We have an issue at the current place that i work.
This issue is that we have 16 global offices all connected via site to site links to the Data center and main London based office.
We have no routing and no backup links should a link to a site go down.
It would be nice if we could get say South America to go to North America then to London if the links to London from South America went down.
Below is guide to get dynamic routing to run on SonicWalls via VPN Tunnels.
Poor mans MPLS network of sorts 🙂
Sonicwall routing over a VPN.
1) Setup the Lab
2) Create your VPN Tunnels
3) Create a bogus vlan interface for routing
4) Enable routing
5) Configure your Firewall
In this article we will discuss how to create a vpn tunnel and also how to enable dynamic routing over the tunnel using a sonicwall router.
Please take note that it is advised to have all sonic wall routers over firmware version 5.5 Enhanced.
The lab below consists over the equipment.
1xVMWare Esxi 5+ (I used an i7 with 8GB RAM, 500GB HDD and 2 physical nic’s)
1x Sonicwall TZ200
2x Sonicwall TZ215
1x Sonicwall NSA2400
1xCisco 2960 Switch
4x Centos min servers
Below are some pictures of what we will be creating.
I won’t be going to detail of every installation and configuration besides the sonic walls as that is outside the scope of this article.
Please use this post as a guide and NOT as a step by step how to.
Network:Step 1: Setup the lab.
Firstly you need to get a switch that can handle Vlans. In my case I have a Cisco 2960.
Next you need to map out the IP address ranges that you will be used.
This includes the LAN and WAN IP’s of each sonicwall and DHCP ranges.
Heres what I did:
The first ip of each range for lans was given to the Sonicwall LAN interface.
The first IP of each range for WANs was givento the Sonicwall WAN interface.
The Second IP for each range for WANs was given to the PFSense Interfaces.
The Second IP for ever LAN range was given to my configuration server.
Each Sonicwall will have a DHCP Range .10-.19 for its lan range.
Now you need to setup your Vlans on your Switch and assign ports to them.
DO THIS IN A LOGICAL WAY!! It can get really messy if you lose track of it!
I used port 1 for Area1 LAN and port 2 for Area1 WAN etc.
I used vlans 111,112,113,114 for LAN and vlans 101,102,103,104 for WAN.
Vlan 99 for all management tasks of the virtual infrastructure. Eg esxi server interface and pfsense web interface.
Then create a trunk port and plug it into your esxi server.
Hook up your sonicwalls now.
Make sure that you remember where each cable goes. I called each sonicwall an Area eg. Area1, Area2, Area3 and Area4.
Sonicwall Area1 x0 (LAN) interface goes into port gig 0/1 paired to vlan 111
Sonicwall Area1 x1 (WAN) interface goes into port gig 0/2 paired to vlan 101
Sonicwall Area2 x0 (LAN) interface goes into port gig 0/3 paired to vlan 112
Sonicwall Area2 x1 (WAN) interface goes into port gig 0/4 paired to vlan 102
And so on.
Note: Sonicwalls by default will check if there is a DHCP server on the network, if so it will disable its own.
Therefore you need to do the vlans first so they can’t see each other.
VMWare Install and Configuration:
You will then need to get your hands on a PC with about 4 gigs of ram and load it up with VMWare Esxi. This is a simple task so I’m not going to cover it. You need to configure 1 port to your Esxi Server for Management (I used vlan 99 for this). Then add a second port as a trunk or tagged port (Depending on the kind of switch you use).
You then need to configure 1 port to your Esxi Server for Management (I used vlan 99 for this).
Then add a second port as a trunk or tagged port (Depending on the kind of switch you use).
After you have loaded up VMware you will need to configure a new vswitch to have the 9 separate Vlans.
4 Vlans for area WAN links, 4 Vlans for area LAN links and 1 for management from outside.
See the below picture:
Make sure that this vswitch is asscosiated with the port that is configured as a trunk to your switch!
Next down load a copy of PFsense “http://www.pfsense.org” and do a basic install.
Read the screen and accept all defaults. Again this is really easy so I’m not going to cover it.
Make sure that you add 5 network cards to this machine.
Each network card needs to be assigned to the WAN vlans for the sonicwalls and 1 for the management vlans.
Make a note of with nic you assign to which network.
MAC ADDRESS – VLAN 101 – Area1SonicwallWAN
MAC ADDRESS – VLAN102 – Area2SonicwallWAN
MAC ADDRESS – VLAN 103 – Area1SonicwallWAN
MAC ADDRESS – VLAN104 – Area2SonicwallWAN
MAC ADDRESS – VLAN99 – Management
To make things a bit easier you may want to install the pfsense with only the management NIC added and then add the rest after the install has asked you to configure the management interface or WAN interface as its called technically.
Now we need to configre the PFSense box for routing and not packet filtering.
Open your web browser on your pc that is connected via the management vlan and go to the IP address that you configured for the pfsense box. (You would have to make static ip’s on your pc for this to work)
The Default username and password is “admin | pfsense”.
Now we need to assing the NIC’s to the right places.
Under “Interfaces” select “(assign)”.
Use the icon to add the interfaces.
Keep a note of which is which via the MAC addresses.
