Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Creating secondary gateway/WAN for redundance

Our upstream provider has two gateways for redundancy. They have seperate Ips. Our sonicwalls are setup for HA. I'd like to have both the provider routers attached to each sonicwall for redundancy/failover. From reading, looks like Wan failover is what fits best for this scenario? Any other ways I should implement this?

Category: High End Firewalls
Reply
«1

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    as @Halon5 mentioned FLB (Failover & Load-Balancing) is pretty good, in your case a Switch with two seperate VLANs (WAN1 & WAN2) attached to your SonicWall Appliances (e.g. X1 (WAN1) & X2 (WAN2)) should do the trick. If your routers have a built-in switch you're good as well. But you need Network Probes to have this working properly, because the ethernet-link of the Interface is always up, which does not mean the connection is working.

    On the other hand maybe SD-WAN is another option, but I would with FLB first.

    --Michael@BWC

  • djhurt1djhurt1 Newbie ✭

    What you both are suggesting sounds like it could fit with my scenario. It looks as if I'd have to setup two WAN ports. I have one Ip address assigned to our current WAN port, and it is unique as it has our web mail serverbehind it, VPNs and various other permanent links. Is it possible to setup what you're proposing with a common Ip address?

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    your gateways have seperate IPs so you should be good. Having X1 and X2 as WAN Interfaces, just make sure that both primary and backup applianc is connected to correct switch. The public IP is bound to the HA-address (active appliance), not to the individual firewall appliance. Except you wan't to monitor both appliances via WAN, that that would need additional addresses.

    From my experience you should make sure that your VPN policies are then bound to Interface X1 instead of Zone WAN, depending on your environment of course.

    --Michael@BWC

  • djhurt1djhurt1 Newbie ✭

    Michael,


    Can you tell why you suggest VPN policies should be bound to X1? Our X1 interface is currently not assigned. I'm inexperienced with Sonicwall obviously.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    X1 not assigned? That's not common, but my recommendation works for other WAN interfaces as well, you always should bind the VPN to the specific Interface, whatever it is X2, X3, etc.

    This makes sure that outbound (initiating) VPN connections are assigned to the correct WAN link, which IP is usually checked on the remote site. Or you wanna assign a specific WAN port for VPN only.

    Check this out, it explains it probably better than I'am able to:


    Hope this helps a bit.

    --Michael@BWC, (your friendly Overlord)

  • djhurt1djhurt1 Newbie ✭
    edited April 13

    Michael,


    The information you've provided has been very helpful! I'm looking at these things now and it appears all of our VPNs are bound to WAN. Per the info. you provided, I'll have to change that. However I do have one quick question on the subject. I'm a noob with SonicOS so bare with me.


    Looking under Manage-->VPN-->BaseSettings I see two policies:

    WAN GroupVPN and WLAN GroupVPN.

    These "appear" to be default policies and cannot be deleted on our device. One appears to be for our global VPN client users and the other is not enabled. It's odd to me that these are default and cannot be deleted. Can you elaborate on why they would be required to exist? I'm trying to get a good grasp of all the parts before I implement any changes.

  • PescePesce SonicWall Employee

    @djhurt1 remember to add static arp per each IP you configured on WAN as well. this will help a lot if you configure any access rule coming from wan to any other zone configured on wan.


    Cheers!

    "There are no bugs...it's all about features..."

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    the GroupVPN policies are created by default and related to the Network -> Zones settings, you cannot uncheck the "Create GroupVPN" in Zone WAN and WLAN. If you don't need them, just disable them on the VPN settings page.

    The Zone binding for these Policies isn't a big problem IMHO, because they are only used inbound and the SonicWall is acting as the responder. The VPN tunnels are initiated by the clients remotely.

    About what @Luca_Fish_Pesce wrote I'am not 100% d'accord, because I never configured static arp entries, this is usually automatically handled by the NAT rules, if you translate traffic for multiple addresses to internal resources. But ARP on the WAN interface can be some other beast to fight.

