwall, and then you can manage it from the sonicwall.

It's got to be something on the sonicwall itself then?
0
 

Author Comment

by:Woggy64
Confirmed the Sonicwall & Sonicpoints are ok - all work off the same switch in the server room.

New thread/topic for this now?  It's solely a NetGear issue now.
0
 
LVL 33

Expert Comment

by:digitap
yes...sorry, i'm back now.  it would be a netgear issue.  what ip do your sonicpoints get on the switch that connect via the uplink?
0
 

Author Comment

by:Woggy64
The sonicpoints themselves get an 172.16.31.247 & 172.16.31.248 as the WLAN interface on the Sonicwall is set for 172.16.31.1.

It has me wondering, as when I connect the Sonicpoint out on the remote switch, I can watch it boot on the Sonicwall and get an IP on the 172.16.31.XX scheme.   But just does not seem to work, but when I walk it back to the server room and connect into the extra port in the VLAN, it works just fine.   If I disco the other Sonicpoint and walk it back, I can also watch it boot up and connect on the Sonicwall, but again - no access after connecting to it with a notebook.
0
 
LVL 33

Expert Comment

by:digitap
Ok...when you connect the sonicpoint to the WLAN interface, what IP address is it getting?

What I'm proposing is the two VLANs for admin and guest are NOT being routed properly over the uplink.  i'll need to review my switches here to confirm i've got the correct tag/untagged/membership combination right.  give me some time.  coming up on the end of the day and i have to finish some "job" related stuff....you know, the part of my life that pays the bills...>GRIN<!
0
 

Author Comment

by:Woggy64
LOL - I'm thinking - do I need three VLANs on the Netgear switches?   One for the actual hardware (172.16.31.XX network), then the original other two VLANs for the Virtual VLANs (the corp 172.16.50.XX and the guest 172.16.55.XX)?

The sonicpoints themselves get a 172.16.31.XX address, from the X5 interface on the Sonicwall, which is set to 172.16.31.XX
0
 
LVL 33

Expert Comment

by:digitap
Yes, you are correct sir.  I just reviewed my switch.  I have three VLANs configured.  I have attached a screen shot.  I created a VLAN 500 and made the designated ports untagged members of those ports.  Since I haven't marked the default WLAN traffic as VLAN 500, I don't want to tag it.  The other ports, I make them tagged members of my two VLANs, 21/22.  So, your uplink ports will need to be untagged members of all the VLANs they need to pass traffic for.  On the uplink switch, you'll make your single port a tagged member of both VLANs and an untagged member of the default WLAN traffic.
0
 
LVL 33

Expert Comment

by:digitap
oops...screen shot.
greenshot-2010-08-24-16-57-52.jpg
0
 

Author Comment

by:Woggy64
When you say uplink switch, you talking about the switch in the server room that connects to the Sonicwall X5 interface? (Sorry - long day - brain is about dead here:P)
0
 
LVL 33

Expert Comment

by:digitap
no, it's the switch that the single sonicpoint will connect to that's located away from the server room...no worries, feel the same
0
 

Author Comment

by:Woggy64
MDF Switch:
      VLAN31-Sonicwall WLAN:

      Port02-Untagged      -goes to X5 interface on Sonicwall
      Port03-Untagged      -goes to Sonicpoint
      Port04-Untagged      -empty (future use Sonicpoint)
      Port05-Untagged      -goes out to Port01 on IDF-2 Switch

      VLAN50-WLAN-Corp:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Untagged

      VLAN55-WLAN-Guest:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Untagged

IDF-2 switch:

      VLAN31-Sonicwall WLAN:

      Port01-Untagged      -goes to MDF Switch Port05
      Port03-Untagged      -goes to IDF-4 Switch Port01

      VLAN50-WLAN-Corp:

      Port01-Untagged
      Port03-Untagged

      VLAN55-WLAN-Guest:

      Port01-Untagged
      Port03-Untagged

IDF-4 switch:

      VLAN31-Sonicwall WLAN:
      
      Port01-Untagged      -goes to IDF-2 Switch Port03
      Port02-Untagged      -goes to Sonicpoint

      VLAN50-WLAN-Corp:
      
      Port01-Untagged
      Port02-Tagged

      VLAN55-WLAN-Guest:
      
      Port01-Untagged
      Port02-Tagged

Should it look like this?   I'm still not working on the far end, but about to confirm these are the settings on all three switches.
0
 

Author Comment

by:Woggy64
Sorry - correction to the above - on MDF Switch VLAN50 & VLAN55 Port02 is tagged, not untagged.

This has the one sonicpoint on this switch up and out to the internet.   The sonicpoint on IDF-4 switch Port02 still not sending out to the internet, it just connects to the notebook and nothing else - yet I can see the connection on the sonicwall for this notebook.
0
 
LVL 33

Expert Comment

by:digitap
So, your laptop is getting an IP address?  Which switch is routing the sonicpoint traffic properly?
0
 

Author Comment

by:Woggy64
Laptop is getting correct IP.  Sonicpoint in mdf switch works but not remote sonicpoint.   But each sonicpoint will issue good IP.
0
 
LVL 33

Expert Comment

by:digitap
You've been referencing just two switches, but I see three switches in your VLAN configuration.  I'm getting confused by that.

So, laptops getting an IP on the MDF (main switch in the server room where the sonicwall is) can ping local hosts and get to the Internet, right?

Laptops that are connecting to sonicpoints on the remote switches are getting a proper IP address, but are not routing....essentially, they can't get to the Internet and are not able to ping local hosts, right?

Are all the switches the same model?
0
 

Author Comment

by:Woggy64
All the switches are NetGear GS724Tv3's.   I found the third switch while tracing the cabling (nothing was marked/labeled - and they have no map of anything here).

Everything wired in the MDF, and other IDFs, work just fine.   And the one Sonicpoint that connects in the MDF works as planned on the guest WiFi - they get out to the internet with no local access.   It's the remote Sonicpoint that while I can see it on the Sonicwall admin interface and see client notebooks connect to it - it does not let them out on the internet (or anywhere).

Yet I can disco the working Sonicpoint, walk it back to the remote IDF, swap it out with the other and see it bootup on the sonicwall and clients connect, but no internet.  I walk the remote sonicpoint up to the MDF, connect it to the switch in there, and can see it bootup and clients connect and get out on the internet.

Something in the way I have configured the VLANs is stopping this traffic on the 172.16.50.XX (corp) and 172.16.55.XX (guest) VLANs, but the 172.16.31.XX VLAN is working out to the remote side.  Which is why I can talk to the sonicpoint itself (on 31.XX), but the client notebooks can not pass traffic thru it to the MDF switch on those two VLANs (55.XX & 50.XX).

0
 

Author Comment

by:Woggy64
I got it now - was confused on the tagging vs untagging and had a few backwards.   Here is the correct
configuration that works for me now:

MDF Switch:
      VLAN31-Sonicwall WLAN:

      Port02-Untagged      -goes to X5 interface on Sonicwall
      Port03-Untagged      -goes to Sonicpoint
      Port04-Untagged      -empty (future use Sonicpoint)
      Port05-Untagged      -goes out to Port01 on IDF-2 Switch

      VLAN50-WLAN-Corp:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Tagged

      VLAN55-WLAN-Guest:

      Port02-Untagged
      Port03-Tagged
      Port04-Tagged
      Port05-Tagged

IDF-2 switch:

      VLAN31-Sonicwall WLAN:

      Port01-Untagged      -goes to MDF Switch Port05
      Port03-Untagged      -goes to IDF-4 Switch Port01

      VLAN50-WLAN-Corp:

      Port01-Tagged
      Port03-Tagged

      VLAN55-WLAN-Guest:

      Port01-Tagged
      Port03-Tagged

IDF-4 switch:

      VLAN31-Sonicwall WLAN:
     
      Port01-Untagged      -goes to IDF-2 Switch Port03
      Port02-Untagged      -goes to Sonicpoint

      VLAN50-WLAN-Corp:
     
      Port01-Tagged
      Port02-Tagged

      VLAN55-WLAN-Guest:
     
      Port01-Tagged
      Port02-Tagged

0
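Added example, not part of the original thread: a small Python model of 802.1Q egress and ingress on the inter-switch ports from the two listings above, showing that frames in VLAN 50 and 55 lose their VLAN identity on untagged uplinks (and merge into VLAN 31) but keep it on tagged ones. It assumes a PVID of 31 on every uplink port and ingress filtering enabled, neither of which is stated in the thread; all function and variable names are illustrative.

```python
# Added example: 802.1Q walk along MDF -> IDF-2 -> IDF-4 from the thread.
# Assumptions (not stated in the thread): PVID 31 on every uplink port and
# ingress filtering enabled. All names here are illustrative.
PVID = 31
UNTAGGED = "untagged"
CLIENT_VLANS = (50, 55)            # WLAN-Corp, WLAN-Guest

def config(uplink):
    """Port tables transcribed from the two listings.

    uplink='U' is the first listing (uplinks untagged in VLAN 50/55),
    uplink='T' is the final working listing (uplinks tagged).
    """
    client = {v: uplink for v in CLIENT_VLANS}
    return {
        ("MDF", 5):   {31: "U", **client},          # to IDF-2 Port01
        ("IDF-2", 1): {31: "U", **client},          # to MDF Port05
        ("IDF-2", 3): {31: "U", **client},          # to IDF-4 Port01
        ("IDF-4", 1): {31: "U", **client},          # to IDF-2 Port03
        ("IDF-4", 2): {31: "U", 50: "T", 55: "T"},  # remote Sonicpoint
    }

LINKS = [(("MDF", 5), ("IDF-2", 1)), (("IDF-2", 3), ("IDF-4", 1))]
EDGE = ("IDF-4", 2)

def egress(port, vid):
    """Tag put on the wire for a frame in VLAN vid, or None if not a member."""
    mode = port.get(vid)
    if mode is None:
        return None
    return vid if mode == "T" else UNTAGGED

def ingress(port, tag):
    """VLAN the receiving port assigns: the tag, or the PVID if untagged."""
    vid = PVID if tag == UNTAGGED else tag
    return vid if vid in port else None

def walk(cfg, vid):
    """Carry a frame that is in VLAN vid inside the MDF switch to the remote
    Sonicpoint port. Returns (VLAN at the far end, tag on the wire) or None."""
    for out_port, in_port in LINKS:
        tag = egress(cfg[out_port], vid)
        if tag is None:
            return None
        vid = ingress(cfg[in_port], tag)
        if vid is None:
            return None
    tag = egress(cfg[EDGE], vid)
    return None if tag is None else (vid, tag)

def broken_vlans(cfg):
    """VLANs whose frames are dropped or arrive in a different VLAN."""
    bad = []
    for vid in (31,) + CLIENT_VLANS:
        result = walk(cfg, vid)
        if result is None or result[0] != vid:
            bad.append(vid)
    return bad

if __name__ == "__main__":
    for label, mode in (("first listing", "U"), ("working listing", "T")):
        cfg = config(mode)
        for vid in (31,) + CLIENT_VLANS:
            print(label, "VLAN", vid, "->", walk(cfg, vid))
        print(label, "broken:", broken_vlans(cfg))
```

MDF ports 02 to 04 are left out because the walk starts with the frame already classified inside the MDF switch.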
 
LVL 33

Expert Comment

by:digitap
Sorry...I didn't see your post on 8/25.  I thought you'd given up the quest all together...glad to see you stuck it out and got it working!  Your config looks perfect!
0
 

Author Comment

by:Woggy64
LOL - thanks for the help.  I had no choice but to make it work :)  

You gave me enough information, I just had to re-read it and think about it.
0
 
LVL 33

Expert Comment

by:digitap
yes...VLANs can be complicated especially if you span multiple switches.
0
