Solved

Wireless Network replacing a VPN Network problem

Posted on 2010-11-18
9
536 Views
Last Modified: 2012-05-10
I have a rather complicated networking problem I would like some help and guidance on working with a remote location and phone media gateway.  Currently, the networks are connected across town via VPN.   We're looking to replace that connection with a pair of high power wireless bridges.  Seems simple enough, until you get to the networking here...

Local Network
SonicWall NSA 240
192.168.1.X  data
192.168.100.X       voice

Remote Networks
SonicWall TZ180
192.168.3.X  data
192.168.30.X  voice

The VPN policies define local and destinations networks.  There's a media gateway at 192.168.30.20 that communicates with the phone system at 192.168.100.20.   This setup works fine except for the hit in performance at times.  

I've gone back and forth on implementation of the bridges.  I want to run that network off the X2 port of the NSA240.  Now, whether or not I tie the second bridge into the TZ180 or directly into the switch at the remote location is up for debate.  It really depends on what's required for the networking here.  Keep in mind the media gateway and managed switch have a route set back to the TZ180 at 192.168.3.2.  (switch being at 192.168.3.1)

One way I thought about doing this is simply setting the X2 port of the NSA240 to 192.168.3.3, bridges at 192.168.3.10, .11 and tying directly into the switch.  I didn't really *think* I needed the TZ180... from the second bridge and having the gateway set to 192.168.3.3 I was able to communicate with 192.168.1.X, .100.X quite easily.  But, obviously the media gateway and switch have that route set to 192.168.3.2 so they're not trying to communicate through the same network.  I'd rather not mess with that configuration if I can help it for two reasons: a) I can utilize the old VPN policies as a failover if my wireless network dies and b) at $120/hr for a 3rd party network tech, the boss is making me do this.  So, if I can avoid it, reconfiguring that equipment might be best avoided.

So, I then came up with this plan... set the X2 port on the NSA240 to another network of 192.168.4.1 and set up the P2 port on the TZ180 to 192.168.4.2, bridges at 192.168.4.10, .11 respectively.  This setup works fine but I need to emulate the routes that the VPN established, i.e....

Local
192.168.100.0 --> 192.168.3.0
192.168.100.0 --> 192.168.30.0
192.168.1.0 --> 192.168.3.0
192.168.1.0 --> 192.168.30.0
gateway 192.168.4.2?

Remote
192.168.3.0 --> 192.168.100.0
192.168.30.0 --> 192.168.100.0
192.168.3.0 --> 192.168.1.0
192.168.30.0 --> 192.168.1.0
gateway 192.168.4.1?


I think my logic is correct here.  But, this problem is a solid 9/10 so I need to be certain prior to trying to implement given that this is a required live office across town.  The bridges are set up and function quite nicely.  Proxim Tsunami MP-8150s.  Tell me I'm either on the right track or nuts.  I won't mind.  :)
0
Comment
Question by:trelectric
9 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34170402
to clarify, your final configuration is working fine, you just need some direction on setting up the vpn to provide failover, is that correct?
0
 

Author Comment

by:trelectric
ID: 34172888
After I reread that I should have clarified what I was looking for I guess...

No, I haven't implemented that configuration yet.  I'd like to know if that looks correct.  I obviously have to pick a good day to test this out since it'll require me downing that VPN connection.  Black Friday next week looks like a good day.  I just want a game plan going into playing around with this.  Having an expert's approval in TCPIP would be reassuring.  

As for the VPN failover... What is the easiest way to deal with that?  By my estimations, I'll have to set up 4 routes at each end to cover the wireless replacement here.  I'm assuming I'd have to delete or disable those routes in order to use the VPN as a failover.  I guess it would be nice if SW provided a "disable" option on the route... suggestions?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34173744
ok...i understand.

your IP infrastructure looks good in regards to putting the wireless network on its own IP subnet, this will make routing easier.  When you set up your routes, you'll want to designate the IP address for the sonicwall that manages those networks.  So, your routes would look like this:

On the TZ180:

192.168.1.0/24 - 192.168.4.1
192.168.100.0/24 - 192.168.4.1

On the NSA240:

192.168.3.0/24 - 192.168.4.2
192.168.30.0/24 - 192.168.4.2

The wireless bridges will use their local sonicwall as the gateway.  So:

192.168.4.10 will use 192.168.4.2 as its gateway.
192.168.4.11 will use 192.168.4.1 as its gateway.


Regarding failover, when you set up your routes, you can configure them to disable themselves when the interface is disconnected.  now, this isn't the same as the wireless going offline.  if the sonicwall still detects that the hardware is online, then it will seem that the interface is connected and try to route traffic out that interface despite the wireless connection being down.  this could be a real bummer.


***CAUTION!  HIGHLY THEORETICAL IDEA! NOT BEEN TESTED! PROCEED AT YOUR OWN RISK!!*****
i had another thought where you could set up a secondary gateway and use the failover function on the sonicwall.  you can configure the sonicwall to monitor the connection.  if it detects that the wireless connection is down, then it will switch over.  however, this is more of a Primary WAN and Secondary WAN relationship.  meaning, the wireless bridge would need to be your Primary gateway and your current Internet connection would need to be your secondary gateway.  you might be able to do this, but it would require some real thought.  you could set it up in this manner and configure a route to send all of your internet traffic out the secondary gateway.  configure the VPN to use the interface you've attached the secondary (Internet) gateway to.  set up your failover and begin monitoring the wireless bridge.  if it goes down, then it might failover but I'm not sure what it will failover to.  the routes will be changed to the secondary gateway and the only thing allowing this to function is the VPN so it MIGHT...I say again...MIGHT send the traffic over the VPN.  You'd have to configure failover on both ends.


Anyway, for what it's worth, see below for a KB on how to configure a secondary gateway.  I should note at this point that failover may be completely manual in that you'll have to disable your routes so the sonicwall sends the traffic over the VPN.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781

0
 
LVL 33

Expert Comment

by:digitap
ID: 34173918
another blip on my radar that i just realized, i don't think the TZ180 will have any trouble with the routing, but if you get lots of traffic going through the 180, it might become a bottleneck.  if you have a layer 3 switch (router) you could use that to route traffic instead, but it becomes increasingly more difficult to implement failover.

this was a minor concern to keep in the back of your mind.  if you end up with slow network challenges, you might consider this in your troubleshooting.
0

 

Author Comment

by:trelectric
ID: 34174669
Thanks.  Lots of good information there.  Will note the capacity on the TZ180.  I'll just upgrade it if it becomes an issue.

Just because this gets a bit confusing on SW's object-oriented model I also want to clarify exactly what I need in the route.  I understand the routes.  But, where I get stumped is on the Interface, whether that needs to be configured to the interface for the LAN or the new wireless LAN...

NSA240 Interfaces
X0      LAN             192.168.1.3
X1      WAN             <WAN IP>
X2      LAN             192.168.4.1
Route for 192.168.100.0 exists, points to a Layer 2 switch for the voice traffic

TZ180 Interfaces
P5      LAN      192.168.3.2
P2      LAN      192.168.4.2
WAN      WAN      <WAN IP>
Route for  192.168.30.0 exists, points to a Layer 2 switch for voice traffic

So...

add these routes to the NSA240:

Source: ANY
Destination: 192.168.3.0
Service: ANY
Gateway:  192.168.4.1
Interface: X0    <--- this is where I get confused, X0 or X2?

repeat for 192.168.30.0


add these routes to the TZ180:

Source: ANY
Destination: 192.168.1.0
Service: ANY
Gateway:  192.168.4.2
Interface:   LAN (P5)   <--- again, this is where I get confused, P2 or LAN(P5)?

repeat for 192.168.100.0


Thanks again

0
 

Author Comment

by:trelectric
ID: 34174686
sorry... flopped the gateways around there... should be...

add these routes to the NSA240:

Source: ANY
Destination: 192.168.3.0
Service: ANY
Gateway:  192.168.4.2
Interface: X0    <--- this is where I get confused, X0 or X2?

repeat for 192.168.30.0


add these routes to the TZ180:

Source: ANY
Destination: 192.168.1.0
Service: ANY
Gateway:  192.168.4.1
Interface:   LAN (P5)   <--- again, this is where I get confused, P2 or LAN(P5)?

repeat for 192.168.100.0
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34174952
you want to bind the interface the route will send the traffic out of or to.  so:

the NSA240:

Source: ANY
Destination: 192.168.3.0/24
Service: ANY
Gateway:  192.168.4.2
Interface: X2 (this is where the wireless bridge is physically connected)

repeat for 192.168.30.0/24


the TZ180:

Source: ANY
Destination: 192.168.1.0/24
Service: ANY
Gateway:  192.168.4.1
Interface:   P2 (this is where the wireless bridge is physically connected)

repeat for 192.168.30.0/24
0
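A small model of the two firewalls and the static routes from the accepted answer, written as an added example (it is not from the thread and not SonicWall code). It checks each route the way a practitioner would before committing it on a live link: the gateway must not be the firewall's own address (the asker's first draft used 192.168.4.1 as the NSA240's gateway) and the gateway must be on-link via the interface the route is bound to (which is why the answer is X2 and P2, not X0 and P5). It then traces a voice packet from the phone system to the media gateway across both boxes with longest-prefix matching. The TZ180 routes follow the asker's list (192.168.1.0/24 and 192.168.100.0/24). The page does not give the next hops of the pre-existing voice routes toward the layer 2 switches; 192.168.1.1 and 192.168.3.1 are assumed values.

```python
"""Static-route sanity check and path trace for the two-SonicWall bridge design.
Added example; models the thread's interfaces and routes, not a real device."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface     # address with prefix, e.g. 192.168.4.1/24


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[IPv4]           # None means directly connected
    iface: str                        # interface the route is bound to


@dataclass
class Firewall:
    name: str
    interfaces: Dict[str, Interface]
    routes: List[Route]

    def owns(self, ip: IPv4) -> bool:
        return any(i.addr.ip == ip for i in self.interfaces.values())


def validate_route(fw: Firewall, r: Route) -> List[str]:
    """Problems with a static route (empty list means it is consistent):
    bound interface must exist, gateway must not be this firewall's own
    address, and gateway must be on-link via the bound interface."""
    iface = fw.interfaces.get(r.iface)
    if iface is None:
        return [f"{fw.name}: interface {r.iface} does not exist"]
    if r.gateway is None:
        return []
    if fw.owns(r.gateway):
        return [f"{fw.name}: gateway {r.gateway} is this firewall's own address"]
    if r.gateway not in iface.addr.network:
        return [f"{fw.name}: gateway {r.gateway} is not on-link via {r.iface} "
                f"({iface.addr.network})"]
    return []


def check_static_route(fw: Firewall, dest: str, gateway: str, iface: str) -> List[str]:
    """String-based front end to validate_route, e.g. for a draft route entry."""
    return validate_route(fw, Route(ipaddress.ip_network(dest), IPv4(gateway), iface))


def lookup(fw: Firewall, dst: IPv4) -> Optional[Route]:
    """Longest-prefix match over connected networks plus static routes."""
    candidates = [Route(i.addr.network, None, i.name) for i in fw.interfaces.values()]
    candidates += fw.routes
    matches = [r for r in candidates if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def trace(firewalls: List[Firewall], start: str, dst: str) -> List[Tuple[str, Optional[str], str]]:
    """Follow a packet from firewall `start` hop by hop until it is delivered
    on-link, handed to a next hop that is not a modelled firewall, dropped for
    lack of a route, or caught in a forwarding loop."""
    target = IPv4(dst)
    fw = {f.name: f for f in firewalls}[start]
    hops, visited = [], set()
    while fw.name not in visited:
        visited.add(fw.name)
        r = lookup(fw, target)
        if r is None:
            hops.append((fw.name, None, "no route"))
            return hops
        if r.gateway is None:
            hops.append((fw.name, r.iface, "delivered on-link"))
            return hops
        hops.append((fw.name, r.iface, str(r.gateway)))
        nxt = next((f for f in firewalls if f.owns(r.gateway)), None)
        if nxt is None:
            return hops                   # next hop is outside the modelled devices
        fw = nxt
    hops.append((fw.name, None, "routing loop"))
    return hops


def build_topology() -> List[Firewall]:
    """Interfaces and routes as described in the thread. The next hops of the
    pre-existing voice routes (192.168.1.1, 192.168.3.1) are assumed values."""
    net, ip, ifc = ipaddress.ip_network, IPv4, ipaddress.ip_interface
    nsa = Firewall("NSA240",
                   {"X0": Interface("X0", ifc("192.168.1.3/24")),
                    "X2": Interface("X2", ifc("192.168.4.1/24"))},
                   [Route(net("192.168.100.0/24"), ip("192.168.1.1"), "X0"),  # existing voice route (assumed hop)
                    Route(net("192.168.3.0/24"), ip("192.168.4.2"), "X2"),    # new routes over the bridge
                    Route(net("192.168.30.0/24"), ip("192.168.4.2"), "X2")])
    tz = Firewall("TZ180",
                  {"P5": Interface("P5", ifc("192.168.3.2/24")),
                   "P2": Interface("P2", ifc("192.168.4.2/24"))},
                  [Route(net("192.168.30.0/24"), ip("192.168.3.1"), "P5"),    # existing voice route (assumed hop)
                   Route(net("192.168.1.0/24"), ip("192.168.4.1"), "P2"),
                   Route(net("192.168.100.0/24"), ip("192.168.4.1"), "P2")])
    return [nsa, tz]


if __name__ == "__main__":
    fws = build_topology()
    for fw in fws:
        for r in fw.routes:
            for problem in validate_route(fw, r):
                print("PROBLEM:", problem)
    # the asker's first draft: gateway 192.168.4.1 bound to X0 on the NSA240
    print(check_static_route(fws[0], "192.168.3.0/24", "192.168.4.1", "X0"))
    for hop in trace(fws, "NSA240", "192.168.30.20"):
        print(hop)
```

Running it with the accepted configuration reports no problems and traces 192.168.100.20 to 192.168.30.20 as NSA240 X2 to 192.168.4.2, then TZ180 P5 to the voice switch; binding the same route to X0 instead fails the on-link check, which is the practical answer to the "X0 or X2" question.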
 

Author Closing Comment

by:trelectric
ID: 34218041
Worked like a champ!  Phone quality is soooo much better now.  Thanks a bunch.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34218105
you're welcome.  glad i could help and thanks for the points!
0
