
Sonicwall route tables

My question isn't specific to SonicWall, but I hoped the firewall pros here could offer insight. Our internal LAN is, let's say for example, 10.44.0.0/24 subnets, so 10.44.1.0, 10.44.2.0 etc. The LAN interface on the SonicWall has been configured as 10.44.0.2/29. This address is configured as the gateway on our core router. There was then a custom route added in the SonicWall for this network with a /16 mask, and the gateway is our core router's IP. Even more confusing, on the core router side the route is configured with the SonicWall as its default gateway, but the 10.44.0.0 network is configured as /30. Can anyone offer insight into why this would have been done? I only discovered the oddity while trying to set up management interfaces (another post) and discovered that we only have two available IPs between the core and the SonicWall.

Category: High End Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1 it's me again 😀, maybe some real pro can chime in as well.

    First things first, I don't have any clue why your Core Router creates a /30 route, IMHO it shouldn't if your address/netmask is configured properly.

    Side Note: Whenever I have to deal with internal Routing through Core Routers I tend to create an isolated transfer network, which is not part of the routed address block. Projected to your scenario having e.g. 192.168.0.0/24 between SNWL and Core Router and a single Route 10.44.0.0/16 to the 192.168.0.x Core Routers address.

    --Michael@BWC

  • djhurt1 Newbie ✭
    edited May 13

    @BWC


    An isolated transfer network between the two is what I think my predecessor was trying to do, but in a weird way that just adds confusion. What's confusing to me is that on the SW there is the default route for 10.44.0.0/29 and then a custom route for the same network that is /16. The /29 network is higher priority. So how would SonicWall handle two routes for the same network? Simply use the higher priority and ignore the other?

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @djhurt1 to see the whole picture list "All Types" in the Routing Table on the Firewall to have it sorted by Priority. This is how the Routing will be processed.

    You can change how the Routing is done by Network -> Routing Settings -> Prioritize routes by metric within route classes, but by default it's done like this.

    http://help.sonicwall.com/help/sw/eng/7020/25/9/0/content/Ch34_Network_Routing.038.05.html

    The general prioritization of policy routing (from high to low) is as follows:

    1. Destination, Source, Service, TOS
    2. Destination, Source, Service
    3. Destination, Source, TOS
    4. Destination, Source
    5. Destination, Service, TOS
    6. Destination, Service
    7. Destination, TOS
    8. Destination
    9. Source, Service, TOS
    10. Source, Service
    11. Source, TOS
    12. Source
    13. Service, TOS
    14. Service
    15. TOS

    The best matching policy has a better priority. I learned it the hard way by routing all from LAN Subnet to 10.0.0.0/8 via a VPN tunnel; this better matching policy killed the local LAN Subnet Route, because it has Any as Source and therefore my VPN Route was more precise.

    For each network interface a subnet route exists, which results in your /29 because this is what you defined for X0.

    Any to 10.44.0.0/29 via X0 in your case.

    --Michael@BWC
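A worked example of the ranking rule described in this answer, added here as an illustration; it is not code from the thread, from SonicWall, or from SonicOS itself. It models the 15-class table (a route is ranked by which of Destination, Source, Service and TOS it constrains) and runs two lookups: the original poster's /29 interface subnet route next to the /16 route to the core (both Destination-only, class 8), and the VPN case from this answer, where a route with Destination and Source (class 4) outranks the interface subnet route (Source Any, class 8). Assumptions are flagged in comments: the core router address 10.44.0.1, the LAN subnet 10.1.1.0/24 for the VPN case, the tie-break within one class (longest destination prefix, then longest source prefix, then table order), and the extra "Local LAN first" route, which is this example's own suggestion rather than anything stated in the thread.

```python
"""Simulate SonicOS-style policy route ranking (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # stands for "Any" in a policy route field


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    destination: Optional[str] = ANY  # CIDR or ANY
    source: Optional[str] = ANY       # CIDR or ANY
    service: Optional[str] = ANY      # service name or ANY
    tos: Optional[int] = ANY          # ToS value or ANY
    gateway: str = ""                 # next hop or interface, informational only


def route_class(r: PolicyRoute) -> int:
    """Class 1..15 from the table quoted above; a lower number wins.

    The table order is exactly the constrained fields read as a 4-bit number
    with Destination as the most significant bit: D+S+Svc+ToS -> 1111 -> class 1,
    Destination only -> 1000 -> class 8, ToS only -> 0001 -> class 15.
    A route constraining nothing (a default route) is not in the table; this
    example places it last as class 16 (assumption).
    """
    bits = ((8 if r.destination is not ANY else 0)
            | (4 if r.source is not ANY else 0)
            | (2 if r.service is not ANY else 0)
            | (1 if r.tos is not ANY else 0))
    return 16 - bits


def _prefixlen(cidr: Optional[str]) -> int:
    return ipaddress.ip_network(cidr, strict=False).prefixlen if cidr else 0


def _in(cidr: Optional[str], addr: str) -> bool:
    return cidr is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(r: PolicyRoute, dst: str, src: str, service: str, tos: int) -> bool:
    """A route matches when every field it constrains matches the packet."""
    return (_in(r.destination, dst) and _in(r.source, src)
            and (r.service is ANY or r.service == service)
            and (r.tos is ANY or r.tos == tos))


def lookup(table: List[PolicyRoute], dst: str, src: str, service: str = "", tos: int = 0) -> Optional[str]:
    """Return the name of the winning route for a packet, or None.

    Match class is compared first (the rule quoted in the answer). Within one
    class this example breaks ties by longest destination prefix, then longest
    source prefix, then table order; that tie-break is an assumption of this
    example, not verified SonicOS behaviour.
    """
    candidates = [(route_class(r), -_prefixlen(r.destination), -_prefixlen(r.source), i, r)
                  for i, r in enumerate(table) if matches(r, dst, src, service, tos)]
    return min(candidates)[-1].name if candidates else None


# Scenario 1: the thread's X0 = 10.44.0.2/29 plus a /16 policy route to the core.
# The core router address 10.44.0.1 is assumed for illustration.
OP_TABLE = [
    PolicyRoute("X0 Subnet", destination="10.44.0.0/29", gateway="X0"),
    PolicyRoute("To Core", destination="10.44.0.0/16", gateway="10.44.0.1"),
    PolicyRoute("Default", gateway="X1"),
]

# Scenario 2: the VPN lesson from the answer. LAN assumed to be 10.1.1.0/24, inside 10.0.0.0/8.
# The VPN route constrains Destination and Source (class 4), so it outranks the
# interface subnet route (Source Any, class 8) even for LAN-to-LAN traffic.
VPN_TABLE = [
    PolicyRoute("X0 Subnet", destination="10.1.1.0/24", gateway="X0"),
    PolicyRoute("VPN to 10/8", destination="10.0.0.0/8", source="10.1.1.0/24", gateway="VPN"),
]

# Same table plus a class-4 route for the local subnet (this example's suggestion, not from the thread).
VPN_TABLE_FIXED = VPN_TABLE + [
    PolicyRoute("Local LAN first", destination="10.1.1.0/24", source="10.1.1.0/24", gateway="X0"),
]

if __name__ == "__main__":
    for table, dst, src in [(OP_TABLE, "10.44.0.3", "10.44.0.2"), (OP_TABLE, "10.44.5.10", "10.44.0.2"),
                            (VPN_TABLE, "10.1.1.20", "10.1.1.10"), (VPN_TABLE_FIXED, "10.1.1.20", "10.1.1.10")]:
        print(f"{src} -> {dst}: {lookup(table, dst, src)}")
```

For the poster's table both 10.44.0.0 routes sit in class 8, so the lookup comes down to the tie-break, and a host on the /29 is reached via X0 while the rest of 10.44.0.0/16 goes to the core; for the VPN table, LAN-to-LAN traffic is pulled into the tunnel until a route that is at least as specific in class (Destination plus Source) exists for the local subnet.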

  • Aamir_Dayar SonicWall Employee

    Hi @djhurt1 ,

    Thanks for reaching out to SonicWall!

    All layer 3 and above devices have a per-port collision and broadcast domain (IP network).

    I believe this subnetting is done on the core router to assign multiple devices in one network, or this subnetting (VLSM) method is also used to avoid wastage of IP addresses in the network deployment, since there are only 2 valid IPs needed between the core router and the SonicWall.


    So how would Sonicwall handle two routes for the same network? Simply use the higher priority and ignore the other?

    For this, the priority of the route will matter, as per my experience, and the priority will be decided using Prioritizing Routes by Metric within Route Classes (sonicwall.com), as mentioned by @BWC.


    Thanks

    Aamir Dayar

  • djhurt1 Newbie ✭
    edited May 13

    @Aamir_Dayar


    Avoiding wasting IP addresses is one thing I did consider. I guess I just fail to see, in the grand scheme, how this person thought they were saving IP addresses, as theoretically everything will route "up" to the core, then the firewall. That idea is difficult for me to wrap my head around.

  • TKWITS Cybersecurity Overlord ✭✭✭

    I will jump in and just say, don't sweat trying to figure out WHY someone did something. Understanding HOW it works is more important.

    If you want to put in some thought, determine what would be the BEST AND MOST LOGICAL way to do what is trying to be accomplished. Then maybe you can make it a project and actually implement it.

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @djhurt1

    I also have a similar network & configuration, as below:

    On the L3 switch, default routing to the firewall X0 IP, for example: "ip route 0.0.0.0 0.0.0.0 10.10.55.1"

    All VLANs are created on the core switch, and no VLAN interfaces are created on the SonicWall.

    SonicWall X0 interface (LAN) configured with 10.10.55.1/24

    SonicWALL Configuration:

    1) Created address objects for the VLANs, created an address object group, and added the VLAN address objects to the group.

    2) Created address object for "VLAN Gateway":

    3) Created Static Routing in SonicWALL:


    Network Diagram: In this scenario all internal traffic is handled by the core switch, and the SonicWall handles the Internet traffic for all VLANs.

    For the above scenario I used firewall X0 to Core_Switch, a 10G interface, for the uplink.

    Let me know if this would help you to resolve your issue.