    --Michael@BWC

  • Yes I also wish to comment that in most cases the ISP will route the blocks of IPs to the firewall WAN interface IP, and thus no static ARPs are needed. Some ISPs do act differently and have a dedicated GW IP address, used on the upstream router, for the second block of public IPs. In that scenario, static ARPs and a static route are needed. I will try to find a KB article on this for us.

  • djhurt1djhurt1 Newbie ✭
    edited April 15

    This question doesn't deal directly with my original question however it does fit within the scope of the project.

    Digging further into the Sonicwall. I'm seeing interface X0 and X2 assigned in the following address objects:

    X0 IP10.44.255.1/255.255.255.255 Type:Host

    X0 Subnet10.44.255.0/255.255.255.252 Type:Network

    X2 IP10.44.255.5/255.255.255.255 Type:Host

    X2 Subnet10.44.255.4/255.255.255.252 Tyep:Network


    Neither of these address objects can be deleted. It seems odd to me that anyone would purposely assign such a small subnet so I'm doubtful that "we" set them this way. Are these default address assigned or for management purposes? Neither one of these ports are connected but there is 3 NAT policies that reference these ports.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    the objects you mentioned are automatically created and reflect the interface settings for X0 and X2. Usually such small networks are created only if there is a nother router (core switch) and the subnets are only used as transfer networks. But this is just a guess.

    --Michael@BWC

  • djhurt1djhurt1 Newbie ✭

    All of the information that's been given so far has been very helpful. I think I need to get more familiar with the SonicOS itself going forward. Oddly enough, I cannot find a general guide outside of very specific "how tos". Anyone have a link to a guide to get more insight into the SonicOS that covers the basics?

  • ChrisChris Administrator
    edited April 22

    Hi @djhurt1 ,

    Here is some documentation on SonicOS https://www.sonicwall.com/support/technical-documentation/?language=English

    You can also filter by specific document type depending on what you are looking for.

    Community Manager of SonicWall. Feel free to @Chris if you have any questions or concerns about the community.

  • djhurt1djhurt1 Newbie ✭

    Thank you for the link. I browsed those articles previously however I couldn't find much outside of very specific how tos for tasks that are geared towards someone already knowledgeable of SonicOS. I think I need more explanation for Objects, interfaces and generally how things flow through the device. Anything like that you're aware of?

  • MasterRoshiMasterRoshi Moderator

    Read everything about SonicOS 6.5 form a techdocs standpoint. We have some training on SonicWall University as well.

  • NevyadithaNevyaditha Moderator

    Hi @djhurt1 ,

    For the detailed description of differnet topics I would prefer you to go with admin guide as it will include a lot of detailed information.

    For admin guide for the gen 6 latest I have listed the KB below :

    Thanks

    Nevyaditha P

    Nevyaditha P

    Technical Support Advisor, Premier Services

  • djhurt1djhurt1 Newbie ✭

    Michael@BWC,


    I'm wondering about this statement currently:

    X1 not assigned? That's not common, but my recommendation works for other WAN interfaces as well, you always should bind the VPN to the specific Interface, whatever it is X2, X3, etc.

    This makes sure that outbound (initiating) VPN connections are assigned to the correct WAN link, which IP is usually checked on the remote site. Or you wanna assign a specific WAN port for VPN only.


    If I bind all VPNs to the current WAN, do I need(or can I) bind it to the secondary WAN? Just double checking the details.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    you only need to bind the VPNs on the line you want, maybe for redundancy reasons you could use multiple VPN connections to each WAN interface. Or you could distribute the VPN connections over all WAN interfaces for performance reasons.

    --Michael@BWC

  • djhurt1djhurt1 Newbie ✭

    Michael@BWC


    This is confusing to me. My understanding is that I'll need two WAN interfaces on each appliance(upstream providers gateways each have unique Ips), won't my existing VPNs need to be bound to both in the event one of providers gateways goes down? Otherwise I'd need to manually change the binding in the event of a failure to get my VPNs back up. Perhaps I'm way off base though.

