SonicWALL - Multiple subnet configuration

So presently I have this configuration for one VPN leg (if you've followed previous discussions you'll know that this is ultimately going to be a set of two teamed / failover VPNs) set up and working on a Linksys RV042:
https://img.skitch.com/20110221-d2quxi749mdig26qmnrab5qwck.jpg

A diagram of the network topology is as follows:
https://img.skitch.com/20110219-gx38xuirrj6uymfkddmy6epxec.jpg

How would I duplicate this RV042 configuration on this particular SonicWALL TZ 180?

It sounds as though trunking and tagging perhaps would have been a better option?  However I'm not sure of how that would work on this unit yet either.  Any instructions or information as to how to get this set out properly would be appreciated.

I simply want to do what's correct with this particular unit so whichever method to support the TOPOLOGY DIAGRAM above would be optimal vs simply duplicating the configuration.
3 Solutions
 
digitapCommented:
you simply need to add a route to the sonicwall for each subnet and the gateway that manages those subnets.  there is a router in between the networks and the sonicwall.  i'm not even considering the VPN because the sonicwall isn't responsible for managing the vpns.  you simply need to tell the sonicwall how to route traffic to those subnets.  also, i assume that between the sonicwall and Office 1, there is a VPN.  if so, then you'll want to make ALL subnets that will go across the VPN part of the VPN.

hope i'm understanding right.
gpsocsAuthor Commented:
There is NO VPN between Office 1 and the SonicWALL.  This is a temporary solution for a client that is testing the solution until we get them integrated into the "MPLS" VPN cloud.
digitapCommented:
ah, this is good.  removing the VPN there really makes things less complicated. then you'd only need to add the route for their subnet when they are part of the MPLS cloud.
gpsocsAuthor Commented:
I'm assuming Network -> Routing -> Route Policies -> ADD... and then it gets a little dicey for me after this point.

Obviously the concept is solid, but the actual execution on this unit is disconcerting given the options.

Source: ?  ANY ? (Probably any)
Destination: ? ANY ? (Probably any)
Service: Any (I'm assuming that would be right here for all traffic)
Gateway: ? Default Gateway ? (Dunno)
Interface: Not sure on this one... probably WAN, but options are: WAN, LAN (obviously not OPT or WLAN)
Metric: 1 (not sure of this)
Disable route when the interface is disconnected: unchecked
Allow VPN path to take precedence: unchecked


Now, also, we may have a secondary Internet coming into this unit in the near term.  I assume we can use teaming / failover with the OPT port.  But boy, that's another topic for another crazy day. :)  I wish I only had this to worry about right now!  LOL
digitapCommented:
i understand.  here's my take on the route.

Source: Any
Destination: Address object representing one of the subnets in Node 1, Node 2, Node N...
Service: Any
Gateway: whatever is managing the VPN for those subnets.  is it the router?  10.0.17.1? 10.10.11.1?
Interface: LAN.  Since the Router has an IP on the LAN subnet (this is right, right?), then the router would be the gateway and the interface is X0 (LAN).
Metric: 20.  this is the default for all the routes created on the sonicwall.
Disable route...: this is if you have a backup connection and you want something else to take over if it goes down.  i've used it before, but not very often.
Allow VPN...: used in rare instances.


regarding failover.  rather than go into it here, these KBs might answer your questions regarding it.  i'm including HA for grins and giggles...as if you don't already have enough information to assimilate!!!

Failover within the sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828

HA between two sonicwalls, by the way, you can configure internet failover in a HA configuration:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6234
gpsocsAuthor Commented:
So right now just "VPN 2" (AT&T, which is to be backup within the next few days) is active.  So essentially each node is just that, a node in the mesh.  We have, therefore at the Main Office router 10.10.11.1 and, in this example, 10.10.12.1 as the router at the other site with the HDX unit out there being at 10.10.12.50.  You can presently cut the larger router icon out of the mix as I currently am only dealing with the AT&T provided Cisco routers hooked to switches.
gpsocsAuthor Commented:
So example path: Office 1 HDX <-> Router <-> Internet <-> SonicWALL TZ 180 <-> 10.10.11.1 <-> 10.10.12.1 <-> 10.10.12.50
digitapCommented:
whatever network the sonicwall does not know about, you simply create the route for that network and specify the gateway as being the router that DOES know about that subnet.  as long as the router has an interface on the LAN subnet which the sonicwall does know about, it will find the path just fine.
gpsocsAuthor Commented:
<sigh> So sorry to make you work for this one.  :)

So I'm looking here Gateway and I Add an Address Object:
Zone Assignment appears to obviously be LAN.  
Type... hrm, I could see it being a host in terms of directing traffic to that router at the Main Office, which is 10.10.11.1 OR I could see it being Network and the 10.10.12.0/24 network...  I'm sure I'm overthinking here now being about 2AM.

So then the same on the Destination, what am I looking at for that there?  I'm assuming Network for that one and probably Host for the previous Gateway option.

And yes, the LAN on the TZ 180 is directly connected to a Cisco switch which is hooked into the AT&T Cisco router 10.10.11.1.
digitapCommented:
so, you want the destination to be the network on the other side of att connection and the gateway to be the att router.  sorry to cut off...hope it works. time for me and my pregnant wife to go to bed...12a here.  i'll be back at it in a few hours.
gpsocsAuthor Commented:
Yeah, that's it.  The destination is the 10.10.12.50 for now being the HDX over there or just generally the 10.10.12.0/24 network and the gateway on the Main Office side out to the VPN cloud is 10.10.11.1.

Understood.  I'm crashing out now as well.  4 kids and a plethora of other stuff so I know what you're going through. ;)  Yeah, I have to have this all in place in the morning after a 2 hour drive to the main site so I'm trying to get my ducks in a row before I set out.

The last thing I have to figure out is how in the heck I'm going to get a block of IPs on the current Internet we have in place vs the new one we're supposed to already have in place that has a very large c block of ips assigned.  <sigh>
digitapCommented:
hehehe...you really do understand! so, are the public ips non-contiguous?  typically, you just assign a public ip, configure the subnet mask and that's it.  what makes this batch of ips so challenging?
gpsocsAuthor Commented:
What makes it challenging at the moment is whether we even have one for this particular Internet connection we're using atm... :\  The other connection hasn't been dropped in the Main Office yet.  Blah.
digitapCommented:
oh...so, you are going from a crappy Internet connection to a better one?  sorry, must have stayed up too late.
gpsocsAuthor Commented:
Yeah, but I don't know how "crappy" crappy is actually until I can talk to someone who knows it since it's provided by the office building owners.  Blah.  I don't even have a good handle on the previous topology yet since I came into this midstream and am effectively tearing down and rebuilding as I go.  LOL

I'm wondering about buying a small block temporarily for this existent situation until we get the long term conn in place...  I just wish I could get a hold of someone at this point on site.

So yeah, I need to get those address objects config'd properly from our discussion last night.  Are you able to give me a little closer insight to the Destination and Gateway now that I've provided that information as well as how the Add Address Object dialog will be config'd for each of those two?  I think if I have that I'll be good.
gpsocsAuthor Commented:
So yeah, if I could get some clarity on that, that would be great.  I'm going to ask specifically what to ask in another question as I can assign some more points since the IP issue is a separate one and I could use some additional brain share as I ask the appropriate questions and get that resolved this morning.
digitapCommented:
sure.

Source: Any
Destination: Address Object representing NETWORK 10.10.12.0/24 in the LAN zone
Service: Any
Gateway: Address Object representing HOST 10.10.11.1 in the LAN zone
Interface: LAN
Metric: 20
Leave the two check boxes unchecked.

is your LAN subnet within the 10.10.11.0/24 subnet?
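As an added illustration (not code from the thread, the poster, or SonicWALL), here is a small Python model of the lookup that the route policy above produces. It checks that the Gateway host sits on the subnet of the chosen Interface, which is the point made earlier about the AT&T router needing an interface on the LAN the firewall already knows about, and it resolves a destination by longest prefix match with the metric as tie-breaker. The LAN subnet, remote network and gateway addresses are the ones from the thread; the WAN addresses (203.0.113.x) and the `make_route`, `validate_route`, `build_table` and `next_hop` helpers are assumptions of the example.

```python
# Added example, not from the thread or from SonicWALL: a toy model of the TZ 180
# static-route policy discussed above. Addresses from the thread: LAN 10.10.11.0/24
# on X0, next hop 10.10.11.1, remote network 10.10.12.0/24. The WAN addresses
# (203.0.113.x, documentation range) are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network          # "Destination" address object (NETWORK)
    gateway: Optional[ipaddress.IPv4Address]    # "Gateway" address object (HOST); None = directly connected
    interface: str                               # "Interface" the packet leaves on (LAN = X0, WAN = X1)
    metric: int = 20                             # SonicWALL default metric noted in the thread


def make_route(dest: str, gateway: str, interface: str, metric: int = 20) -> Route:
    """Build a static route from dotted strings, as typed into the Add Route dialog."""
    return Route(ipaddress.IPv4Network(dest), ipaddress.IPv4Address(gateway), interface, metric)


# Directly connected subnets, i.e. the networks the firewall already "knows about".
CONNECTED = {
    "LAN": ipaddress.IPv4Network("10.10.11.0/24"),
    "WAN": ipaddress.IPv4Network("203.0.113.0/24"),   # placeholder, not from the page
}


def validate_route(route: Route, connected=CONNECTED) -> List[str]:
    """Return the reasons a static route cannot work; an empty list means it is usable.

    The check that matters in the thread: the gateway host must be on the subnet of
    the interface the route points at, otherwise the firewall cannot reach it directly.
    """
    if route.interface not in connected:
        return [f"unknown interface {route.interface}"]
    if route.gateway is not None and route.gateway not in connected[route.interface]:
        return [f"gateway {route.gateway} is not on {route.interface} ({connected[route.interface]})"]
    return []


def build_table(static_routes: List[Route], connected=CONNECTED) -> List[Route]:
    """Connected routes (metric 0) followed by the validated static routes."""
    table = [Route(net, None, name, 0) for name, net in connected.items()]
    for r in static_routes:
        problems = validate_route(r, connected)
        if problems:
            raise ValueError(problems[0])
        table.append(r)
    return table


STATIC_ROUTES = [
    # The route spelled out in the thread: remote network via the AT&T router on the LAN.
    make_route("10.10.12.0/24", "10.10.11.1", "LAN"),
    # Default route out the WAN (placeholder next hop).
    make_route("0.0.0.0/0", "203.0.113.1", "WAN"),
]
TABLE = build_table(STATIC_ROUTES)


def next_hop(dst: str, table: List[Route] = TABLE) -> Optional[Tuple[str, str]]:
    """Longest-prefix match, lowest metric on ties; returns (next hop, interface)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))
    return (str(best.gateway) if best.gateway is not None else "connected", best.interface)


if __name__ == "__main__":
    for host in ("10.10.12.50", "10.10.11.25", "198.51.100.7"):
        print(host, "->", next_hop(host))
    # The tempting mistake from the thread: naming the far-side router as the gateway.
    print(validate_route(make_route("10.10.12.0/24", "10.10.12.1", "LAN")))
```

Running it shows the HDX at 10.10.12.50 resolving to next hop 10.10.11.1 on LAN, a host on 10.10.11.0/24 being delivered directly, everything else going to the WAN default, and the route with 10.10.12.1 as gateway being rejected because that address is not on the LAN subnet.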
gpsocsAuthor Commented:
Yes, it is 10.10.11.0/24 on the local area network at Main Office.

Also, the IP issue is posted if you have interest.  Thanks so very much.
digitapCommented:
i am and have commented.  you're welcome and thanks for the points!