SD-WAN integration using backhauled internet through a Sonicwall NSA 3600 series
Posted on 2016-09-21
We're getting ready to implement an SD-WAN solution with our in-place Sonicwall NSA 3600 (running SonicOS Enhanced 220.127.116.11-20n). Our Sonicwall currently does all our packet inspection/Gateway AV/AS and application control. We're currently configured in a more or less traditional way. LAN on X0 (HQ LAN) , WAN on X1 and we've added a zone called FIBER on X4 which is a layer 2 transport service for site to site communication. We use X4 to pre-inspect branch site data before it get's access to the HQ LAN/servers or is routed to the internet.
We're re-configuring each site on the transport service to use two internet connections instead and each site will have it's own SD-WAN box. The SD-WAN provider supports "backhaul internet to HQ" so we can funnel internet traffic into our Sonicwall, like we are currently. You can configure the LAN switch ports on our SD WAN solution to be specific VLANs so we're using 2 ports for "LAN" traffic and 2 ports for "internet" traffic on the HQ unit in an attempt to "route in and route out" of the Sonicwall to get usage of it's security services.
Here's our biggest catch/complication: To get the most out of our SD-WAN's monitoring capabilities, we need to Not NAT our WAN traffic (although the SD-WAN will NAT for us before hitting the internet). Unfortunately, the Sonicwall has a default NAT rule for the WAN interface to hide your traffic behind your internet IP. You can't change it or delete it. To further complicate matters, you can't specify an interface with a default gateway unless it's part of the WAN zone. You also can't create a new zone and establish a different 0.0.0.0/0 route to get away from the NAT problem - at least not without enabling advanced routing which is far beyond my skill in networking.
It appeared Layer 2 Bridging or Layer 3 splicing (the only 2 options that seem to still exist at this stage in SonicOS) would be our solution as it bypasses the NAT issue altogether. When I called Dell Sonicwall support for clarification, I was informed, "you can't route to interfaces that are part in a bridge pair". That statement seems to be at odds with what I've read online and he further compounded it with." 'Layer 3 transparency/splice' also can't be routed to" (it says Layer 3??).
I've tried some experimenting with a TZ215 on SonicOS 5.9 but it seems like I'm fighting that model more often than I'm configuring it.
In short - for what we're trying to do, what would be the best approach that would get our FIBER LAN traffic and our HQ LAN traffic inspected through the Sonicwall, WITHOUT NAT to our "WAN" interface (or whatever we have to create) ? Pre-inspecting the branch site data before it hits the LAN is nice, but it's not absolutely required, it's definitely in the "nice to have" category. The big key is getting to our "WAN" with NAT - OFF. Individual site protocol/application traffic will already be monitored through its individual SD-WAN box so the big kicker is we can't get protocol/application breakdown from our SD-WAN for our HQ LAN because of the NAT issue.
Is there a better way to do this? Was the Dell technician correct? What's the best way to go about this?