Creating secondary gateway/WAN for redundancy
djhurt1
Enthusiast ✭✭
Our upstream provider has two gateways for redundancy. They have separate IPs. Our SonicWalls are set up for HA. I'd like to have both the provider routers attached to each SonicWall for redundancy/failover. From reading, it looks like WAN failover is what fits best for this scenario? Any other ways I should implement this?
Category: High End Firewalls
Answers
The WAN redundancy on Sonicwalls is pretty good.
You should investigate the different ways in which you can deploy it since you cannot just fail over but load balance with ratio, spillover and so on.
We also set up routing policies so that backup traffic goes over the secondary WAN interface.
You should set up the probes as well.
Kindly, S.
Hi @djhurt1
as @Halon5 mentioned, FLB (Failover & Load-Balancing) is pretty good. In your case a switch with two separate VLANs (WAN1 & WAN2) attached to your SonicWall appliances (e.g. X1 (WAN1) & X2 (WAN2)) should do the trick. If your routers have a built-in switch you're good as well. But you need Network Probes to have this working properly, because the Ethernet link of the interface is always up, which does not mean the connection is working.
On the other hand maybe SD-WAN is another option, but I would go with FLB first.
--Michael@BWC
What you both are suggesting sounds like it could fit with my scenario. It looks as if I'd have to set up two WAN ports. I have one IP address assigned to our current WAN port, and it is unique as it has our web mail server behind it, VPNs and various other permanent links. Is it possible to set up what you're proposing with a common IP address?
Hi @djhurt1
your gateways have separate IPs so you should be good. Having X1 and X2 as WAN interfaces, just make sure that both primary and backup appliance are connected to the correct switch. The public IP is bound to the HA address (active appliance), not to the individual firewall appliance. Unless you want to monitor both appliances via WAN; that would need additional addresses.
From my experience you should make sure that your VPN policies are then bound to Interface X1 instead of Zone WAN, depending on your environment of course.
--Michael@BWC
Michael,
Can you tell why you suggest VPN policies should be bound to X1? Our X1 interface is currently not assigned. I'm inexperienced with Sonicwall obviously.
Hi @djhurt1
X1 not assigned? That's not common, but my recommendation works for other WAN interfaces as well; you always should bind the VPN to the specific interface, whether it is X2, X3, etc.
This makes sure that outbound (initiating) VPN connections are assigned to the correct WAN link, whose IP is usually checked on the remote site. Or you wanna assign a specific WAN port for VPN only.
Check this out, it explains it probably better than I am able to:
Hope this helps a bit.
--Michael@BWC, (your friendly Overlord)
Michael,
The information you've provided has been very helpful! I'm looking at these things now and it appears all of our VPNs are bound to WAN. Per the info you provided, I'll have to change that. However I do have one quick question on the subject. I'm a noob with SonicOS so bear with me.
Looking under Manage-->VPN-->BaseSettings I see two policies:
WAN GroupVPN and WLAN GroupVPN.
These "appear" to be default policies and cannot be deleted on our device. One appears to be for our global VPN client users and the other is not enabled. It's odd to me that these are default and cannot be deleted. Can you elaborate on why they would be required to exist? I'm trying to get a good grasp of all the parts before I implement any changes.
@djhurt1 remember to add a static ARP entry for each IP you configured on WAN as well. This will help a lot if you configure any access rule coming from WAN to any other zone configured on WAN.
Cheers!
"There are no bugs...it's all about features..."
Hi @djhurt1
the GroupVPN policies are created by default and related to the Network -> Zones settings, you cannot uncheck the "Create GroupVPN" in Zone WAN and WLAN. If you don't need them, just disable them on the VPN settings page.
The Zone binding for these Policies isn't a big problem IMHO, because they are only used inbound and the SonicWall is acting as the responder. The VPN tunnels are initiated by the clients remotely.
About what @Luca_Fish_Pesce wrote I am not 100% d'accord, because I never configured static ARP entries; this is usually automatically handled by the NAT rules, if you translate traffic for multiple addresses to internal resources. But ARP on the WAN interface can be some other beast to fight.
--Michael@BWC
Yes I also wish to comment that in most cases the ISP will route the blocks of IPs to the firewall WAN interface IP, and thus no static ARPs are needed. Some ISPs do act differently and have a dedicated GW IP address, used on the upstream router, for the second block of public IPs. In that scenario, static ARPs and a static route are needed. I will try to find a KB article on this for us.
This question doesn't deal directly with my original question however it does fit within the scope of the project.
Digging further into the SonicWall, I'm seeing interface X0 and X2 assigned in the following address objects:
X0 IP: 10.44.255.1/255.255.255.255, Type: Host
X0 Subnet: 10.44.255.0/255.255.255.252, Type: Network
X2 IP: 10.44.255.5/255.255.255.255, Type: Host
X2 Subnet: 10.44.255.4/255.255.255.252, Type: Network
Neither of these address objects can be deleted. It seems odd to me that anyone would purposely assign such a small subnet so I'm doubtful that "we" set them this way. Are these default addresses assigned for management purposes? Neither one of these ports is connected but there are 3 NAT policies that reference these ports.
Hi @djhurt1
the objects you mentioned are automatically created and reflect the interface settings for X0 and X2. Usually such small networks are created only if there is another router (core switch) and the subnets are only used as transfer networks. But this is just a guess.
--Michael@BWC
All of the information that's been given so far has been very helpful. I think I need to get more familiar with the SonicOS itself going forward. Oddly enough, I cannot find a general guide outside of very specific "how tos". Anyone have a link to a guide to get more insight into the SonicOS that covers the basics?
Hi @djhurt1 ,
Here is some documentation on SonicOS https://www.sonicwall.com/support/technical-documentation/?language=English
You can also filter by specific document type depending on what you are looking for.
Thank you for the link. I browsed those articles previously, however I couldn't find much outside of very specific how-tos for tasks that are geared towards someone already knowledgeable of SonicOS. I think I need more explanation for objects, interfaces and generally how things flow through the device. Anything like that you're aware of?
Read everything about SonicOS 6.5 from a techdocs standpoint. We have some training on SonicWall University as well.
Hi @djhurt1 ,
For the detailed description of different topics I would prefer you to go with the admin guide as it will include a lot of detailed information.
For the admin guide for the latest gen 6 I have listed the KB below:
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Michael@BWC,
I'm wondering about this statement currently:
X1 not assigned? That's not common, but my recommendation works for other WAN interfaces as well; you always should bind the VPN to the specific interface, whether it is X2, X3, etc.
This makes sure that outbound (initiating) VPN connections are assigned to the correct WAN link, whose IP is usually checked on the remote site. Or you wanna assign a specific WAN port for VPN only.
If I bind all VPNs to the current WAN, do I need (or can I) bind it to the secondary WAN? Just double checking the details.
Hi @djhurt1
you only need to bind the VPNs on the line you want, maybe for redundancy reasons you could use multiple VPN connections to each WAN interface. Or you could distribute the VPN connections over all WAN interfaces for performance reasons.
--Michael@BWC
Michael@BWC
This is confusing to me. My understanding is that I'll need two WAN interfaces on each appliance (the upstream provider's gateways each have unique IPs). Won't my existing VPNs need to be bound to both in the event one of the provider's gateways goes down? Otherwise I'd need to manually change the binding in the event of a failure to get my VPNs back up. Perhaps I'm way off base though.
Hello DJHURT1:
When using two of our firewalls in HA, there is no requirement to have each one with unique public IP addresses on the WAN. You can configure the Network Interface on the active unit in the HA pair, and then the active unit will use that IP in production and fail over that interface to the standby unit gracefully. The VPNs will sync if you use Stateful HA. So if you have two WANs, you would have both WAN Failover and HA together. This is a very common deployment scenario.
For VPNs, Policy-Based S2S VPNs have "Zone WAN" as the binding by default, though you can specify a single WAN if you wish. This is a moot point unless the peer VPN appliance doesn't specify *both IPSec GWs* which point to the two main site firewall WAN IPs (see attached image).
I hope this helps.
JOHN_LASERSOHN
From your reply it appears that I will in fact need to configure a 2nd WAN interface then, but I can leave VPN policies set to "Zone WAN"? Our gateways internally have unique IPs but a virtual IP on the external, so that IP stays the same from the outside looking in.
Hello DJHurt - I don't think I can grasp your deployment based on text alone. I will message you with my email address at work so that you can send me a diagram, one fully labelled with every device's IP / mask / GW, so that I can properly advise you.
After speaking with another gentleman via email, this will not work for me unfortunately since both our gateway IPs are on the same subnet. I'm checking now if we have access to the whole subnet, which I doubt, but then I could subnet the block; outside of that, I'm at a loss how to make this work. Any other suggestions?
You can look up ownership of IP blocks via whois sometimes (you must expand "Detailed WHOIS Response"): https://tools.dnsstuff.com/#whois|type=ipv4&&value=67.115.118.5
If you haven't configured the 2nd WAN yet, we might need to take a look at your deployment - will you be able to provide more details?
@fmadia
It looks like we have a whole /28 subnet we can use. I can subnet this to a /29. I guess the question now is if I subnet, which solution would be easier to implement. Your latest suggestion or the original suggestion from earlier in this thread?
Getting back to this project, we have two default entries for X4 interface. I'll be changing the subnet mask during this switch. I'll assume that once I make the change on the X4 interface in Network-->Interfaces, then the X4 IP and X4 Subnet default address object entries will change automatically?
Secondly, it's possible the answer to this one is right in front of me but it's been a long day and I'm tired. Why does the X4 IP entry show the mask as all 1s and not the /28 mask specified on the interface itself?
@djhurt1 ,
Yes, once you make changes on Network | Interfaces for X4, it will automatically reflect on all default address objects and wherever those objects are used will also be updated.
X4 IP shows the subnet mask as 255.255.255.255 which is /32 as it is a host type address object. That is true for any host type address object that you create or are present by default.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Getting back to this, we can subnet our IP space so our two upstream provider gateways will be on separate networks. We have HA Active/Standby currently. We're trying to get redundancy using the 2 gateways the upstream provider has given, each having a separate IP address, so 2 provider gateways on separate networks in the event one of the provider's gateways fails. I should configure a second WAN interface for the secondary gateway. I will create a new VLAN on our current switch for the link between SonicWalls and gateways. Does this generally appear correct to achieve what I'm hoping for on the SonicWalls?
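An added Python sketch of the addressing plan the thread converges on (not SonicWall code or a SonicOS command): split the available /28 into two /29s so each provider gateway sits in its own subnet, pick a firewall WAN address in each, and derive the auto-created "<iface> IP" (host, /32) and "<iface> Subnet" objects that Shipra describes. The /28 block, gateway addresses and the X1/X2 interface names are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the /28 the thread says is available (documentation range).
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/28")
# Constructed placeholder addresses for the two upstream provider gateways.
PROVIDER_GATEWAYS = ["203.0.113.1", "203.0.113.9"]


def gateways_separated(block, gateways, new_prefix=29):
    """True when every gateway lands in a different subnet after splitting block into /new_prefix."""
    subnets = list(block.subnets(new_prefix=new_prefix))
    homes = [next(n for n in subnets if ipaddress.ip_address(gw) in n) for gw in gateways]
    return len(set(homes)) == len(homes)


def default_address_objects(iface, ip, prefixlen):
    """Model the non-deletable '<iface> IP' (Host, always /32) and '<iface> Subnet' objects."""
    intf = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    return {
        f"{iface} IP": (str(intf.ip), "255.255.255.255", "Host"),
        f"{iface} Subnet": (str(intf.network.network_address), str(intf.network.netmask), "Network"),
    }


def plan_wan_links(block, gateways, ifaces=("X1", "X2"), new_prefix=29):
    """Assign each provider gateway and one firewall WAN interface to its own subnet.

    Raises ValueError when two gateways would share a subnet, which is the
    situation that made the unsplit /28 unusable for two WAN interfaces.
    """
    if not gateways_separated(block, gateways, new_prefix):
        raise ValueError("two gateways fall into the same subnet; use a longer prefix")
    subnets = list(block.subnets(new_prefix=new_prefix))
    plan = {}
    for iface, gw in zip(ifaces, gateways):
        gw_ip = ipaddress.ip_address(gw)
        net = next(n for n in subnets if gw_ip in n)
        # First usable host that is not the gateway becomes the WAN interface IP (HA address).
        fw_ip = next(h for h in net.hosts() if h != gw_ip)
        plan[iface] = {
            "subnet": str(net),
            "gateway": str(gw_ip),
            "ip": str(fw_ip),
            "objects": default_address_objects(iface, fw_ip, net.prefixlen),
        }
    return plan


if __name__ == "__main__":
    for iface, entry in plan_wan_links(PUBLIC_BLOCK, PROVIDER_GATEWAYS).items():
        print(iface, entry)
```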