Solved

SonicWALL - Multiple subnet configuration

Posted on 2011-02-20
1,600 Views
Last Modified: 2012-09-08
So presently I have this configuration for one VPN leg (if you've followed previous discussions you'll know that this is ultimately going to be a set of two teamed / failover VPNs) set up and working on a Linksys RV042:
https://img.skitch.com/20110221-d2quxi749mdig26qmnrab5qwck.jpg

A diagram of the network topology is as follows:
https://img.skitch.com/20110219-gx38xuirrj6uymfkddmy6epxec.jpg

How would I duplicate this RV042 configuration on this particular SonicWALL TZ 180?

It sounds as though trunking and tagging perhaps would have been a better option?  However, I'm not sure how that would work on this unit yet either.  Any instructions or information on how to get this set up properly would be appreciated.

I simply want to do what's correct with this particular unit so whichever method to support the TOPOLOGY DIAGRAM above would be optimal vs simply duplicating the configuration.
Question by:gpsocs
LVL 33

Accepted Solution

by:
digitap earned 500 total points
you simply need to add a route to the sonicwall for each subnet and the gateway that manages those subnets.  there is a router in between the networks and the sonicwall.  i'm not even considering the VPN because the sonicwall isn't responsible for managing the vpns.  you simply need to tell the sonicwall how to route traffic to those subnets.  also, i assume that between the sonicwall and Office 1, there is a VPN.  if so, then you'll want to make ALL subnets that will go across the VPN part of the VPN.

hope i'm understanding right.

Author Comment

by:gpsocs
There is NO VPN between Office 1 and the SonicWALL.  This is a temporary solution for a client that is testing the solution until we get them integrated into the "MPLS" VPN cloud.
LVL 33

Expert Comment

by:digitap
ah, this is good.  removing the VPN there really makes things less complicated. then you'd only need to add the route for their subnet when they are part of the MPLS cloud.

Author Comment

by:gpsocs
I'm assuming Network -> Routing -> Route Policies -> ADD... and then it gets a little dicey for me after this point.

Obviously the concept is solid, but the actual execution on this unit is disconcerting given the options.

Source: ?  ANY ? (Probably any)
Destination: ? ANY ? (Probably any)
Service: Any (I'm assuming that would be right here for all traffic)
Gateway: ? Default Gateway ? (Dunno)
Interface: Not sure on this one... probably WAN, but options are: WAN, LAN (obviously not OPT or WLAN)
Metric: 1 (not sure of this)
Disable route when the interface is disconnected: unchecked
Allow VPN path to take precedence: unchecked


Now, also, we may have a secondary Internet coming into this unit in the near term.  I assume we can use teaming / failover with the OPT port.  But boy, that's another topic for another crazy day. :)  I wish I only had this to worry about right now!  LOL
LVL 33

Assisted Solution

by:digitap
digitap earned 500 total points
i understand.  here's my take on the route.

Source: Any
Destination: Address object representing one of the subnets in Node 1, Node 2, Node N...
Service: Any
Gateway: whatever is managing the VPN for those subnets.  is it the router?  10.0.17.1? 10.10.11.1?
Interface: LAN.  Since the Router has an IP on the LAN subnet (this is right, right?), then the router would be the gateway and the interface is X0 (LAN).
Metric: 20.  this is the default for all the routes created on the sonicwall.
Disable route...: this is if you have a backup connection and you want something else to take over if it goes down.  i've used it before, but not very often.
Allow VPN...: used in rare instances.


regarding failover.  rather than go into it here, these KBs might answer your questions regarding it.  i'm including HA for grins and giggles...as if you don't already have enough information to assimilate!!!

Failover within the sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828

HA between two sonicwalls, by the way, you can configure internet failover in a HA configuration:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6234

Author Comment

by:gpsocs
So right now just "VPN 2" (AT&T, which is to be backup within the next few days) is active.  So essentially each node is just that, a node in the mesh.  We have, therefore at the Main Office router 10.10.11.1 and, in this example, 10.10.12.1 as the router at the other site with the HDX unit out there being at 10.10.12.50.  You can presently cut the larger router icon out of the mix as I currently am only dealing with the AT&T provided Cisco routers hooked to switches.

Author Comment

by:gpsocs
So example path: Office 1 HDX <-> Router <-> Internet <-> SonicWALL TZ 180 <-> 10.10.11.1 <-> 10.10.12.1 <-> 10.10.12.50
LVL 33

Expert Comment

by:digitap
whatever network the sonicwall does not know about, you simply create the route for that network and specify the gateway as being the router that DOES know about that subnet.  as long as the router has an interface on the LAN subnet which the sonicwall does know about, it will find the path just fine.

Author Comment

by:gpsocs
<sigh> So sorry to make you work for this one.  :)

So I'm looking here Gateway and I Add an Address Object:
Zone Assignment appears to obviously be LAN.  
Type... hrm, I could see it being a Host in terms of directing traffic to that router at the Main Office, which is 10.10.11.1, OR I could see it being Network and the 10.10.12.0/24 network...  I'm sure I'm overthinking here now, it being about 2AM.

So then the same on the Destination, what am I looking at for that there?  I'm assuming Network for that one and probably Host for the previous Gateway option.

And yes, the LAN on the TZ 180 is directly connected to a Cisco switch which is hooked into the AT&T Ciscos router 10.10.11.1.
LVL 33

Expert Comment

by:digitap
so, you want the destination to be the network on the other side of att connection and the gateway to be the att router.  sorry to cut off...hope it works. time for me and my pregnant wife to go to bed...12a here.  i'll be back at it in a few hours.

Author Comment

by:gpsocs
Yeah, that's it.  The destination is the 10.10.12.50 for now being the HDX over there or just generally the 10.10.12.0/24 network and the gateway on the Main Office side out to the VPN cloud is 10.10.11.1.

Understood.  I'm crashing out now as well.  4 kids and a plethora of other stuff so I know what you're going through. ;)  Yeah, I have to have this all in place in the morning after a 2 hour drive to the main site so I'm trying to get my ducks in a row before I set out.

The last thing I have to figure out is how in the heck I'm going to get a block of IPs on the current Internet we have in place vs the new one we're supposed to already have in place that has a very large c block of ips assigned.  <sigh>
LVL 33

Expert Comment

by:digitap
hehehe...you really do understand! so, are the public ips non-contiguous?  typically, you just assign a public ip, configure the subnet mask and that's it.  what makes this batch of ips so challenging?

Author Comment

by:gpsocs
What makes it challenging at the moment is whether we even have one for this particular Internet connection we're using atm... :\  The other connection hasn't been dropped in the Main Office yet.  Blah.
LVL 33

Expert Comment

by:digitap
oh...so, you are going from a crappy Internet connection to a better one?  sorry, must have stayed up too late.

Author Comment

by:gpsocs
Yeah, but I don't know how "crappy" crappy is actually until I can talk to someone who knows it since it's provided by the office building owners.  Blah.  I don't even have a good handle on the previous topology yet since I came into this midstream and am effectively tearing down and rebuilding as i go.  LOL

I'm wondering about buying a small block temporarily for this existing situation until we get the long term conn in place...  I just wish I could get a hold of someone at this point on site.

So yeah, I need to get those address objects config'd properly from our discussion last night.  Are you able to give me a little closer insight to the Destination and Gateway now that I've provided that information as well as how the Add Address Object dialog will be config'd for each of those two?  I think if I have that I'll be good.

Author Comment

by:gpsocs
So yeah, if I could get some clarity on that, that would be great.  I'm going to ask specifically what to ask in another question, as I can assign some more points since the IP issue is a separate one, and I could use some additional brain share as I ask the appropriate questions and get that resolved this morning.
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 500 total points
sure.

Source: Any
Destination: Address Object representing NETWORK 10.10.12.0/24 in the LAN zone
Service: Any
Gateway: Address Object representing HOST 10.10.11.1 in the LAN zone
Interface: LAN
Metric: 20
Leave the two check boxes unchecked.

is your LAN subnet within the 10.10.11.0/24 subnet?
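The route policy spelled out above, checked in code. This is an added Python example, not code from the thread, from SonicWALL, or from either participant: it models the TZ 180's directly connected ports and the static route digitap describes, verifies the one rule the whole discussion turns on (the Gateway HOST must sit inside the subnet directly connected to the chosen Interface, or the firewall has no local path to that next hop), and then does a longest-prefix lookup for the far-site HDX at 10.10.12.50. Port names X0/X1 are assumed; the WAN addresses (203.0.113.0/24) are constructed placeholders from the documentation range, as is the misconfigured "right gateway, wrong interface" route used to show a failing check.

```python
"""Static-route sanity check for the TZ 180 setup discussed in the thread.

Constructed example: addresses on the LAN side mirror the thread, the WAN
side (203.0.113.0/24) is a placeholder, and the validation/lookup logic is
the editor's own, not SonicOS behaviour.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str             # physical port, e.g. "X0" (assumed naming)
    zone: str             # zone bound to that port, e.g. "LAN"
    network: IPv4Network  # subnet directly connected on that port


@dataclass(frozen=True)
class RoutePolicy:
    destination: IPv4Network  # Destination address object of type NETWORK
    gateway: IPv4Address      # Gateway address object of type HOST
    interface: str            # port the gateway is reached through
    metric: int = 20          # default metric for SonicWALL routes, per the thread


def make_route(dest: str, gateway: str, interface: str, metric: int = 20) -> RoutePolicy:
    """Build a RoutePolicy from the strings you would type into the dialog."""
    return RoutePolicy(ip_network(dest), ip_address(gateway), interface, metric)


# Constructed topology: X0/LAN is 10.10.11.0/24 with the AT&T router at
# 10.10.11.1, which knows how to reach 10.10.12.0/24 at the far site.
INTERFACES = (
    Interface("X0", "LAN", ip_network("10.10.11.0/24")),
    Interface("X1", "WAN", ip_network("203.0.113.0/24")),   # placeholder WAN
)
DEFAULT_ROUTE = make_route("0.0.0.0/0", "203.0.113.1", "X1")   # placeholder ISP gateway
SITE_ROUTE = make_route("10.10.12.0/24", "10.10.11.1", "X0")   # the route from the thread


def validate_route(route: RoutePolicy, interfaces=INTERFACES) -> List[str]:
    """Return the problems with a route policy; an empty list means it is usable."""
    by_name = {i.name: i for i in interfaces}
    iface = by_name.get(route.interface)
    if iface is None:
        return [f"unknown interface {route.interface!r}"]
    problems = []
    # The rule the thread hinges on: the next hop must be on-link for the chosen port.
    if route.gateway not in iface.network:
        problems.append(
            f"gateway {route.gateway} is not on {iface.name}/{iface.zone} subnet "
            f"{iface.network}; choose the interface that owns the gateway's subnet"
        )
    if route.gateway in (iface.network.network_address, iface.network.broadcast_address):
        problems.append("gateway must be a HOST address, not the network or broadcast address")
    # A static route for a subnet the firewall already has a leg in is redundant.
    for i in interfaces:
        if route.destination == i.network:
            problems.append(f"destination {route.destination} is directly connected on {i.name}")
    return problems


def lookup(dest: str, interfaces=INTERFACES,
           routes=(SITE_ROUTE, DEFAULT_ROUTE)) -> Optional[Tuple[Optional[str], str]]:
    """Longest-prefix match over connected subnets and usable static routes.

    Returns (next_hop, interface); next_hop is None when the destination is
    on-link, and the whole result is None when nothing matches.
    """
    addr = ip_address(dest)
    best_len, best = -1, None
    for i in interfaces:
        if addr in i.network and i.network.prefixlen > best_len:
            best_len, best = i.network.prefixlen, (None, i.name)
    for r in routes:
        if addr not in r.destination or validate_route(r, interfaces):
            continue  # non-matching, or a route the firewall could not actually use
        if r.destination.prefixlen > best_len:
            best_len, best = r.destination.prefixlen, (str(r.gateway), r.interface)
    return best


if __name__ == "__main__":
    print("site route problems:", validate_route(SITE_ROUTE))
    print("HDX 10.10.12.50 ->", lookup("10.10.12.50"))
    wrong = make_route("10.10.12.0/24", "10.10.11.1", "X1")  # right gateway, WAN port
    print("misconfigured route problems:", validate_route(wrong))
```

The failing case is the one the author was circling in the thread: keeping 10.10.11.1 as the gateway but selecting the WAN interface. The gateway is correct, the interface is not, and the check reports it before the route is committed.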

Author Comment

by:gpsocs
Yes, it is 10.10.11.0/24 on the local area network at Main Office.

Also, the IP issue is posted if you have interest.  Thanks so very much.
LVL 33

Expert Comment

by:digitap
i am and have commented.  you're welcome and thanks for the points!