Sonicwall Site-To-Site, MPLS and VPN
Hi,

we have multiple branch offices which we want to connect using Sonicwall router. There is a NSA-2400 at our main location and NSA220 at the remote branches.
We have a MPLS network and we want to create a backup vpn via internet. Via MPLS the packets should be transferred without a vpn connection.

Since the firewall is working zone based, depending on which route is active, the packets either enter or leave through the VPN zone or MPLS zone (X2).

How can I set this up to create access rules only once and not twice (for zones MPLS and VPN)?

Thanks
(attached diagram: sonicwall.png)


Miftaul H

Did you check "Failover and LB" under the Network tab?

Also create floating routes with two separate metrics and set "Disable route when the interface is disconnected".

Thanks

acbxyz 🇩🇪

ASKER

You misunderstood. Routing is not the problem.
My problem is that I want to use the firewall to allow only specific services to specific hosts. And I want to define the rules only once, not twice for both possible ways.

Blue Street Tech 🇺🇸

Hi acbxyz,

I configure this exact scenario with Static Routes and Network Monitor Probes. If that sounds OK with you, let me know and I'll provide the instructions.

The goal is when the primary connection between the two sites (direct or MPLS) fails, traffic would automatically be routed through a s2s VPN (policy based)...correct?

Thanks!


acbxyz 🇩🇪

ASKER

Hi,
sorry for the late response.
I've tested and read a lot more and I have to revoke the s2s, as we want to always use the VPN connection for some traffic since it has more bandwidth (with worse latency and jitter, but for e.g. printers that's unimportant). So I think we need to set up the VPN with tunnel interfaces and route some services (especially 9100/tcp) that way.
So routing on the main office will be:
1. source: 0.0.0.0, dest: 192.168.2.0/24, service: printing, interface: tun0, disable when interface is disconnected (checked)
2. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: X2, gateway: router mpls provider, either with probe or ospf
3. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: tun0
4. route to drop tunnel (?)

But it doesn't answer the question I have here.
Is it necessary to add the same firewall rules in LAN to MPLS and LAN to VPN, as well as MPLS to LAN and VPN to LAN?

ASKER CERTIFIED SOLUTION
Blue Street Tech 🇺🇸


acbxyz 🇩🇪

ASKER

Thanks for that guide, but this is what I've had working for a long time.

I don't use a network probe since the network routes through MPLS are distributed via OSPF. This is working great.
I don't use a group of network addresses because the priority isn't working correctly besides the subnet routes I get via OSPF from the Cisco routers of our ISP.

And now I ask for the fourth time in this thread: what about the firewall?
Auto-added rules are deactivated. These always allow the whole subnets for all services. We want to configure it as "from ip", "to ip", "these services". While SonicWall is using the zones and VPN is a fixed zone, do we have to define the same rules twice per router?

Blue Street Tech 🇺🇸

Yes, you'd have to do them twice. There is no way, that I know of, otherwise.

P.S. You have asked three times about Access Rules and each time you allude to a different aspect of them...it's a bit difficult to ascertain what you have been trying to ask with the way you word your questions.
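An added illustration of the accepted point (example code written for this page, not code from the thread or from SonicWall): because the egress zone is decided by whichever route is active, a rule written only for LAN to MPLS silently stops matching after failover to the VPN zone, so the safe practice is to generate the per-zone duplicates from a single "from ip, to ip, service" intent list and check both paths agree. Zone names follow the thread; the hosts and the tcp/9100 service are constructed sample values.

```python
from dataclasses import dataclass

# Zone names from the thread: LAN, the MPLS interface zone (X2) and the fixed VPN zone.
TRANSIT_ZONES = ("MPLS", "VPN")

@dataclass(frozen=True)
class Intent:
    """One policy statement the way the asker wants to write it: from ip, to ip, service."""
    src: str
    dst: str
    service: str

@dataclass(frozen=True)
class AccessRule:
    """One zone-pair access rule, the unit a zone-based firewall actually evaluates."""
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str

def expand(intent: Intent, lan_zone: str = "LAN") -> list[AccessRule]:
    """Emit the same LAN->transit rule once per transit zone (the duplication the answer describes)."""
    return [AccessRule(lan_zone, z, intent.src, intent.dst, intent.service) for z in TRANSIT_ZONES]

def egress_zone(active_path: str) -> str:
    """The winning route decides the zone: X2 (MPLS) normally, the tunnel interface (VPN) on failover."""
    return "MPLS" if active_path == "mpls" else "VPN"

def allowed(rules, from_zone, to_zone, src, dst, service) -> bool:
    """True if an explicit rule matches this zone pair, addresses and service (default deny)."""
    return any(r == AccessRule(from_zone, to_zone, src, dst, service) for r in rules)

def path_mismatches(rules, intents, lan_zone="LAN") -> list[str]:
    """Intents that are allowed via one transit zone but denied via the other: failover breakage."""
    out = []
    for i in intents:
        verdicts = {z: allowed(rules, lan_zone, z, i.src, i.dst, i.service) for z in TRANSIT_ZONES}
        if len(set(verdicts.values())) != 1:
            out.append(f"{i.src}->{i.dst} {i.service}: {verdicts}")
    return out

# Constructed sample: a print server in the main office to a printer in the branch 192.168.2.0/24.
PRINT_INTENT = Intent("192.168.1.10", "192.168.2.50", "tcp/9100")
HALF_RULES = [AccessRule("LAN", "MPLS", "192.168.1.10", "192.168.2.50", "tcp/9100")]  # written once
FULL_RULES = expand(PRINT_INTENT)  # written for both transit zones

if __name__ == "__main__":
    print("after failover, half rule set allows printing:",
          allowed(HALF_RULES, "LAN", egress_zone("vpn"), "192.168.1.10", "192.168.2.50", "tcp/9100"))
    print("mismatches in half rule set:", path_mismatches(HALF_RULES, [PRINT_INTENT]))
    print("mismatches in full rule set:", path_mismatches(FULL_RULES, [PRINT_INTENT]))
```

The same expansion applies to the reverse direction (MPLS to LAN and VPN to LAN), which needs its own intent list since each direction is a separate zone pair.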


Ten words mightier than 1000 words with diagrams.

The nice documentation deserved some mercy.

I actually saved it for later reference. Thank you.

Blue Street Tech 🇺🇸

You're welcome, glad someone appreciates the effort! jeeze! lol