Asked by smickell

Route Sonicwall TZ215 to Draytek 2860 LAN via Draytek WAN

I have a network on 192.168.1.x consisting of a Windows DHCP server, various client devices and going out via a Sonicwall TZ215.
I am installing a VOIP system which I am putting behind a Draytek 2860n doing DHCP on LAN 192.168.2.x.
The Draytek will have its own broadband connection shortly to WAN1 but in the meantime I am setting its WAN2 port to use the existing broadband on the 1.x network. It will get a DHCP address of 192.168.1.254. This will remain in place when WAN1's broadband comes active both as a failover but also because I want to link it to the LAN objects within 1.x. I want the client PCs in 1.x to be able to access the IP phones in 2.x.
It would be much easier to put everything on the one subnet but I don't want the phones to be reliant on the Windows server in any way. Nor do I want to assign the phones static IPs.

I have not done this before and am not sure what settings I need in which router to allow 1.x to bridge over to 2.x given that the Draytek will be doing NAT behind WAN2 by default. I am not sure if I need to configure a static route, IP routed subnet, or load balance policy in the Draytek. Or perhaps a VPN. Any guidance would be appreciated.
ASKER CERTIFIED SOLUTION
masnrock
This solution is only available to members.
masnrock has made a valid point. Unless there's a specific need for the Draytek that we are unaware of, you might want to consider modifying your setup.
SOLUTION
This solution is only available to members.
I agree about the Sonicwall doing everything, but just for fun you can totally use the Draytek like you want.

The way you described it, the 2.x computers will be able to access the 1.x subnet without doing anything.
If you want 1.x computers to access 2.x, in the Sonicwall:
Make an address object for the Draytek 1.254
Add a route for the 2.x subnet to use the 1.254 address object as the gateway

Then you just have to allow this upstream connection in the Draytek. I don't use Draytek so I can't tell you exactly how to do this, but I've set this up with other routers for various reasons with success.
nappy_d raised another valid point. Were you planning to do VLANs on your switch or were you planning to get a separate switch?
ASKER

Lots of useful points here. First up, I will ditch the Draytek - less kit to worry about. Part of the reason was my greater familiarity with the Draytek, but also because I didn't realise the Sonicwall was able to do what masnrock indicated. At present Sonicwall X0 is LAN, Sonicwall X1 is WAN, the rest are unassigned. So what I will do is configure X2 as a failover WAN, plugged straight into a fibre modem; configure X3 as a DHCP server for 2.x zone and plug the new VOIP network switch into that.

I'm happy enough with configuring X2 as another WAN and configuring load balancing.

To make the Sonicwall perform DHCP on just port X3 - I'm not sure of the exact steps. At present X3-6 are mapped as a Portshield interface to X0 - I assume I take X3 out of this first? Then Interfaces > X3 - choose LAN, Static IP mode, give it an IP of 192.168.2.1 and tick HTTP management options.
Then DHCP > enable DHCP server, delete the two lease scopes currently there (must have been there by default or left as legacy by old IT provider), add Dynamic scope, tick 'interface pre-populate' and choose X3?

I assume it's possible for the Sonicwall to route between 1.x and 2.x then, but again, what are the exact steps involved? Will the device just allow this by default or do I need to add a route of some kind?

masnrock - I have a separate switch planned for the VOIP system. There is a HP 1910-24G-PoE ready to install. At present the IT network runs off a HP 1410-24G (unmanaged). Am I correct in saying that this would eliminate the need for VLANs if the switches will be operating on different subnets? (The 1920 is VLAN/QoS capable though)
Sorry for the repeated questions but the above is slightly unfamiliar territory for me.
Just showing screenshots of the steps above. It all looks OK to me but just wanting to make sure. When I added a new zone (called 'VOIP LAN') and assigned it to X3, it auto-added the access rule seen in screenshot 2. Not on-site yet to test if the rule allows access across yet.
Snap1.png
Snap2.png
It's really not too bad. You go within the DHCP server, and make sure to enable ONLY the DHCP range for the subnet of your VOIP LAN.

Yes, take X3 out of the Portshield group to X0. Correct again about the steps to make X3 a LAN port. The Sonicwall will automatically create a lease scope for DHCP. (Occasionally it may not, but that is easy to define if you need to.) Just make sure to 1) enable the DHCP server, and 2) enable the scope that reflects 2.x (leave 1.x unchecked unless you want to have the Sonicwall start to handle DHCP for the 1.x LAN as well). I don't know what the lease scopes listed are, but you can delete them if you know for sure that they are useless. Disabling them won't hurt anything; that way you can just re-enable if for some reason something happens.

Sonicwalls will generally allow routing between the subnets by default. But if you look within the Firewall rules, it will be a LAN > LAN rule if you ever need to review.

If you are going to use a separate switch for the VOIP network, there is no need for VLANs. That is absolutely correct.

You pretty much have the right idea of what to do.
Are the two LANs going to use the same connection always? Or will VOIP be using the new connection that is coming in? No right or wrong answer, just depends on you.
Also, I would not route all traffic but rather only the traffic for VoIP to x3
masnrock - the two LANs are going to use the same connection - there's more than enough bandwidth. Once the new connection is up, I might look into routing VOIP traffic exclusively via WAN x3, which I guess will be a separate question on EE :) nappy_d - I assume that is what you mean. If that WAN drops, set the devices to use WAN x1. Similarly, if the I.T. network's WAN x1 drops, the Sonicwall should fail over to WAN x3. Is this achievable? This is my final question on this topic, you guys have earned your keep by this stage.
The short answer is yes, this is achievable. And rather than type out a whole long thing, here's a link that gives you the steps: Sonicwall Failover Directions

Basic Active/Passive Failover is what is applicable in your case.
Worked a treat guys. Plugged the new switch into port X3, 2.x addresses came up just as I wanted, so I must've got the settings correct. The auto-added access rule allowed routing from 1.x to 2.x just as masnrock said it would. Very happy - thanks for everybody's input.