The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.
Course Of The Month
3 days, 5 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Sonicwall Site-To-Site, MPLS and VPN
Posted on 2013-12-19
Hi,
we have multiple branch offices which we want to connect using Sonicwall router. There is a NSA-2400 at our main location and NSA220 at the remote branches.
We have a MPLS network and we want to create a backup vpn via internet. Via MPLS the packets should be transferred without a vpn connection.
Since the firewall is working zone based, depending on which route is active, the packets either enter or leave through the VPN zone or MPLS zone (X2).
How can I set this up to create access rules only once and not twice (for zones MPLS and VPN)?
Thanks
sonicwall.png
we have multiple branch offices which we want to connect using Sonicwall router. There is a NSA-2400 at our main location and NSA220 at the remote branches.
We have a MPLS network and we want to create a backup vpn via internet. Via MPLS the packets should be transferred without a vpn connection.
Since the firewall is working zone based, depending on which route is active, the packets either enter or leave through the VPN zone or MPLS zone (X2).
How can I set this up to create access rules only once and not twice (for zones MPLS and VPN)?
Thanks
sonicwall.png
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
2
10 Comments
Did you check the "Failover and LB" under network tab.
Also create floating routes with two separate metrics and setting "Disable route when the interface is disconnected".
Thanks
Also create floating routes with two separate metrics and setting "Disable route when the interface is disconnected".
Thanks
You misunderstood. Routing is not the problem.
My problem is that I want to use the firewall to allow only specific services to specific hosts. And I want to define the rules only once, not twice for both possible ways.
My problem is that I want to use the firewall to allow only specific services to specific hosts. And I want to define the rules only once, not twice for both possible ways.
Active 4 days ago
Hi acbxyz,
I configure this exact scenario with Static Routes and Network Monitor Probes. If that sounds OK with you let me know and I'll provide the instruction.
The goal is when the primary connection between the two sites (direct or MPLS) fails, traffic would automatically be routed through a s2s VPN (policy based)...correct?
Thanks!
I configure this exact scenario with Static Routes and Network Monitor Probes. If that sounds OK with you let me know and I'll provide the instruction.
The goal is when the primary connection between the two sites (direct or MPLS) fails, traffic would automatically be routed through a s2s VPN (policy based)...correct?
Thanks!
Hi,
sorry for late response.
I've tested and read a lot more and I have to revoke the s2s as we want to use the vpn connection always for some traffic since it has more bandwidth - with worse latency and jitter, but for e.g. printer it's unimportant). So I think we need to set up the vpn with tunnel interfaces and route some services (especially 9100/tcp) that way
So routing on the main office will be:
1. source: 0.0.0.0, dest: 192.168.2.0/24, service: printing, interface: tun0, disable when interface is disconnected (checked)
2. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: X2, gateway: router mpls provider, either with probe or ospf
3. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: tun0
4. route to drop tunnel (?)
But it doesn't answer the question I have here.
Is it necessary to add the same firewall rules in LAN to MPLS and LAN to VPN as well as MPLS to LAN and VPN to LAN
sorry for late response.
I've tested and read a lot more and I have to revoke the s2s as we want to use the vpn connection always for some traffic since it has more bandwidth - with worse latency and jitter, but for e.g. printer it's unimportant). So I think we need to set up the vpn with tunnel interfaces and route some services (especially 9100/tcp) that way
So routing on the main office will be:
1. source: 0.0.0.0, dest: 192.168.2.0/24, service: printing, interface: tun0, disable when interface is disconnected (checked)
2. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: X2, gateway: router mpls provider, either with probe or ospf
3. source: 0.0.0.0, dest: 192.168.2.0/24, service: any, interface: tun0
4. route to drop tunnel (?)
But it doesn't answer the question I have here.
Is it necessary to add the same firewall rules in LAN to MPLS and LAN to VPN as well as MPLS to LAN and VPN to LAN
Active 4 days ago
First you have to answer our questions so that we can communicate on this. You still have not answered mine previously so I can only assume here, but this is what I think you are trying to achieve.
Here is a below example diagram
Before defining the methods to configure the failover, the following factors are assumed to be in place:
A separate route should be created defining the path to take to reach the probe target. Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWALL would disable the static route thus allowing the VPN kernel routes (hidden) to take precedence.
When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.
NSA 2400 LAN Network
NSA 220 LAN Network
NSA 2400 DMZ Network
NSA 220 DMZ Network
NSA 2400 DMZ Gateway
NSA 220 DMZ Gateway
NSA 2400 MPLS Router
NSA 220 MPLS Router
Network Monitor page
Network Monitor page on the NSA 2400 if target is alive
Network Monitor page on the NSA 220 if target is alive
Create a static route to pass all traffic over the direct connection with probing enabled.
