Solved

Upper Router Table Not Directing Traffic - SonicWall TZ 180

Posted on 2011-03-08
18
Medium Priority
1,162 Views
Last Modified: 2012-06-27
I have a TZ180 at the head of a network on the 10.10.11.0 subnet with the IP of 10.10.11.254.  It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN (10.10.12.0, 10.10.10.0, etc.) without issue, however presently traffic will not apparently pass back up appropriately to the 10.10.11.0 subnet devices.  This worked fine previously on a Linksys unit, so I'm assuming it is a configuration issue with the Route Policies on the TZ180 unit.  

So, for example, presently a device at 10.10.12.50 cannot pass back through 10.10.12.1, 10.10.11.1 and on to 10.10.11.254 and then out to 10.10.11.50 when 10.10.11.50's gateway is set to 10.10.11.254, but it will work when 10.10.11.50's gateway is set to 10.10.11.1, which is the VPN router.

Here are the policies that are presently set on the SonicWall:
https://img.skitch.com/20110308-gjqafbtr7dysd9gc3w1h8mwea9.jpg
0
Question by:gpsocs
18 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 35074262
I believe you need to add the 10.10.10.0 & 10.10.12.0 networks to the TZ and set up rules for traffic originating from those subnets.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35074279
question: is the sonicwall managing the VPN or another router? you say, "It directs traffic fine within this subnet and down through a router (10.10.11.1) out to the VPN...", which makes me think that it doesn't handle the vpn, but another router does.

can you give me a better idea how the VPN is managed?

if the sonicwall isn't managing the VPN and another router is, then it might be best to put THAT router off an interface on the sonicwall giving it a different subnet, say, 10.10.15.0/24. then, you set a route on the VPN router that the sonicwall IP (whatever the interface is that the VPN router connects to, say, 10.10.15.254) is the gateway for the 10.10.11.0/24 network.
0
 

Author Comment

by:gpsocs
ID: 35074491
The VPN is out of our control.  It is provided and managed by AT&T (actually there are 2 of them, one from AT&T and another from TW Telecom, but I am asking another question regarding this in a moment regarding BGP routing and how to appropriately set these up so as to entirely eliminate the 10.10.x.x subnet and treat them as just connection points to the other sites).

From what AT&T and TW Telecom say they have static routes set and pass ALL traffic back and forth with no discrimination.  Unfortunately I am not aware of anything else at this point beyond this, however I certainly am more than happy to find out more information if you would like for me to go to bat with specific questions for them to better understand what they have.  TW Telecom has made it clear that they can do whatever is needed with regards to setting up the routing tables as per our needs.

So, no, the SonicWall is hands off and just sits between the Internet cloud and then also touches the VPN mesh cloud at the main office to bring Internet access into the infrastructure.

0

 
LVL 33

Expert Comment

by:digitap
ID: 35074862
ok, i'm going to do some thinking out loud here, so bear with me:

i think putting the LAN interface of the ATT vpn router would be the best configuration setup for you. that aside, i've set this type of routing up before and it worked, but not as consistently as putting the interface on a different subnet. of course, routing the vpn traffic out a different interface on the sonicwall makes your sonicwall a router and this might tax it beyond its current capabilities. it might be a good idea to consider a layer 3 switch that might be able to do this routing for you.

you wouldn't happen to have a layer 3 switch would you? what do you think about the sonicwall being able to handle the routing?
0
 

Author Comment

by:gpsocs
ID: 35075298
Well, right now this was in place at the main office when I arrived:

Cisco Router (AT&T) <-> Cisco Switch, which I've noted in the following diagram:
https://img.skitch.com/20110309-nycj5qm4gj23t6ucf63e7wtkjn.jpg

So... Presently we're not dealing with tons of traffic.  Do you think that this discussion in part then should be tied into http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26872761.html

I honestly can skip this step and move directly into this one where the VPNs are teamed if it makes more sense.

But no, I'm not sure what to think about the layer 3 switch idea at this point as I have no real metric in my mind against which to gauge its real need nor how far this TZ180 can go since it's not really doing any seemingly stateful inspections through packet analysis / inspection.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35078835
regarding this question in particular, i believe you'd best be served by a good layer 3 switch. put the LAN of the sonicwall on a new subnet. leave your existing hosts on the LAN of the sonicwall with that IP subnet. vlan each network putting each vpn router on its own subnet. so, you'd have 4 vlans on the layer 3 switch and the switch will route between the vlans.

based on the age of the 180 and the fact that it's standard OS, i would not count on it hence the urge to get the layer 3 switch.

i've made comments in the other question you referenced above based on the information in this question and the other question.

hope that helps!
0
 

Author Comment

by:gpsocs
ID: 35085728
FYI the 180 has the enhanced os on it if that helps.  
0
 
LVL 33

Expert Comment

by:digitap
ID: 35086429
oh...wonder why i thought it was standard. anyway, you get a lot more flexibility. you could probably set up additional interfaces as WAN interfaces to get the load balance, but i don't think the sonicwall was made to load balance different "internal" interfaces. with the enhanced OS, you can get creative with your routes, but configuring the interfaces as WAN interfaces means the sonicwall will try to NAT. that's not an ideal situation.

i think i'm still rooting for the L3 switch.
0
 

Author Comment

by:gpsocs
ID: 35129972
Well folks, had an interesting change today.  They decided to eliminate the backup VPN from AT&T.  Brother.  So much for spending all of that time.

Well, now I'm back to making this work for an entirely different subnet, so I'm back to the suggestion from @kdearing, does that sound appropriate now given the scenario I've hitherto conveyed?
0
 

Author Comment

by:gpsocs
ID: 35131140
@kdearing & @digitap okay, so are you saying to do something like the following?

https://img.skitch.com/20110314-x7biu1p3qhm94uhg8kgam4979r.png

I guess I need some more specifics here.  What would be even better, in addition, would be if you could explain how this routing configuration works.  For example, I'm wanting traffic from 10.10.12.0 subnet to be able to both make it out to the Internet through the TZ180, and to connect to any devices on 10.10.11.0 subnet as well as back to 10.10.12.0 and 10.10.10.0.

I'm not clearly seeing the goal here with how the Source, Destination and Gateway work together in this particular scenario and with regards to what you're saying.  I think if I had this clear in my mind this would all just make complete sense and ameliorate my need for pestering.
0
 
LVL 33

Accepted Solution

by:
digitap earned 1800 total points
ID: 35131259
your route needs to look like this:

source: 10.10.12.0/24
destination: 10.10.11.0/24
Service: any
Gateway: IP address of the router as it is on the 10.10.12.0/24 network. if it's 10.10.12.5, then that's what you'd put here. the router would get the request indicating 10.10.11.0/24 and it would know what to do with that since it manages that network.
Interface X0 or LAN

essentially, you're putting a route in here such that if a host is looking for 10.10.11.0 access, you're telling them the gateway is 10.10.12.5 (or whatever you've given that IP as).
0
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 200 total points
ID: 35131785
I would set the source to 'any'
That way you don't have to create multiple rules for each subnet
0
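To make the Source / Destination / Gateway / Interface fields in digitap's accepted route concrete, and to show why kdearing's "source: any" saves rules, here is an added example that is not from the original thread or from SonicWall. It models a route-policy table as a list of (source, destination, gateway, interface) entries and resolves a packet the way a policy-based lookup does: both the source and destination networks must contain the packet's addresses, and the most specific destination wins. The table itself is constructed: a firewall at 10.10.11.254 with its LAN on X0 (10.10.11.0/24), the VPN router at 10.10.11.1 from the question, remote sites 10.10.10.0/24 and 10.10.12.0/24, and a placeholder WAN gateway in the 203.0.113.0/24 documentation range. The Service field is omitted (taken as "any", as in the accepted answer) and the tie-break order is an assumption, not the TZ180's exact algorithm.

```python
"""Policy-based route lookup modelled on the Source / Destination / Gateway /
Interface fields of a firewall route policy.  Added example; the table below is
constructed for illustration and is not the poster's configuration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")  # the "any" address object


@dataclass(frozen=True)
class RoutePolicy:
    source: IPv4Network             # who the packet is from (ANY = no source restriction)
    destination: IPv4Network        # where the packet is going
    gateway: Optional[IPv4Address]  # next hop; None = destination is directly connected
    interface: str                  # egress interface, e.g. X0 (LAN) or X1 (WAN)


def lookup(policies: List[RoutePolicy], src: str, dst: str) -> Optional[RoutePolicy]:
    """Return the policy that forwards a packet src->dst, or None if nothing matches.

    A policy matches only if its source network contains the packet's source AND its
    destination network contains the packet's destination.  Among matches the most
    specific destination prefix wins, then the most specific source prefix
    (assumed tie-break; real firewalls also weigh metric and rule priority)."""
    s, d = ip_address(src), ip_address(dst)
    matches = [p for p in policies if s in p.source and d in p.destination]
    if not matches:
        return None
    return max(matches, key=lambda p: (p.destination.prefixlen, p.source.prefixlen))


def next_hop(policies: List[RoutePolicy], src: str, dst: str) -> Tuple[str, str]:
    """(gateway, interface) for a packet; 'direct' means no next hop is needed."""
    p = lookup(policies, src, dst)
    if p is None:
        return ("unroutable", "-")
    return ("direct" if p.gateway is None else str(p.gateway), p.interface)


# Constructed table: firewall at 10.10.11.254, LAN (X0) = 10.10.11.0/24, VPN router
# at 10.10.11.1 on that LAN.  The WAN gateway address is a placeholder.
WAN_GW = ip_address("203.0.113.1")
VPN_ROUTER = ip_address("10.10.11.1")

CONNECTED = RoutePolicy(ANY, ip_network("10.10.11.0/24"), None, "X0")  # our own LAN
DEFAULT = RoutePolicy(ANY, ANY, WAN_GW, "X1")                          # everything else -> Internet

# One rule per (source subnet, destination subnet) pair: every new site needs more rules,
# and any pair you forget silently falls through to DEFAULT.
SPECIFIC = [
    CONNECTED, DEFAULT,
    RoutePolicy(ip_network("10.10.12.0/24"), ip_network("10.10.10.0/24"), VPN_ROUTER, "X0"),
    RoutePolicy(ip_network("10.10.10.0/24"), ip_network("10.10.12.0/24"), VPN_ROUTER, "X0"),
]

# Source "any": one rule per remote destination covers every originating subnet.
WILDCARD = [
    CONNECTED, DEFAULT,
    RoutePolicy(ANY, ip_network("10.10.10.0/24"), VPN_ROUTER, "X0"),
    RoutePolicy(ANY, ip_network("10.10.12.0/24"), VPN_ROUTER, "X0"),
]


if __name__ == "__main__":
    flows = [
        ("10.10.11.50", "10.10.10.5"),      # LAN host to a remote VPN site
        ("10.10.12.50", "10.10.11.50"),     # remote site replying to a LAN host
        ("10.10.11.50", "198.51.100.10"),   # LAN host to the Internet
    ]
    for name, table in (("SPECIFIC", SPECIFIC), ("WILDCARD", WILDCARD)):
        for src, dst in flows:
            gw, iface = next_hop(table, src, dst)
            print(f"{name:8} {src:>14} -> {dst:<14} via {gw:<12} on {iface}")
```

The run shows the failure mode kdearing is avoiding: with the per-source table, a LAN host at 10.10.11.50 sending to 10.10.10.5 matches neither source-restricted rule and is handed to the WAN default route, while the "source: any" table sends it to 10.10.11.1 on X0. Return traffic to 10.10.11.0/24 is delivered directly in both tables because that subnet is connected on X0.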
 
LVL 33

Expert Comment

by:digitap
ID: 35135079
yes, i agree. missed that.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35329448
I believe digitap and I gave valid answers to the question.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35333240
i agree. split between http:#a35074262 and http:#a35131259.
0
 

Author Comment

by:gpsocs
ID: 35333590
Sorry folks, things have been crazy on my end.  The client ended up pulling out one of the VPNs (ATT) and one of the sites moved and does not have it back up yet so it became impossible to do anything following our discussions.  Most of this became invalid for me due to these abrupt surprises and so I'll just accept answers.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35333727
respectfully, if the need for this information is no longer needed due to events beyond your control, you can request to have the question deleted. or, if you feel the information is valuable for others on EE, then closing the question with the disposition you've chosen is appropriate. this is just for future information.


thanks for the points!
0

Question has a verified solution.