  • John_LasersohnJohn_Lasersohn Moderator
    edited May 11

    Hello DJHURT1:

    When using two of our firewalls in HA, there is no requirement to have each one with unique public IP addresses on the WAN. You can configure the Network Interface on the active unit in the HA pair, and then the active unit will use that IP in production and fail over that interface to the standby unit gracefully. The VPNs will sync if you use Stateful HA. So if you have two WANs, you would have both WAN Failover and HA together. This is a very common deployment scenario.

    For VPNs, Policy-Based S2S VPNs have "Zone WAN" as the binding by default, though you can specify a single WAN if you wish. This is a moot point unless peer VPN appliance doesn't specify *both IPSec GWs* which point to the two main site firewall WAN IPs (see attached image).

    I hope this helps.


  • djhurt1djhurt1 Newbie ✭

    JOHN_LASERSOHN


    From your reply it appears that I will in fact need to configure a 2nd WAN inteface then but I can leave VPN policies set to "Zone WAN"? Our gateways internally have unique Ips but virtual Ip on the external so that IP stays the same outside looking in.

  • Hello DJHurt - I don't think I can grasp your deployment based on text alone. I will message you with my email address at work so that you can send me a diagram, one fully labelled with every devices' IP / mask / GW, so that I can properly advise you.

  • djhurt1djhurt1 Newbie ✭

    After speaking with another gentleman via email, this will not work for me unfortunately since both our gateway Ips are on the same subnet. I'm checking now if we have access to the whole subnet, which I doubt, but then I could subnet the block but outside of that, I'm at a loss how to make this work. Any other suggestions?

  • You can look up ownership of IP blocks via whois sometimes (you must expand "Detailed WHOIS Response"): https://tools.dnsstuff.com/#whois|type=ipv4&&value=67.115.118.5

    SonicWallsInc SBC067115118000020220 (NET-67-115-118-0-1) 67.115.118.0 - 67.115.118.255
    AT&T Corp. SBCIS-SIS80 (NET-67-112-0-0-1) 67.112.0.0 - 67.127.255.255
    


  • fmadiafmadia Moderator
    @djhurt1 based on your description here, I believe you can achieve a redundant VPN tunnel if you have 2 separate WAN Interfaces by either configuring a S2S VPN and bind it to the WAN zone (which includes both X1 and X2) or else configure 2 Tunnel Interface VPNs and bind each of them to a specific interface, then based on routes priorities the traffic will be sent to either VPN 1 or VPN 2.

    If you haven't configured the 2nd WAN yet, we might need to take a look at your deployment - will you be able to provide more details?
  • djhurt1djhurt1 Newbie ✭
    edited June 8

    @fmadia

    It looks like we have a whole /28 subnet we can use. I can subnet this to a /29. I guess the question now is if I subnet, which solution would be easier to implement. Your latest suggestion or the original suggestion from earlier in this thread?

  • djhurt1djhurt1 Newbie ✭
    edited June 12

    Getting back to this project, we have two default entries for X4 interface. I'll be changing the subnet mask during this switch. I'll assume that once I make the change on the X4 interface in Network-->Interfaces, then the X4 IP and X4 Subnet default address object entries will change automatically?


    Secondly, it's possible the answer to this one is right in front of me but it's been a long day and I'm tired. Why does the X4 IP entry show the mask as all 1s' and not the /28 mask specified on the interface itself?


  • shiprasahu93shiprasahu93 Moderator

    @djhurt1 ,

    Yes, once you make changes on Network | Interfaces for X4, it will automatically reflect on all default address objects and wherever those objects are used will also be updated.

    X4 IP shows the subnet mask as 255.255.255.255 which is /32 as it is a host type address object. That is true for any host type address object that you create or are present by default.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • djhurt1djhurt1 Newbie ✭
    edited June 15

    Getting back to this we can subnet our Ip space so our two upstream providers gateways will be on seperate networks. We have HA Active/Standby currently. We're trying to get redundancy using the 2 gateways the upstream provider has given, each having a seperate Ip address, so 2 provider gateways on seperate networks in the event one of the providers gateways fail. I should configure a second WAN interface for secondary gateway. I will create a new vlan on our current switch for the link between sonicwalls and gateways. Does this generally appear correct to achieve what I'm hoping for on the soncwalls?

Sign In or Register to comment.