Upper Router Table Not Directing Traffic - SonicWall TZ 180

I have a TZ180 at the head of a network on the 10.10.11.0 subnet with the IP of 10.10.11.254.  It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN (10.10.12.0, 10.10.10.0, etc.) without issue; however, presently traffic will apparently not pass back up appropriately to the 10.10.11.0 subnet devices.  This worked fine previously on a Linksys unit, so I'm assuming it is a configuration issue with the Route Policies on the TZ180 unit.  

So, for example, presently a device at 10.10.12.50 cannot pass back through 10.10.12.1, 10.10.11.1 and on to 10.10.11.254 and then out to 10.10.11.50 when 10.10.11.50's gateway is set to 10.10.11.254, but it will work when 10.10.11.50's gateway is set to 10.10.11.1, which is the VPN router.

Here are the policies that are presently set on the SonicWall:
https://img.skitch.com/20110308-gjqafbtr7dysd9gc3w1h8mwea9.jpg
gpsocs asked:
digitap commented:
your route needs to look like this:

source: 10.10.12.0/24
destination: 10.10.11.0/24
Service: any
Gateway: IP address of the router as it is on the 10.10.12.0/24 network. If it's 10.10.12.5, then that's what you'd put here. The router would get the request indicating 10.10.11.0/24 and it would know what to do with that since it manages that network.
Interface X0 or LAN

essentially, you're putting a route in here such that if a host is looking for 10.10.11.0 access, you're telling them the gateway is 10.10.12.5 (or whatever you've given that IP as).
0
 
kdearing commented:
I believe you need to add the 10.10.10.0 & 10.10.12.0 networks to the TZ and set up rules for traffic originating from those subnets.
0
 
digitap commented:
question: is the sonicwall managing the VPN or another router? you say, "It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN...", which makes me think that it doesn't handle the vpn, but another router does.

can you give me a better idea how the VPN is managed?

if the sonicwall isn't managing the VPN and another router is, then it might be best to put THAT router off an interface on the sonicwall giving it a different subnet, say, 10.10.15.0/24. then, you set a route on the VPN router that the sonicwall IP (whatever the interface is that the VPN router connects to, say, 10.10.15.254) is the gateway for the 10.10.11.0/24 network.
0
 
gpsocs (author) commented:
The VPN is out of our control.  It is provided and managed by AT&T (actually there are 2 of them, one from AT&T and another from TW Telecom, but I am asking another question regarding this in a moment regarding BGP routing and how to appropriately set these up so as to entirely eliminate the 10.10.x.x subnet and treat them as just connection points to the other sites).

From what AT&T and TW Telecom say, they have static routes set and pass ALL traffic back and forth with no discrimination.  Unfortunately I am not aware of anything else at this point beyond this; however, I certainly am more than happy to find out more information if you would like for me to go to bat with specific questions for them to better understand what they have.  TW Telecom has made it clear that they can do whatever is needed with regards to setting up the routing tables as per our needs.

So, no, the SonicWall is hands off and just sits between the Internet cloud and then also touches the VPN mesh cloud at the main office to bring Internet access into the infrastructure.

0
 
digitap commented:
ok, i'm going to do some thinking out loud here, so bear with me:

i think putting the LAN interface of the ATT vpn router would be the best configuration setup for you. that aside, i've set this type of routing up before and it worked, but not as consistently as putting the interface on a different subnet. of course, routing the vpn traffic out a different interface on the sonicwall makes your sonicwall a router and this might tax it beyond its current capabilities. it might be a good idea to consider a layer 3 switch that might be able to do this routing for you.

you wouldn't happen to have a layer 3 switch would you? what do you think about the sonicwall being able to handle the routing?
0
 
gpsocs (author) commented:
Well, right now this was in place at the main office when I arrived:

Cisco Router (AT&T) <-> Cisco Switch, which I've noted in the following diagram:
https://img.skitch.com/20110309-nycj5qm4gj23t6ucf63e7wtkjn.jpg

So... Presently we're not dealing with tons of traffic.  Do you think that this discussion in part then should be tied into http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26872761.html

I honestly can skip this step and move directly into this one where the VPNs are teamed if it makes more sense.

But no, I'm not sure what to think about the layer 3 switch idea at this point as I have no real metric in my mind against which to gauge its real need nor how far this TZ180 can go since it's not really doing any seemingly stateful inspections through packet analysis / inspection.
0
 
digitap commented:
regarding this question in particular, i believe you'd best be served by a good layer 3 switch. put the LAN of the sonicwall on a new subnet. leave your existing hosts on the LAN of the sonicwall with that IP subnet. vlan each network putting each vpn router on its own subnet. so, you'd have 4 vlans on the layer 3 switch and the switch will route between the vlans.

based on the age of the 180 and the fact that it's standard OS, i would not count on it hence the urge to get the layer 3 switch.

i've made comments in the other question you referenced above based on the information in this question and the other question.

hope that helps!
0
 
gpsocs (author) commented:
FYI the 180 has the enhanced os on it if that helps.  
0
 
digitap commented:
oh...wonder why i thought it was standard. anyway, you get a lot more flexibility. you could probably set up additional interfaces as WAN interfaces to get the load balance, but i don't think the sonicwall was made to load balance different "internal" interfaces. with the enhanced OS, you can get creative with your routes, but configuring the interfaces as WAN interfaces means the sonicwall will try to NAT. that's not an ideal situation.

i think i'm still rooting for the L3 switch.
0
 
gpsocs (author) commented:
Well folks, had an interesting change today.  They decided to eliminate the backup VPN from AT&T.  Brother.  So much for spending all of that time.

Well, now I'm back to making this work for an entirely different subnet, so I'm back to the suggestion from @kdearing, does that sound appropriate now given the scenario I've hitherto conveyed?
0
 
gpsocs (author) commented:
@kdearing & @digitap okay, so are you saying to do something like the following?

https://img.skitch.com/20110314-x7biu1p3qhm94uhg8kgam4979r.png

I guess I need some more specifics here.  What would be even better, in addition, would be if you could explain how this routing configuration works.  For example, I'm wanting traffic from 10.10.12.0 subnet to be able to both make it out to the Internet through the TZ180, and to connect to any devices on 10.10.11.0 subnet as well as back to 10.10.12.0 and 10.10.10.0.

I'm not clearly seeing the goal here with how the Source, Destination and Gateway work together in this particular scenario and with regards to what you're saying.  I think if I had this clear in my mind this would all just make complete sense and ameliorate my need for pestering.
0
 
kdearing commented:
I would set the source to 'any'.
That way you don't have to create multiple rules for each subnet.
0
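To make the Source / Destination / Gateway / Interface fields concrete (the route digitap spelled out above and kdearing's "source: any" refinement), here is a small route-table model written for this page. It is an added example, not the thread's own configuration and not SonicWall code: the interface names X0/X1, the ISP gateway 203.0.113.1, the host addresses 10.10.11.50/10.10.12.50/10.10.10.20 and the Internet address 198.51.100.7 are constructed; only the 10.10.x.x subnets and the 10.10.11.1 / 10.10.11.254 addresses come from the thread. The model assumes the SonicWall's LAN (X0) is 10.10.11.0/24 and that the VPN router 10.10.11.1 sits on that LAN.

```python
"""Toy policy-route lookup modelled on the thread's topology (added example).

Assumptions (constructed, not from the thread): X0 = SonicWall LAN interface
holding 10.10.11.254/24, X1 = WAN interface, ISP gateway 203.0.113.1.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    source: IPv4Network             # packet source must fall inside this network
    destination: IPv4Network        # packet destination must fall inside this network
    gateway: Optional[IPv4Address]  # next hop; None means "directly connected"
    interface: str                  # interface the packet leaves on


# Directly connected networks (hypothetical interface name).
CONNECTED = {"X0": ip_network("10.10.11.0/24")}

# Default route: anything not matched elsewhere goes out the WAN (constructed gateway).
DEFAULT = Route(ANY, ANY, ip_address("203.0.113.1"), "X1")

VPN_ROUTER = ip_address("10.10.11.1")  # from the thread: the VPN router on the LAN

# The routes the thread converges on: remote VPN subnets are reached via the
# VPN router, which is on the LAN, so they must leave X0 and not the WAN.
VPN_ROUTES_ANY_SOURCE = [
    Route(ANY, ip_network("10.10.12.0/24"), VPN_ROUTER, "X0"),
    Route(ANY, ip_network("10.10.10.0/24"), VPN_ROUTER, "X0"),
]

# Same destinations, but source restricted to the LAN only (for comparison).
VPN_ROUTES_LAN_SOURCE = [
    Route(ip_network("10.10.11.0/24"), ip_network("10.10.12.0/24"), VPN_ROUTER, "X0"),
    Route(ip_network("10.10.11.0/24"), ip_network("10.10.10.0/24"), VPN_ROUTER, "X0"),
]


def lookup(table, src, dst):
    """Return (interface, gateway-or-None) for a packet, or None if unroutable.

    Directly connected destinations are delivered on their interface. Otherwise
    every rule whose Source and Destination both contain the packet is a
    candidate, and the most specific destination wins (then most specific
    source, then table order). This is the usual policy-route behaviour."""
    src, dst = ip_address(src), ip_address(dst)
    for iface, net in CONNECTED.items():
        if dst in net:
            return (iface, None)
    best = None
    for r in table:
        if src in r.source and dst in r.destination:
            key = (r.destination.prefixlen, r.source.prefixlen)
            if best is None or key > best[0]:
                best = (key, r)
    if best is None:
        return None
    return (best[1].interface, str(best[1].gateway))


def reply_without_vpn_routes():
    """10.10.11.50 (gateway 10.10.11.254) answers 10.10.12.50 with only a default route."""
    return lookup([DEFAULT], "10.10.11.50", "10.10.12.50")


def reply_with_vpn_routes():
    """Same reply once the remote subnets are routed via 10.10.11.1 on X0."""
    return lookup(VPN_ROUTES_ANY_SOURCE + [DEFAULT], "10.10.11.50", "10.10.12.50")


def remote_site_to_internet():
    """A remote-site host still reaches the Internet through the WAN default route."""
    return lookup(VPN_ROUTES_ANY_SOURCE + [DEFAULT], "10.10.12.50", "198.51.100.7")


def site_to_site(table):
    """A packet from 10.10.10.0 headed for 10.10.12.0 that arrives at the SonicWall."""
    return lookup(table + [DEFAULT], "10.10.10.20", "10.10.12.50")


if __name__ == "__main__":
    print("no VPN routes, LAN reply ->", reply_without_vpn_routes())
    print("VPN routes, LAN reply    ->", reply_with_vpn_routes())
    print("remote site to Internet  ->", remote_site_to_internet())
    print("site-to-site, source any ->", site_to_site(VPN_ROUTES_ANY_SOURCE))
    print("site-to-site, source LAN ->", site_to_site(VPN_ROUTES_LAN_SOURCE))
```

The first case is the symptom in the question: with no route for 10.10.12.0/24, the reply from 10.10.11.50 matches only the default route and leaves on the WAN, so the remote host never sees it; setting 10.10.11.50's gateway to 10.10.11.1 bypasses the SonicWall entirely, which is why that works. The last two cases show kdearing's point: with Source restricted to the LAN subnet, a packet from another VPN site falls through to the default route, while Source "any" covers it with the same two destination rules.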
 
digitap commented:
yes, i agree. missed that.
0
 
kdearing commented:
I believe digitap and I gave valid answers to the question.
0
 
digitap commented:
i agree. split between http:#a35074262 and http:#a35131259.
0
 
gpsocs (author) commented:
Sorry folks, things have been crazy on my end.  The client ended up pulling out one of the VPNs (ATT) and one of the sites moved and does not have it back up yet so it became impossible to do anything following our discussions.  Most of this became invalid for me due to these abrupt surprises and so I'll just accept answers.
0
 
digitap commented:
respectfully, if this information is no longer needed due to events beyond your control, you can request to have the question deleted. or, if you feel the information is valuable for others on EE, then closing the question with the disposition you've chosen is appropriate. this is just for future information.


thanks for the points!
0
Question has a verified solution.