1. Disconnect, either physically or logically, the MPLS connection.
2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
5. Re-connect the MPLS connection.
6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
7. When the probe succeeds the static route will be re-enabled automatically.
8. As static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.Let me know how it goes!
P.S. The images mention NSA 240 but just substitute them for NSA 220 - all applies in the same manner.
Here is a below example diagram
Before defining the methods to configure the failover, the following factors are assumed to be in place:
1. That a site to site VPN has been configured correctly and tunnel is up.
2. That a direct or MPLS connection exists between Site A and Site B.
3. That although a direct connection exists between Site A and Site B, traffic is passing to the other side over the VPN tunnel.
2. That a direct or MPLS connection exists between Site A and Site B.
3. That although a direct connection exists between Site A and Site B, traffic is passing to the other side over the VPN tunnel.
The configuration for failover
Create a probe-dependent static route to route all traffic destined to the remote MPLS network. This route would take precedence over the VPN route. The probe target should be the IP address of the MPLS router on the other side. The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor.A separate route should be created defining the path to take to reach the probe target. Network Monitor Policy would probe the target regularly. Failure of the MPLS connection would also result in the failure of the probe target. When the probe fails, SonicWALL would disable the static route thus allowing the VPN kernel routes (hidden) to take precedence.
When the probe target is reachable again, the static route would be re-enabled, forcing traffic over the MPLS connection.
1. Create Address Objects
Create the following address objects under Network > Address Objects and group them.NSA 2400 LAN Network
NSA 220 LAN Network
NSA 2400 DMZ Network
NSA 220 DMZ Network
NSA 2400 DMZ GatewayNSA 220 DMZ Gateway
NSA 2400 MPLS Router
NSA 220 MPLS Router
2. Create a Network Monitor Policy
The probe target is defined by creating a Network Monitor Policy under Network > Network Monitor.Network Monitor page
Network Monitor page on the NSA 2400 if target is alive
Network Monitor page on the NSA 220 if target is alive
3. Create Static Routes
Create a static route to route traffic to the probe target. (Network > Routing)Create a static route to pass all traffic over the direct connection with probing enabled.
4. Here's How to Test
On creating the routes traffic would be forwarded through the direct or MPLS connection. The site to site VPN policy would still show as up with a green light. To test whether failover and fallback is functioning as intended, perform the following:1. Disconnect, either physically or logically, the MPLS connection.
2. The Network Monitor policy will become inactive as the probing defined in the policy to the probe target will fail.
3. Consequent to the probe failure, the static route created to route traffic to the other side will be disabled.
4. When the static route is disabled, the VPN kernel routes will be re-enabled and traffic will be forwarded over the VPN tunnel.
5. Re-connect the MPLS connection.
6. The Network Monitor policy will become active again as the probing defined in the policy is successful.
7. When the probe succeeds the static route will be re-enabled automatically.
8. As static route takes precedence over VPN routes, traffic will again be routed through the direct or MPLS connection.Let me know how it goes!
P.S. The images mention NSA 240 but just substitute them for NSA 220 - all applies in the same manner.
Thanks for that guide, but this is what I've got working a long time.
I don't use a network probe since network routes through mpls are distributed via ospf. This is working great.
I don't use a group of network addresses because the priority isn't working correctly besides the subnet routes I get via ospf from the cisco routers of our isp.
And now I ask the fourth time in this thread, what about the firewall?
Auto-Added rules are deactivated. These always allow the whole subnets for all services. We want to configure it as "from ip", "to ip", "these services". While sonicwall is using the zones and vpn is a fixed zone, do we have to define the same rules twice per router?
I don't use a network probe since network routes through mpls are distributed via ospf. This is working great.
I don't use a group of network addresses because the priority isn't working correctly besides the subnet routes I get via ospf from the cisco routers of our isp.
And now I ask the fourth time in this thread, what about the firewall?
Auto-Added rules are deactivated. These always allow the whole subnets for all services. We want to configure it as "from ip", "to ip", "these services". While sonicwall is using the zones and vpn is a fixed zone, do we have to define the same rules twice per router?
Active 4 days ago
Yes, you'd have to do them twice. There is no way, that I know of, otherwise.
P.S. you have asked three times about Access Rules and each time you allude to a different aspects of them...it's a bit difficult to ascertain what you have been trying to ask with the way you word your questions.
P.S. you have asked three times about Access Rules and each time you allude to a different aspects of them...it's a bit difficult to ascertain what you have been trying to ask with the way you word your questions.
Ten words mightier than 1000 words with diagrams.
The nice documentation deserved some mercy.
I actually saved it for later reference. Thank you.
The nice documentation deserved some mercy.
I actually saved it for later reference. Thank you.
Featured Post
MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
- Superb Internet
- Hardware Firewalls
- Security
- Server Hardware
- Server Software
- *firewall management, *firewalls
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually.
After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month3 days, 5 hours left to enroll
695 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.