trelectric

asked on

Wireless Network replacing a VPN Network problem

I have a rather complicated networking problem I would like some help and guidance on working with a remote location and phone media gateway.  Currently, the networks are connected across town via VPN.   We're looking to replace that connection with a pair of high power wireless bridges.  Seems simple enough, until you get to the networking here...

Local Network
SonicWall NSA 240
192.168.1.X  data
192.168.100.X       voice

Remote Networks
SonicWall TZ180
192.168.3.X  data
192.168.30.X  voice

The VPN policies define local and destinations networks.  There's a media gateway at 192.168.30.20 that communicates with the phone system at 192.168.100.20.   This setup works fine except for the hit in performance at times.  

I've gone back and forth on implementation of the bridges.  I want to run that network off the X2 port of the NSA240.  Now, whether or not I tie the second bridge into the TZ180 or directly into the switch at the remote location is up for debate.  It really depends on what's required for the networking here.  Keep in mind the media gateway and managed switch have a route set back to the TZ180 at 192.168.3.2.  (switch being at 192.168.3.1)

One way I thought about doing this is simply setting the X2 port of the NSA240 to 192.168.3.3, bridges at 192.168.3.10, .11 and tying directly into the switch.  I didn't really *think* I needed the TZ180... from the second bridge and having the gateway set to 192.168.3.3 I was able to communicate with 192.168.1.X, .100.X quite easily.  But, obviously the media gateway and switch have that route set to 192.168.3.2 so they're not trying to communicate through the same network.  I'd rather not mess with that configuration if I can help it for two reasons: a) I can utilize the old VPN policies as a failover if my wireless network dies and b) at $120/hr for a 3rd party network tech, the boss is making me do this.   So, if I can avoid it, reconfiguring that equipment might be best avoided.  

So, I then came up with this plan... set the X2 port on the NSA240 to another network of 192.168.4.1 and setup the P2 port on the TZ180 to 192.168.4.2, bridges at 192.168.4.10, .11 respectively.  This setup works fine but I need to emulate the routes that the VPN established.  ie...

Local
192.168.100.0 --> 192.168.3.0
192.168.100.0 --> 192.168.30.0
192.168.1.0 --> 192.168.3.0
192.168.1.0 --> 192.168.30.0
gateway 192.168.4.2?

Remote
192.168.3.0 --> 192.168.100.0
192.168.30.0 --> 192.168.100.0
192.168.3.0 --> 192.168.1.0
192.168.30.0 --> 192.168.1.0
gateway 192.168.4.1?


I think my logic is correct here.  But, this problem is a solid 9/10 so I need to be certain prior to trying to implement given that this is a required live office across town.  The bridges are setup and function quite nicely.  Proxim Tsunami MP-8150s.  Tell me I'm either on the right track or nuts.  I won't mind.  :)
digitap

to clarify, your final configuration is working fine, you just need some direction on setting up the vpn to provide failover, is that correct?
trelectric

ASKER

After I reread that I should have clarified what I was looking for I guess...

No, I haven't implemented that configuration yet.  I'd like to know if that looks correct.  I obviously have to pick a good day to test this out since it'll require me downing that VPN connection.  Black Friday next week looks like a good day.  I just want a game plan going into playing around with this.  Having an expert's approval in TCP/IP would be reassuring.  

As for the VPN failover... What is the easiest way to deal with that?  By my estimations, I'll have to setup 4 routes at each end to cover the wireless replacement here.  I'm assuming I'd have to delete, disable those routes in order to use the VPN as a failover.  I guess it would be nice if SW provided a "disable" option on the route... suggestions?
ok...i understand.

your IP infrastructure looks good in regards to putting the wireless network on its own IP subnet; this will make routing easier.  When you setup your routes, you'll want to designate the IP address for the sonicwall that manages those networks.  So, your routes would look like this:

On the TZ180:

192.168.1.0/24 - 192.168.4.1
192.168.100.0/24 - 192.168.4.1

On the NSA240:

192.168.3.0/24 - 192.168.4.2
192.168.30.0/24 - 192.168.4.2

The wireless bridges will use their local sonicwall as the gateway.  So:

192.168.4.10 will use 192.168.4.2 as its gateway.
192.168.4.11 will use 192.168.4.1 as its gateway.


Regarding failover, when you setup your routes, you can configure them to disable themselves when the interface is disconnected.  now, this isn't the same as the wireless going offline.  if the sonicwall still detects that the hardware is online, then it will seem that the interface is connected and try to route traffic out that interface despite the wireless connection being down.  this could be a real bummer.


***CAUTION!  HIGHLY THEORETICAL IDEA! NOT BEEN TESTED! PROCEED AT YOUR OWN RISK!!*****
i had another thought where you could setup a secondary gateway and use the failover function on the sonicwall.  you can configure the sonicwall to monitor the connection.  if it detects that the wireless connection is down, then it will switch over.  however, this is more of a Primary WAN and Secondary WAN relationship.  meaning, the wireless bridge would need to be your Primary gateway and your current Internet connection would need to be your secondary gateway.  you might be able to do this, but it would require some real thought.  you could set it up in this manner and configure a route to send all of your internet traffic out the secondary gateway.  configure the VPN to use the interface you've attached the secondary (Internet) gateway to.  setup your failover and begin monitoring the wireless bridge.  if it goes down, then it might failover but I'm not sure what it will failover to.  the routes will be changed to the secondary gateway and the only thing allowing this to function is the VPN so it MIGHT...I say again...MIGHT send the traffic over the VPN.  You'd have to configure failover on both ends.


Anyway, for what it's worth, see below for a KB on how to configure a secondary gateway.  I should note at this point that failover may be completely manual in that you'll have to disable your routes so the sonicwall sends the traffic over the VPN.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781

another blip on my radar that i just realized, i don't think the TZ180 will have any trouble with the routing, but if you get lots of traffic going through the 180, it might become a bottleneck.  if you have a layer 3 switch (router) you could use that to route traffic instead, but it becomes increasingly more difficult to implement failover.

this was a minor concern to keep in the back of your mind.  if you end up with slow network challenges, you might consider this in your troubleshooting.
Thanks.  Lots of good information there.  Will note the capacity on the TZ180.  I'll just upgrade it if it becomes an issue.  

Just because this gets a bit confusing on SW's object-oriented model I also want to clarify exactly what I need in the route.  I understand the routes.  But, where I get stumped is on the Interface, whether that needs to be configured to the interface for the LAN or the new wireless LAN...  

NSA240 Interfaces
X0      LAN             192.168.1.3
X1      WAN             <WAN IP>
X2      LAN             192.168.4.1
Route for 192.168.100.0 exists, points to a Layer 2 switch for the voice traffic

TZ180 Interfaces
P5      LAN      192.168.3.2
P2      LAN      192.168.4.2
WAN      WAN      <WAN IP>
Route for  192.168.30.0 exists, points to a Layer 2 switch for voice traffic

So...

add these routes to the NSA240:

Source: ANY
Destination: 192.168.3.0
Service: ANY
Gateway:  192.168.4.1
Interface: X0    <--- this is where I get confused, X0 or X2?

repeat for 192.168.30.0


add these routes to the TZ180:

Source: ANY
Destination: 192.168.1.0
Service: ANY
Gateway:  192.168.4.2
Interface:   LAN (P5)   <--- again, this is where I get confused, P2 or LAN(P5)?

repeat for 192.168.100.0


Thanks again

sorry... flopped the gateways around there... should be...

add these routes to the NSA240:

Source: ANY
Destination: 192.168.3.0
Service: ANY
Gateway:  192.168.4.2
Interface: X0    <--- this is where I get confused, X0 or X2?

repeat for 192.168.30.0


add these routes to the TZ180:

Source: ANY
Destination: 192.168.1.0
Service: ANY
Gateway:  192.168.4.1
Interface:   LAN (P5)   <--- again, this is where I get confused, P2 or LAN(P5)?

repeat for 192.168.100.0
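As an added illustration, not code from the thread or from SonicWall: the Python below models the two firewalls' routing tables from the route lists and interface tables above, does longest-prefix matching, and resolves each static route's egress interface as the interface whose connected subnet contains the next hop (a gateway on 192.168.4.0/24 therefore resolves to X2 on the NSA240 and P2 on the TZ180). The two voice-subnet next hops (192.168.1.250 and 192.168.3.250) are assumed placeholders, since the thread only says those routes point at a layer 2 switch; the trace follows a call between the PBX and the media gateway in both directions to confirm the path is symmetric over the wireless link.

```python
import ipaddress

def build_table(interfaces, static_routes):
    """Return [(network, next_hop, egress_iface)]; connected subnets carry no next hop."""
    table = [(ipaddress.ip_interface(c).network, None, i) for i, c in interfaces.items()]
    for dest, gw in static_routes:
        gw_ip = ipaddress.ip_address(gw)
        # A static route egresses on the interface whose connected subnet holds the gateway.
        iface = next((i for i, c in interfaces.items()
                      if gw_ip in ipaddress.ip_interface(c).network), None)
        if iface is None:
            raise ValueError(f"next hop {gw} is not on any connected subnet")
        table.append((ipaddress.ip_network(dest), gw_ip, iface))
    return table

def lookup(table, dst):
    """Longest-prefix match: returns (next_hop or 'connected', iface), or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    _, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return (str(gw) if gw else "connected", iface)

# Addresses from the thread; the two voice-subnet next hops are assumed placeholders.
NSA240 = {"name": "NSA240", "table": build_table(
    {"X0": "192.168.1.3/24", "X2": "192.168.4.1/24"},
    [("192.168.3.0/24", "192.168.4.2"), ("192.168.30.0/24", "192.168.4.2"),
     ("192.168.100.0/24", "192.168.1.250")])}   # placeholder: local voice switch
TZ180 = {"name": "TZ180", "table": build_table(
    {"P5": "192.168.3.2/24", "P2": "192.168.4.2/24"},
    [("192.168.1.0/24", "192.168.4.1"), ("192.168.100.0/24", "192.168.4.1"),
     ("192.168.30.0/24", "192.168.3.250")])}    # placeholder: remote voice switch
ROUTERS = {"192.168.4.1": NSA240, "192.168.4.2": TZ180}  # keyed by transit-link address

def trace(router, dst):
    """Hop firewall-to-firewall over the wireless link until the next hop leaves the model."""
    path = []
    while True:
        hit = lookup(router["table"], dst)
        if hit is None:
            raise RuntimeError(f"{router['name']} has no route to {dst}")
        gw, iface = hit
        path.append((router["name"], iface, gw))
        if gw not in ROUTERS:          # connected, or a hop we do not model
            return path
        router = ROUTERS[gw]

if __name__ == "__main__":
    print(trace(NSA240, "192.168.30.20"))   # PBX side -> media gateway
    print(trace(TZ180, "192.168.100.20"))   # media gateway -> PBX side
```

Swapping a route's gateway onto an interface that does not carry its subnet (the "flopped gateways" in the earlier post) makes build_table raise, which is the same mismatch a firewall would refuse or silently blackhole.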
ASKER CERTIFIED SOLUTION
digitap

Worked like a champ!  Phone quality is soooo much better now.  Thanks a bunch.
you're welcome.  glad i could help and thanks for the points!