Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

sonicewall interface routing

Posted on 2015-01-28
8
Medium Priority
?
116 Views
Last Modified: 2015-02-07
We have a sonicwall NSA3500 (current firmware SonicOS Enhanced 5.9.0.2-107o)

The other day when we were transferring data from our wireless network to a file server I could not get over 10mbit. I noticed that it was bouncing the gateway! and have no idea why. 90% of the time the wireless devices are going out to the internet so no one noticed this issue.

x1 Lan1 10.10.10.x network gate 10.10.10.254
x3 Lan2 10.10.2.x network gate 10.10.2.254
Both of these interfaces go out through x0 to the internet.

IP of wireless laptop 10.10.2.168 goes out to the internet with zero issues. Can talk to anything on the 10.10.10.x network however they cant join a domain if they are on the 10.10.2.x network...seems to be bouncing the gateway to get back inside to the 10.10.10.x network Or its blocked some how.

Do I have to build a rule to prevent this? Firewalled subnet rule?
0
Comment
Question by:wlacroix
  • 5
  • 3
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40577524
Are lan1 and lan2 in different zones? Also are you sure they aren't x0 and x2? Normally x0 is lan, X1 is wan.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 40577579
They are both marked as LAN.
We also have 2 wans on this with different IPs from different providers.

x0 LAN 10.10.10.x
x1 WAN
x2 LAN 10.10.1.x (voice)
x3 LAN 10.10.2.x
x4 unassigned
x5 WAN
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40577971
if x0 and x3 are interfaces with the correct subnet masks, and they are in the same zone, then by default all communication between them should be routed. The nat rules to do this are created automatically when you create the zones, same with x1 (wan). When you add x5 (wan2) you would have to add rules to choose which traffic goes out x5 vs x1. Since the default setup of a single wan and multiple lan subnets in the same zone shouldn't have the problems you are showing, it's probably some custom nat rules causing the problem.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 3

Author Comment

by:wlacroix
ID: 40579906
Aaron, that makes total sense, I did a packet capture and test yesterday and it does NOT go out, but I have another tool that is reporting traffic on the interface and I have no idea why. I think the other tool has led me astray, because so far I cant verify it at all.
0
 
LVL 3

Accepted Solution

by:
wlacroix earned 0 total points
ID: 40584099
So I had a route on one of my other sonicwalls to move the 10.10.2.x traffic, so this was being dropped.

This rule was removed, and recreated on the other sonicwall.
After my test things seem alright now.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40584185
So you had a route in another piece of gear you didn't tell me about and that was causing the problem? Alright, and maybe next time you ask a question you can give all the details. We would have resolved this much quicker if you had explained the whole situation.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 40584557
The original sonicwall that had this stuff still had the left over route in it. I was not part of that change over.
The issue above was with the old device, which had 2 route rules in it that I was unaware of.

So here is what they did.

x3 was moved from an old gateway\sonicwall NSA3500 to a new NSA 3500 on x3, different internet providers. They were trying to minimize downtime.
they built the interface on the new device, deleted the interface on the old device then nothing worked. I was just working on the wireless side bouncing the gateway, unaware of the other ticket that was issued to move this interface to another provider.
Anyway.....
Once this interface was created on the NEW NSA 3500, and moved over nothing worked at all with regards to in\out.

the old NSA was .254, the new NSA was .253
On the .254 they had a route for 10.10.2.x that pointed to the old provider
10.10.10.x and 10.10.2.x could not talk at all, due to old route.

Once I removed the route on .254 it all started working. Then I moved back to my original ticket about the 10.10.2.x network bouncing the gateway.
We did a packet capture on .253 sonicwall
This showed me the 10.10.2.x traffic going to the x0 interface with no issues, and no traffic bouncing the gateway.

At the time this was posted I did not know about the other ticket to move the interface, my apologizes.
0
 
LVL 3

Author Closing Comment

by:wlacroix
ID: 40595456
No solution given by an outside individual, this was handled internally.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question