Solved

Upper Router Table Not Directing Traffic - SonicWall TZ 180

Posted on 2011-03-08
Last Modified: 2012-06-27
I have a TZ180 at the head of a network on the 10.10.11.0 subnet with the ip of 10.10.11.254.  It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN (10.10.12.0, 10.10.10.0, etc.) without issue, however presently traffic will not apparently pass back up appropriately to the 10.10.11.0 subnet devices.  This worked fine previously on a Linksys unit, so I'm assuming it is a configuration issue with the Route Policies on the TZ180 unit.  

So, for example, presently a device at 10.10.12.50 cannot pass back through 10.10.12.1, 10.10.11.1 and on to 10.10.11.254 and then out to 10.10.11.50 when 10.10.11.50's gateway is set to 10.10.11.254, but it will work when 10.10.11.50's gateway is set to 10.10.11.1, which is the VPN router.

Here are the policies that are presently set on the SonicWall:
https://img.skitch.com/20110308-gjqafbtr7dysd9gc3w1h8mwea9.jpg
Question by:gpsocs
18 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 35074262
I believe you need to add the 10.10.10.0 & 10.10.12.0 networks to the TZ and set up rules for traffic originating from those subnets.
 
LVL 33

Expert Comment

by:digitap
ID: 35074279
question: is the sonicwall managing the VPN or another router? you say, "It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN...", which makes me think that it doesn't handle the vpn, but another router does.

can you give me a better idea how the VPN is managed?

if the sonicwall isn't managing the VPN and another router is, then it might be best to put THAT router off an interface on the sonicwall giving it a different subnet, say, 10.10.15.0/24. then, you set a route on the VPN router that the sonicwall IP (whatever the interface is that the VPN router connects to, say, 10.10.15.254) is the gateway for the 10.10.11.0/24 network.
 

Author Comment

by:gpsocs
ID: 35074491
The VPN is out of our control.  It is provided and managed by AT&T (actually there are 2 of them, one from AT&T and another from TW Telecom, but I am asking another question regarding this in a moment regarding BGP routing and how to appropriately set these up so as to entirely eliminate the 10.10.x.x subnet and treat them as just connection points to the other sites).

From what AT&T and TW Telecom say they have static routes set and pass ALL traffic back and forth with no discrimination.  Unfortunately I am not aware of anything else at this point beyond this, however I certainly am more than happy to find out more information if you would like for me to go to bat with specific questions for them to better understand what they have.  TW Telecom has made it clear that they can do whatever is needed with regards to setting up the routing tables as per our needs.

So, no, the SonicWall is hands off and just sits between the Internet cloud and then also touches the VPN mesh cloud at the main office to bring Internet access into the infrastructure.

 
LVL 33

Expert Comment

by:digitap
ID: 35074862
ok, i'm going to do some thinking out loud here, so bear with me:

i think putting the LAN interface of the ATT vpn router would be the best configuration setup for you. that aside, i've set this type of routing up before and it worked, but not as consistently as putting the interface on a different subnet. of course, routing the vpn traffic out a different interface on the sonicwall makes your sonicwall a router and this might tax it beyond its current capabilities. it might be a good idea to consider a layer 3 switch that might be able to do this routing for you.

you wouldn't happen to have a layer 3 switch would you? what do you think about the sonicwall being able to handle the routing?
 

Author Comment

by:gpsocs
ID: 35075298
Well, right now this was in place at the main office when I arrived:

Cisco Router (AT&T) <-> Cisco Switch, which I've noted in the following diagram:
https://img.skitch.com/20110309-nycj5qm4gj23t6ucf63e7wtkjn.jpg

So... Presently we're not dealing with tons of traffic.  Do you think that this discussion in part then should be tied into http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26872761.html

I honestly can skip this step and move directly into this one where the VPNs are teamed if it makes more sense.

But no, I'm not sure what to think about the layer 3 switch idea at this point as I have no real metric in my mind against which to gauge its real need nor how far this TZ180 can go since it's not really doing any seemingly stateful inspections through packet analysis / inspection.
 
LVL 33

Expert Comment

by:digitap
ID: 35078835
regarding this question in particular, i believe you'd best be served by a good layer 3 switch. put the LAN of the sonicwall on a new subnet. leave your existing hosts on the LAN of the sonicwall with that IP subnet. vlan each network putting each vpn router on its own subnet. so, you'd have 4 vlans on the layer 3 switch and the switch will route between the vlans.

based on the age of the 180 and the fact that it's standard OS, i would not count on it hence the urge to get the layer 3 switch.

i've made comments in the other question you referenced above based on the information in this question and the other question.

hope that helps!
 

Author Comment

by:gpsocs
ID: 35085728
FYI the 180 has the enhanced os on it if that helps.  
 
LVL 33

Expert Comment

by:digitap
ID: 35086429
oh...wonder why i thought it was standard. anyway, you get a lot more flexibility. you could probably setup additional interfaces as WAN interfaces to get the load balance, but i don't think the sonicwall was made to load balance different "internal" interfaces. with the enhanced OS, you can get creative with your routes, but configuring the interfaces as WAN interfaces means the sonicwall will try to NAT. that's not an ideal situation.

i think i'm still rooting for the L3 switch.

Author Comment

by:gpsocs
ID: 35129972
Well folks, had an interesting change today.  They decided to eliminate the backup VPN from AT&T.  Brother.  So much for spending all of that time.

Well, now I'm back to making this work for an entirely different subnet, so I'm back to the suggestion from @kdearing, does that sound appropriate now given the scenario I've hitherto conveyed?
 

Author Comment

by:gpsocs
ID: 35131140
@kdearing & @digitap okay, so are you saying to do something like the following?

https://img.skitch.com/20110314-x7biu1p3qhm94uhg8kgam4979r.png

I guess I need some more specifics here.  What would be even better, in addition, would be if you could explain how this routing configuration works.  For example, I'm wanting traffic from 10.10.12.0 subnet to be able to both make it out to the Internet through the TZ180, and to connect to any devices on 10.10.11.0 subnet as well as back to 10.10.12.0 and 10.10.10.0.

I'm not clearly seeing the goal here with how the Source, Destination and Gateway work together in this particular scenario and with regards to what you're saying.  I think if I had this clear in my mind this would all just make complete sense and ameliorate my need for pestering.
 
LVL 33

Accepted Solution

by:
digitap earned 450 total points
ID: 35131259
your route needs to look like this:

source: 10.10.12.0/24
destination: 10.10.11.0/24
Service: any
Gateway: IP address of the router as it is on the 10.10.12.0/24 network. if it's 10.10.12.5, then that's what you'd put here. the router would get the request indicating 10.10.11.0/24 and it would know what to do with that since it manages that network.
Interface X0 or LAN

essentially, you're putting a route in here such that if a host is looking for 10.10.11.0 access, you're telling them the gateway is 10.10.12.5 (or whatever you've given that IP as).
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 50 total points
ID: 35131785
I would set the source to 'any'
That way you don't have to create multiple rules for each subnet
 
LVL 33

Expert Comment

by:digitap
ID: 35135079
yes, i agree. missed that.
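The exchange above (digitap's route policy and kdearing's "source any" refinement), as an added worked example that is not code from the thread or from SonicWall: a small model of how Source, Destination, Gateway and Interface on a policy route combine to pick a next hop. The addresses and interface names (X0 = LAN, X1 = WAN, the TZ180 at 10.10.11.254, the VPN router at 10.10.11.1, the remote subnets 10.10.12.0/24 and 10.10.10.0/24, digitap's hypothetical 10.10.12.5) come from the thread; the ISP next hop 203.0.113.1, the host 10.10.12.50 / 10.10.10.50 addresses, the policy tables and the longest-prefix matching order are this example's assumptions, not a statement of SonicOS's exact precedence rules.

```python
# Added example, not code from the thread or from SonicWall.  Models
# policy-based route selection to show why a LAN host whose default gateway
# is the firewall cannot reach a VPN subnet until the firewall itself has a
# route for that subnet pointing at the VPN router on the LAN.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")   # how "any" is modelled here (assumption)


@dataclass(frozen=True)
class RoutePolicy:
    source: IPv4Network
    destination: IPv4Network
    gateway: Optional[IPv4Address]   # None = directly connected, no next hop
    interface: str


def _net(spec: str) -> IPv4Network:
    return ANY if spec == "any" else ip_network(spec)


def policy(src: str, dst: str, gw: Optional[str], iface: str) -> RoutePolicy:
    """Build one route policy; use "any" for src/dst, None for a connected route."""
    return RoutePolicy(_net(src), _net(dst), ip_address(gw) if gw else None, iface)


def select_route(policies: List[RoutePolicy], src: str, dst: str) -> Optional[RoutePolicy]:
    """Every policy whose Source and Destination both contain the packet is a
    candidate; the most specific one wins (longest destination prefix, then
    longest source prefix).  A 0.0.0.0/0 default therefore applies only when
    nothing narrower matched, which is why a missing policy sends LAN-to-VPN
    traffic out the WAN instead of to the VPN router."""
    s, d = ip_address(src), ip_address(dst)
    matches = [p for p in policies if s in p.source and d in p.destination]
    if not matches:
        return None
    return max(matches, key=lambda p: (p.destination.prefixlen, p.source.prefixlen))


def next_hop(policies: List[RoutePolicy], src: str, dst: str) -> str:
    """Human-readable lookup result used by the comparisons below."""
    p = select_route(policies, src, dst)
    if p is None:
        return "no route"
    return f"{p.interface} via {p.gateway}" if p.gateway else f"{p.interface} (connected)"


# Topology of the original post: TZ180 at 10.10.11.254 on X0, VPN router at
# 10.10.11.1 on the same subnet.  The WAN next hop is an assumed TEST-NET-3
# address standing in for the ISP.
CONNECTED_AND_DEFAULT = [
    policy("any", "10.10.11.0/24", None, "X0"),
    policy("any", "any", "203.0.113.1", "X1"),
]

# kdearing's suggestion: source "any", one policy per remote VPN subnet,
# gateway = the VPN router as seen from the LAN.
VPN_ROUTES = [
    policy("any", "10.10.12.0/24", "10.10.11.1", "X0"),
    policy("any", "10.10.10.0/24", "10.10.11.1", "X0"),
]

# digitap's policy as written in the accepted answer (10.10.12.5 is his
# placeholder for the router's address on the 10.10.12.0/24 side), beside
# the same policy with kdearing's "any" source.
DIGITAP_ROUTE = [policy("10.10.12.0/24", "10.10.11.0/24", "10.10.12.5", "X0")]
DIGITAP_ANY_SRC = [policy("any", "10.10.11.0/24", "10.10.12.5", "X0")]


if __name__ == "__main__":
    # A reply from 10.10.11.50 (gateway .254) to a remote host at 10.10.12.50.
    print("no VPN route:  ", next_hop(CONNECTED_AND_DEFAULT, "10.10.11.50", "10.10.12.50"))
    print("with VPN route:", next_hop(CONNECTED_AND_DEFAULT + VPN_ROUTES, "10.10.11.50", "10.10.12.50"))
    # Accepted answer: only 10.10.12.0/24 sources match; 10.10.10.0/24 needs
    # either a second policy or a source of "any".
    print("digitap, from .12:", next_hop(DIGITAP_ROUTE, "10.10.12.50", "10.10.11.50"))
    print("digitap, from .10:", next_hop(DIGITAP_ROUTE, "10.10.10.50", "10.10.11.50"))
    print("any src, from .10:", next_hop(DIGITAP_ANY_SRC, "10.10.10.50", "10.10.11.50"))
```

The first lookup is the symptom from the question: with nothing narrower than the default, a packet for a private 10.10.12.x destination matches the 0.0.0.0/0 policy and is handed to the WAN interface, where it is NATed toward the ISP and dropped, so the host only works when it bypasses the firewall and points straight at 10.10.11.1. The second lookup shows the fix: once a policy with Destination 10.10.12.0/24 and Gateway 10.10.11.1 on X0 exists, the longer prefix wins and the firewall forwards on the LAN to the VPN router. The last three lookups show the difference between digitap's policy with a specific Source and kdearing's "any": the narrower source is not wrong, it simply needs one policy per originating subnet, which is the point kdearing made. A practitioner's caveat: this model ignores NAT policies, zone rules and SonicOS's own precedence details, so verify the real behaviour with a traceroute from a LAN host rather than trusting the table alone.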
 
LVL 13

Expert Comment

by:kdearing
ID: 35329448
I believe digitap and I gave valid answers to the question.
 
LVL 33

Expert Comment

by:digitap
ID: 35333240
i agree. split between http:#a35074262 and http:#a35131259.
 

Author Comment

by:gpsocs
ID: 35333590
Sorry folks, things have been crazy on my end.  The client ended up pulling out one of the VPNs (ATT) and one of the sites moved and does not have it back up yet so it became impossible to do anything following our discussions.  Most of this became invalid for me due to these abrupt surprises and so I'll just accept answers.
 
LVL 33

Expert Comment

by:digitap
ID: 35333727
respectfully, if this information is no longer needed due to events beyond your control, you can request to have the question deleted. or, if you feel the information is valuable for others on EE, then closing the question with the disposition you've chosen is appropriate. this is just for future information.


thanks for the points!