Hi,
we have multiple branch offices which we want to connect using Sonicwall router. There is a NSA-2400 at our main location and NSA220 at the remote branches.
We have a MPLS network and we want to create a backup vpn via internet. Via MPLS the packets should be transferred without a vpn connection.
Since the firewall is working zone based, depending on which route is active, the packets either enter or leave through the VPN zone or MPLS zone (X2).
How can I set this up to create access rules only once and not twice (for zones MPLS and VPN)?
Thanks
[Attached image: sonicwall.png]
Here is an example diagram below:
2. That a direct or MPLS connection exists between Site A and Site B.
3. That although a direct connection exists between Site A and Site B, traffic is passing to the other side over the VPN tunnel.
The configuration for failover
Create a probe-dependent static route to route all traffic destined to the remote MPLS network. This route would take precedence over the VPN route. The probe target should be the IP address of the MPLS router on the other side. The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor. A separate route should be created defining the path to take to reach the probe target. The Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWALL would disable the static route, thus allowing the VPN kernel routes (hidden) to take precedence.
When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.
1. Create Address Objects
Create the following address objects under Network > Address Objects and group them.
NSA 2400 LAN Network
NSA 220 LAN Network
NSA 2400 DMZ Network
NSA 220 DMZ Network
NSA 220 DMZ Gateway
NSA 2400 MPLS Router
NSA 220 MPLS Router
2. Create a Network Monitor Policy
The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor.
[Image: Network Monitor page]
3. Create Static Routes
Create a static route to route traffic to the probe target. (Network > Routing)
4. Here's How to Test
On creating the routes, traffic would be forwarded through the direct or MPLS connection. The site-to-site VPN policy would still show as up with a green light. To test whether failover and fallback is functioning as intended, perform the following:
1. Disconnect, either physically or logically, the MPLS connection.
2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
5. Re-connect the MPLS connection.
6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
7. When the probe succeeds the static route will be re-enabled automatically.
8. As the static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.
Let me know how it goes!
P.S. The images mention NSA 240 but just substitute them for NSA 220 - all applies in the same manner.
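To make the failover logic in the answer above concrete, here is a small added simulation (not SonicOS code; the SonicWALL GUI has no scripting interface, so this is an illustration of the route-selection behaviour, not a configuration). It models three routes from the procedure: the hidden VPN kernel route, the probe-dependent static route over MPLS, and the separate non-probe-dependent route to the probe target. All addresses, zone names, the policy name `mpls-probe` and the precedence numbers are constructed assumptions; the point it shows is why the route to the probe target must not itself depend on the probe, otherwise a failed probe removes the path the next probe needs in order to recover.

```python
"""Simulation of probe-dependent static route failover (MPLS primary, VPN fallback).

Added illustration only. Sample addresses are constructed (RFC 1918 / RFC 5737).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology: Site A = NSA 2400, Site B = NSA 220
SITE_B_LAN = "10.2.0.0/16"         # "NSA 220 LAN Network" address object
SITE_B_MPLS_ROUTER = "192.0.2.2"   # "NSA 220 MPLS Router" address object (probe target)


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    zone: str                      # egress zone: "MPLS" (X2) or "VPN"
    precedence: int                # lower wins once the prefix length is equal
    probe: Optional[str] = None    # Network Monitor policy this route depends on
    enabled: bool = True


class Router:
    """Minimal route table: enabled routes only, longest prefix, then precedence."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add_route(self, dest: str, zone: str, precedence: int,
                  probe: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(dest), zone, precedence, probe))

    def set_probe_state(self, probe: str, reachable: bool) -> None:
        # Every route bound to the policy is disabled when the probe fails
        # and re-enabled when it succeeds again.
        for r in self.routes:
            if r.probe == probe:
                r.enabled = reachable

    def egress_zone(self, dst: str) -> Optional[str]:
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if r.enabled and ip in r.dest]
        if not matches:
            return None
        best = min(matches, key=lambda r: (-r.dest.prefixlen, r.precedence))
        return best.zone


class NetworkMonitor:
    """Probes the target along the router's own route and records reachability."""

    def __init__(self, name: str, target: str) -> None:
        self.name = name
        self.target = target

    def probe(self, router: Router, link_up: dict[str, bool]) -> bool:
        zone = router.egress_zone(self.target)
        reachable = zone is not None and link_up.get(zone, False)
        router.set_probe_state(self.name, reachable)
        return reachable


def build_site_a() -> tuple[Router, NetworkMonitor]:
    r = Router()
    # Hidden VPN kernel route: always present, lowest precedence, used as fallback
    r.add_route(SITE_B_LAN, "VPN", precedence=100)
    # Probe-dependent static route over MPLS: wins while the probe succeeds
    r.add_route(SITE_B_LAN, "MPLS", precedence=10, probe="mpls-probe")
    # Separate route to the probe target, deliberately NOT probe-dependent
    r.add_route(SITE_B_MPLS_ROUTER + "/32", "MPLS", precedence=10)
    return r, NetworkMonitor("mpls-probe", SITE_B_MPLS_ROUTER)


def failover_sequence() -> list[Optional[str]]:
    """Replays the test steps; returns the egress zone for a Site B host after each phase."""
    router, monitor = build_site_a()
    host = "10.2.5.7"                         # constructed host on the NSA 220 LAN
    links = {"MPLS": True, "VPN": True}
    out = []
    monitor.probe(router, links); out.append(router.egress_zone(host))   # MPLS up
    links["MPLS"] = False                     # step 1: MPLS disconnected
    monitor.probe(router, links); out.append(router.egress_zone(host))   # fails over to VPN
    links["MPLS"] = True                      # step 5: MPLS reconnected
    monitor.probe(router, links); out.append(router.egress_zone(host))   # back to MPLS
    return out


if __name__ == "__main__":
    print(failover_sequence())  # ['MPLS', 'VPN', 'MPLS']
```

Running the script walks through the disconnect, failover, reconnect and fallback phases of the test procedure and reports which zone a packet to the remote LAN would leave through at each point.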