Second Sonicwall on same LAN segment

We have a Sonicwall 3600 with the LAN interface configured for 192.168.44.254.  This firewall is managed by a third party and that is not going to change anytime soon.  Have purchased a second Sonicwall (TZ400) to connect to a new fiber circuit.  Intention is to move a group of users to the new Sonicwall which will also give us autonomy in managing what we need in a timely manner. There is one problem - we still need to access resources through a VPN which is configured on the 3600.  The third party vendor will not configure a second site to site VPN for us.  So this is what they are proposing:
- Configure the new Sonicwall LAN interface to 192.168.44.253 and connect it to the existing 192.168.44.0 network. Change the default gateway of the computers to 44.253 and enter a static route to reach the VPN via the 44.254 address. Sounds fine in theory, not sure it's the best way to tackle this problem however.

The problem is when we connect the new Sonicwall to the 44.0 network, all traffic routes through the 3600 via 192.168.44.254.  We removed the static route and uplink cable and everything returns to normal routing through 44.253 and out the proper WAN connection.

1) Is it possible that the two Dell PowerConnect switches we are using are providing dynamic routing through 44.254 even though the gateway of the computers is set to 44.253? These are just layer 2 switches.
2) Is there another configuration that would be preferable?

Thank you!
Asked by Webcc
gheist commented:
You need to disable one of two conflicting DHCP servers.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The 3600 is still connected to the Internet to supply the VPN, but you want to use the new fiber as "main" internet connection, I suppose?

» Configure the new Sonicwall LAN interface to 192.168.44.253  -- ok
» connect it to existing 192.168.44.0 network  -- ok
» Change the default gateway of the computers to 44.253  -- ok
» enter a static route to reach the VPN via the 44.254 address  -- should be done on the TZ only.

This being a static config, everything is fine. "The problem is when we connect the new Sonicwall to the 44.0 network, all traffic routes through the 3600 via 192.168.44.254." This is not possible if the TZ is the default gateway. The switches should not be involved at all.
"We removed the static route" - what exactly was that route? Did you check on clients whether they had two default gateways (wrong)?
Is DHCP configured? And which device is the server then?
davorin commented:
Agree with Qlemo.
Probably there is (was) something wrong with static route on TZ400 (192.168.44.253).
In the rule you should define just the network of the remote VPN site to be routed over 192.168.44.254. The suggested setup must work.
Webcc (author) commented:
Yes, I want to separate this subnet (except for the VPN) and have it use the fiber circuit.

Disconnected the uplink cable to the 44.0 network and removed the static route. Can run just fine through the new Sonicwall and out the fiber circuit. We are testing with just one computer with the IP configuration set statically, using 192.168.44.253 as the default gateway. Then when we connect the uplink cable to the 44.0 network, after maybe 10 minutes or so the traffic begins to flow through the 3600 (44.254). Keep checking the WAN connection and doing a tracert and whatismyip to confirm.

DHCP has been disabled and is only running on our Windows server. The test computer, as I said, is set up statically.

Strangest thing.
davorin commented:
What does this precisely mean "Then when we connect the uplink cable to the 44.0 network"?
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Sounds like a dynamic route update, using RIP or similar protocols. The device dealing with the uplink is responsible for doing that.
Can you see whether the default gateway changes on the SonicWall or the clients?
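One way to test the dynamic-routing hypothesis above is to look at what is actually on the wire rather than at the GUI of either firewall. The following is an added example, not code from this thread, from SonicWall or from the switch vendor: a small RIPv2 decoder that takes the UDP payloads captured on port 520 on the LAN segment and lists every sender that advertises a reachable default route (0.0.0.0/0). The packet bytes at the bottom are constructed to illustrate the format, not a real capture, and the choice of 192.168.44.254 as the sender and 10.10.0.0/16 as the VPN network are assumptions, not facts from the thread.

```python
"""RIPv2 response decoder (added example, not code from the thread or SonicWall).

Input is the UDP payload of packets seen on port 520 on the 192.168.44.0 segment,
e.g. extracted from a tcpdump capture. The sample packets at the bottom are
constructed for illustration; the sender 192.168.44.254 is only the thread's
suspicion, and 10.10.0.0/16 is a placeholder for the remote VPN network.
"""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple

RIP_PORT = 520        # RIP runs over UDP/520; RIPv2 responses go to multicast 224.0.0.9
RIP_REQUEST = 1
RIP_RESPONSE = 2
HEADER_LEN = 4        # command (1), version (1), must-be-zero (2)
ENTRY_LEN = 20        # AFI (2), route tag (2), address, mask, next hop, metric (4 each)
RIP_INFINITY = 16     # metric 16 means "unreachable" in RIP


def parse_ripv2_response(payload: bytes) -> List[Dict]:
    """Decode the route entries of one RIPv2 response; other commands yield []."""
    if len(payload) < HEADER_LEN or (len(payload) - HEADER_LEN) % ENTRY_LEN:
        raise ValueError("malformed RIP payload: unexpected length")
    command, version, _zero = struct.unpack("!BBH", payload[:HEADER_LEN])
    if command != RIP_RESPONSE or version != 2:
        return []                      # requests carry no routes; RIPv1 entries carry no mask
    routes = []
    for off in range(HEADER_LEN, len(payload), ENTRY_LEN):
        afi, tag, addr, mask, nexthop, metric = struct.unpack(
            "!HHIIII", payload[off:off + ENTRY_LEN])
        if afi != 2:
            continue                   # 0xFFFF is an authentication entry, anything else is unknown
        routes.append({
            "network": IPv4Network((addr, str(IPv4Address(mask))), strict=False),
            "next_hop": IPv4Address(nexthop),   # 0.0.0.0 means "via the sender itself"
            "metric": metric,
            "tag": tag,
        })
    return routes


def default_route_advertisers(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, int]]:
    """From (source_ip, payload) pairs, list senders advertising a reachable 0.0.0.0/0."""
    found = []
    for src, payload in packets:
        for r in parse_ripv2_response(payload):
            if r["network"].prefixlen == 0 and r["metric"] < RIP_INFINITY:
                found.append((src, r["metric"]))
    return found


def _entry(network: str, metric: int) -> bytes:
    """Build one RIPv2 route entry (AFI 2, tag 0, next hop 0.0.0.0); sample data only."""
    net = IPv4Network(network)
    return struct.pack("!HHIIII", 2, 0, int(net.network_address),
                       int(net.netmask), 0, metric)


# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS = [
    # What the 3600 would send if RIP advertisement were enabled on its LAN side:
    ("192.168.44.254",
     struct.pack("!BBH", RIP_RESPONSE, 2, 0)
     + _entry("0.0.0.0/0", 1)
     + _entry("10.10.0.0/16", 2)),
    # A plain "send me your whole table" request, which carries no routes:
    ("192.168.44.253",
     struct.pack("!BBH", RIP_REQUEST, 2, 0)
     + struct.pack("!HHIIII", 0, 0, 0, 0, 0, RIP_INFINITY)),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_PACKETS:
        for r in parse_ripv2_response(payload):
            print(f"{src} advertises {r['network']} metric {r['metric']}")
    print("default-route advertisers:", default_route_advertisers(SAMPLE_PACKETS))
```

To feed it real data, capture on the LAN interface with tcpdump -ni <interface> udp port 520 -w rip.pcap and hand each packet's UDP payload to parse_ripv2_response. Two caveats: if nothing shows up on port 520, also check for OSPF (IP protocol 89) before concluding there is no dynamic routing on the segment; and a capture only shows what is being advertised, not whether the TZ400 or the clients accept it.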
Webcc (author) commented:
So, I checked the PowerConnect switches (Layer 2) and turned off STP - same problem. Then I isolated the two firewalls on a Catalyst switch with the one test computer. After a few minutes, same problem. Took an unmanaged D-Link switch and plugged in the two firewalls and the test computer - worked! Let it run about 20 mins that way. Connected back to the PowerConnect switches and almost immediately I had the same problem. According to "route print" on the test computer it still shows the right default gateway of 192.168.44.253. Has to be dynamic routing on the PowerConnects and Catalyst, but they are both just layer 2 switches; didn't think they would cause routing issues. Can LLDP cause this? What am I missing here?

Thanks.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
See if you have OSPF, BGP and similar routing protocols available at the switches - you should *not*, and if they are available, they should not be enabled. The TZ should also not have those routing protocols active.

Meanwhile, a workaround is to define a "more specific default route" on the TZ. In fact, two routes:
  0.0.0.0 mask 128.0.0.0 gateway (WAN Fiber IP)
  128.0.0.0 mask 128.0.0.0 gateway (WAN Fiber IP)
Webcc (author) commented:
Why the use of the "128.0.0.0"?
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The first route is 0.0.0.0/1, and applies only to addresses 0.0.0.0 to 127.255.255.255. That is why the second route is needed.
And we do that, as those two routes are more specific than the default route, and hence are always checked first. So if the default gateway changes, or an additional default route is registered, it won't be used.
Webcc (author) commented:
Are these routes entered correctly, because they have no effect?
[Screenshot: before routes were entered] [Screenshot: routes added] Thanks.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
No. The mask is not supplied with the routes. I don't know if it is correct to have no gateway (it should be determined via the interface settings, and might be ok that way).
Webcc (author) commented:
Still not working, maybe those routes are wrong.
davorin commented:
If you look at page 217, at the top of the picture RIP route advertisement is set. What do you have set? (Looking at the pictures, you probably don't have SonicOS v5.3.) Can you check your version?

http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.3_Admin_Guide_TZ.pdf

Webcc (author) commented:
RIP and OSPF are disabled.
Will have to verify the version when I'm onsite.
Webcc (author) commented:
Firmware version:   SonicOS Enhanced 6.2.3.1-19n

Can I create routes to both giving the .253 a greater administrative distance, like 1 and .254 a value of 5?
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The SonicWall should be able to use the metric / distance setting. In Windows it does not work reliably. So yes, that could help. But not if there is some dynamic routing involved.
BTW, RIP and OSPF might be enabled on .254. I don't know if the RIP setting in .253 also prevents it from processing RIP notifications.
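To make the two routing arguments in this thread concrete (the 0.0.0.0/1 plus 128.0.0.0/1 workaround, and the metric-based alternative just discussed), here is an added example that is not from the thread and not SonicOS code. It models route selection the way a router does it: longest prefix first, then lowest metric among equal prefixes, exact ties to the entry installed first. It then compares a single static default, the two /1 routes, and the two-defaults-with-metrics variant against a default route toward 192.168.44.254 that shows up later with a better metric, which is the effect a dynamic update would have. The fiber next hop 203.0.113.1 and the remote VPN network 10.10.0.0/16 are placeholders, since the thread never gives them.

```python
"""Model of static route selection on the TZ400 (added example, not SonicOS code).

Longest prefix wins; among equal prefixes the lowest metric wins; exact ties
go to the entry installed first. 203.0.113.1 (fiber WAN next hop) and
10.10.0.0/16 (remote VPN site) are placeholders the thread never specifies.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

FIBER_GW = IPv4Address("203.0.113.1")     # placeholder: next hop on the new fiber circuit
FW_3600 = IPv4Address("192.168.44.254")   # the third-party-managed 3600 on the LAN
VPN_NET = ip_network("10.10.0.0/16")      # placeholder: network behind the 3600's VPN

Route = Tuple[IPv4Network, IPv4Address, int]   # (prefix, gateway, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the winning route for dst, or None if nothing matches."""
    addr = IPv4Address(dst)
    best = None
    for net, gw, metric in table:
        if addr not in net:
            continue
        if best is None:
            best = (net, gw, metric)
        elif net.prefixlen > best[0].prefixlen:
            best = (net, gw, metric)            # more specific prefix wins
        elif net.prefixlen == best[0].prefixlen and metric < best[2]:
            best = (net, gw, metric)            # same prefix: lower metric wins
    return best


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Gateway address a packet to dst would be sent to, as a string."""
    hit = lookup(table, dst)
    return str(hit[1]) if hit else None


def baseline_table() -> List[Route]:
    """One static default toward the fiber, plus the VPN network via the 3600."""
    return [(ip_network("0.0.0.0/0"), FIBER_GW, 1), (VPN_NET, FW_3600, 1)]


def split_default_table() -> List[Route]:
    """The /1 workaround: 0.0.0.0/1 and 128.0.0.0/1 together cover all of IPv4
    and each is more specific than any 0.0.0.0/0 that appears later."""
    return [(ip_network("0.0.0.0/1"), FIBER_GW, 1),
            (ip_network("128.0.0.0/1"), FIBER_GW, 1),
            (VPN_NET, FW_3600, 1)]


def metric_table() -> List[Route]:
    """Two defaults, the fiber preferred by a lower metric, .254 as a fallback."""
    return [(ip_network("0.0.0.0/0"), FIBER_GW, 1),
            (ip_network("0.0.0.0/0"), FW_3600, 5),
            (VPN_NET, FW_3600, 1)]


def with_injected_default(table: List[Route]) -> List[Route]:
    """Add a default toward the 3600 with a better metric than the static one,
    the effect a dynamic update (RIP, OSPF) would have on the table."""
    return table + [(ip_network("0.0.0.0/0"), FW_3600, 0)]


if __name__ == "__main__":
    for name, table in [("baseline", baseline_table()),
                        ("split /1", split_default_table()),
                        ("metric", metric_table())]:
        for dst in ("8.8.8.8", "200.1.1.1", "10.10.5.5"):
            print(f"{name:9} {dst:10} -> {next_hop(table, dst)} "
                  f"(after injection: {next_hop(with_injected_default(table), dst)})")
```

The model shows why the /1 pair is the robust choice: a learned 0.0.0.0/0, whatever its metric, can never beat a /1, so Internet traffic stays on the fiber while 10.10.0.0/16 still goes to 192.168.44.254. The metric-only approach holds as long as every default route is static, but loses to an injected default with a better metric, which is the caveat raised in the comment above.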
Webcc (author) commented:
Yes I was guessing that RIP and/or OSPF are enabled on the .254.  I can disconnect .253 SW and have a computer set to use .253 and it will still have access through the .254 just as though there was no default gateway specified on the computer.
Webcc (author) commented:
Actually, changed the default gateway on Sonicwall 2 to .252 and everything routed properly.  Giving you guys credit for the time you put in.  Still don't know exactly why unless there is a device configured for .253.  Ran IP scans and pings to that address and there is no response.  I have never setup a device with that IP.