I'm in a bit of a pickle. We seem, to me at least, to have an overly complex network. I understand how it ended up this way but its complexity is causing all kinds of issues.
Here's the setup in words, I've attached a sanitized network map to assist.
All the firewalls referred to are sonicwalls.
Our main campus has two large buildings. They share the 192.168.100.x/255.255.255.0 network. There are way more than 254 devices. The buildings have fiber between them so they are essentially the same. But….
This same network has TWO default gateways (different firewalls) utilizing different ISPs, both are in different buildings. Hosts in both buildings use a mashup of different gateways depending on the ISP they need to use. So building A may have devices that use the DG from building B and vice versa.
Adding to this mess are the off campus sites that VPN into building B’s firewall. Those sites of course have their own subnets, their own local internet connections etc.
Building A’s firewall has routes in it so that it knows that the VPNs exist on firewall B.
To help alleviate some of the address shortage I created 192.168.103.x for my network devices.
To do this I activated an interface on firewall A with the address 192.168.103.1 and all the devices on that subnet point to that DG.
Firewall B has a route for 192.168.103.x that points to its lan interface (X0) with a DG of firewall A.
This has helped and all devices, irrespective of their DG can contact all of the other networks.
Here’s the pickle.
We need to be able to use firewall A as a backup VPN gateway for firewall B. Meaning if B’s internet goes down, all the VPN connections need to go to firewall A. This works fine. The off campus sites renegotiate and connect to firewall A without issue. But, since all the routing is static, when the sites reconnect to firewall A they can’t connect to any of the networks on firewall A because, I’m guessing, the devices they need to talk to use firewall B as a DG.
If this situation existed for hours or days I’d just change the routes (which I know works). However, this is usually a 10 or 20 minute failover and I can’t make all the changes that quick. I should think that this kind of thing is a normal failover situation that has a solution.
The bigger issue for me is that firewall A and B are in different physical locations so I can’t technically wire them together for a normal failover unless I’m missing something.
Keep in mind- these firewalls are on the same network- 192.168.100.x.
All that said here’s what I’m after:
I want to break up this network, preferably without vlans.
I’d like the firewalls to work in tandem for VPN failover without the need to manually change routes- and possibly allow workstations and servers to utilize them in the same way without all the routing issues.
Ideally I’d like the main network to be 192.168.100.x, wifi devices on 192.168.101.x and my management/devices on 192.168.103.x.
My preference is to do this without vlans. The thought of having to configure the switches port by port for a vlan worries me and I believe adds another layer of complexity.
Any thoughts, guidance, advice, direction are welcome.
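The failover symptom in the post (sites reconnect to firewall A but can't reach anything behind it) is a return-path problem: the LAN host's default gateway is still firewall B, and B's static route for the site subnet still points at its own, now dead, VPN tunnel. The following is an added illustration, not the poster's configuration or anything from SonicWall: it models the two firewalls, one LAN host and one off-campus site with constructed addresses (the 192.168.120.0/24 site subnet and the .50/.10 hosts are assumptions) and traces a packet in each direction through static routing tables in the three states the post describes: normal operation, B's internet down with routes untouched, and B's site route re-pointed at A by hand.

```python
import ipaddress

# Constructed topology loosely modelled on the post (not the poster's real
# config): two firewalls on one LAN, an off-campus site whose VPN can land
# on either firewall, and a LAN host whose default gateway is firewall B.
LAN_NET = "192.168.100.0/24"
MGMT_NET = "192.168.103.0/24"
SITE_NET = "192.168.120.0/24"          # assumed off-campus subnet

# Which node owns which address (constructed sample addresses).
ADDRESSES = {
    "host": ipaddress.ip_address("192.168.100.50"),   # LAN workstation, DG = fwB
    "site": ipaddress.ip_address("192.168.120.10"),   # device at the off-campus site
}


def build_tables(site_peer, b_site_next_hop):
    """Static routing tables as {node: [(prefix, next_hop)]}.

    site_peer:       firewall the site's tunnel currently terminates on.
    b_site_next_hop: where firewall B sends traffic for the site subnet:
                     "tunnel" (its own VPN policy route) or "fwA" (the
                     route the poster changes by hand during an outage).
    Next hops: "lan" = directly connected, "tunnel:<peer>" = VPN to <peer>,
    anything else = the name of the next-hop node on the shared LAN.
    """
    site_on_a = site_peer == "fwA"
    return {
        "site": [(LAN_NET, f"tunnel:{site_peer}"), (MGMT_NET, f"tunnel:{site_peer}")],
        "host": [("0.0.0.0/0", "fwB")],
        "fwA": [(LAN_NET, "lan"), (MGMT_NET, "lan"),
                (SITE_NET, "tunnel:site" if site_on_a else "fwB")],
        "fwB": [(LAN_NET, "lan"), (MGMT_NET, "fwA"),
                (SITE_NET, "tunnel:site" if b_site_next_hop == "tunnel" else "fwA")],
    }


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(src, dst_name, tables, tunnel, max_hops=8):
    """Forward one packet hop by hop; returns (status, path).

    tunnel is the single live VPN, given as the pair of nodes it joins.
    """
    dst = ADDRESSES[dst_name]
    node, path = src, [src]
    for _ in range(max_hops):
        if node == dst_name:
            return "delivered", path
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            return "no route", path
        if next_hop == "lan":
            node = dst_name                      # directly connected segment
        elif next_hop.startswith("tunnel:"):
            peer = next_hop.split(":", 1)[1]
            if {node, peer} != set(tunnel):
                # Static VPN route still points at a tunnel that is no longer up.
                return "dropped: tunnel down", path
            node = peer
        else:
            node = next_hop
        path.append(node)
    return "loop", path


def failover_check(site_peer, b_site_next_hop):
    """Both directions of a site <-> LAN-host flow for a given failover state."""
    tables = build_tables(site_peer, b_site_next_hop)
    tunnel = ("site", site_peer)
    return {
        "site_to_host": trace("site", "host", tables, tunnel)[0],
        "host_to_site": trace("host", "site", tables, tunnel)[0],
    }


if __name__ == "__main__":
    scenarios = [
        ("normal (VPN on B)", ("fwB", "tunnel")),
        ("B down, routes untouched", ("fwA", "tunnel")),
        ("B down, B's site route re-pointed to A", ("fwA", "fwA")),
    ]
    for label, state in scenarios:
        print(f"{label}: {failover_check(*state)}")
```

Running it shows the asymmetry: in the "routes untouched" state the site-to-host direction is delivered (the site's tunnel now lands on A, and A is directly on the LAN), but the host-to-site direction dies at firewall B, whose route for the site subnet still selects its own down tunnel. Re-pointing B's site route at A, the manual change the post says works, makes the return path host -> fwB -> fwA -> site complete. The model only captures what the post states; it does not take a position on VLANs or on how the route change might be automated.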