We will then need to assign them to logical names and WAN IP’s in the next part.
Now under “Interfaces” you will have all these interfaces select them 1 by 1 and configure them.
After selecting your interface check the “Enable Interface” box, this will open more options.
Change the name of the interface.
Under “Type” select “Static”.
By IP Address enter your IP address.
I used the first IP in the range for the sonicwall and the second for the PFSense box.
Eg. For Area3WAN I used 220.127.116.11 for the sonicwall and .34 for the PFSense box.
At the bottom select save and then apply the changes.
See below for an example.
Do this for all 4 WAN interfaces.
The pfsense box from now will be considered a simple router that will route for directly connected networks.
You could use a normal router and implement a router on a stick or use a layer 3 switch.
I didn’t have either to use so used this design.
We are now done with the PFSense box.
FYI: PFSense is a very versatile system and can be used for loads of network related tasks : squid proxy, vpn server, WAN load balancer, firewall and SMTP forward (that’s just a few).
Create and install 4 instances of what ever OS you want here. They will require 1 nic each on the LAN vlan for each sonicwall. I used Centos minimal server. You can leave the network cards on DCHP for this. These are used to test connectivity end to end as if there was a LAN.
Sonicwall Configuration server:
Create 1 server with 5 nics 4 nics on each LAN with static ip’s (assigned later) and 1 nic in the management interface.
I used Ubuntu 12.04 i686. I suggest that you install and config this machine with only the management network connected as we will be using this machine to configure the sonicwalls later.
Step 2: Setup your VPN Tunnels
Setup your Sonicwall:
By Default sonicwalls have a username and password of admin | password.
They also have a default IP of 192.168.168.168 with DHCP enabled on the LAN interface.
On your configuration server enable the network for Area1. It should now get and ip in the 192.168.168.x range. Open your web broswer and go to http://192.168.168.168 and login to the sonicwall.
Select “network” and then “DCHP Server”.
select the icon next to the default DHCP range.
Change this to the IP range for Area1’s LAN. (in my case it was 192.168.231.10-192.168.231.19)
Use the Lan IP of the sonicwall as the default gateway for the range after if would be changed. Eg. 192.168.231.1
Save the changes.
Now select “Interfaces” under” network”.
Configure the interfaces as needed. See the below pictures for my setup.
Create Bogus Interface for Routing:
We also need to create a bogus interface for Routing to work.
Under interfaces select “Add Interface” and configure is as the picture below. Change the IP for each sonicwall that you do.
THEY NEED TO BE ON THE SAME SUBNET!
Eg. Area1 = 10.0.1.1, Area2 = 10.0.1.2, Area3 = 10.0.1.3 etc…
Setup the other soniwalls as instructed using their respective IP’s
Lets create the VPN now.
Under “VPN” Select “Settings”. Click “add” to make a new VPN.
Under Policy Type select Tunnel Interface (This is important.)
The gateway needs to be remote WAN ip of the sonicwall your connecting to.
In this case its Area1 to Area3 see picture below.
Add in your Shared key and identification names. I like Firewall Identifier sometime called sonicwall identifier.
Under Advanced select “Allow Advanced Routing” (This is important.)
Under “VPNPolicy bound to” select the wan interface.
See below pictures:
Lets now complete this tunnel on Area 3’s sonicwall.
This time use the remote IP of Area 1’s sonicwall. Make sure the same shared key is used.
Once you click ok your VPN tunnel should be up in a few seconds.
A green dot will appear to show that the tunnel is active.
Create the rest of the tunnels.
Note that you cant pass traffic over the tunnels yet.
Create the following links
Area1 to Area 3 and 4
Area 2 to Area 3 and 4
Let do the routing now.
Select “Network” then “Routing”.
On Routing Mode select “Advanced Routing”
You should now see the VPN tunnel interfaces (Checking the Allow Advanced routing in the VPN policy enabled the tunnel to appear here.)
I chose to enable OSPF here as is a better routing protocal for my production environment that im labing this for.
Select the next to OSPF to configure it.
Enable the service and change the OSPF Router ID to something unique. I use 10.0.0.1 – 4 for each router.
Check “Redistribute Connected Networks”. This is what will actually get the routing to work.
Right at the bottom is some sonicwall vodo but here is how it needs to be.
The IP Address Borrowed From: needs to be the Bogus interface that we created.
The remote IP Address is the IP of the Bogus Interface on the remote side of the tunnel.
So if this is for tunnel 4 to 1 and we are on Area4’s sonicwall it would be 10.0.1.1. on Area1’s it would be 10.0.1.4.
A nice dot will appear in green when its working and red when its not.
See the picture for Area 4 to Area 1. I have marked the important parts.
Below is what my routing table looks like in complete for this lab.
You may need to do the firewall rules before you see routes being added. (I had created a full lab before i created this post)
To actually get traffic to flow you need to configure firewall rules to allow the traffic to flow.
These are unique to every network so i’m just doing going to show you what I created.
Something to note is that if you have traffic traveling from Area1 to Area2 it needs to cross over either 3 or 4. This is considered VPN to VPN firewall zoning.
These will take some playing with to figure out and make sense.
These come from Area4’s sonicwall.
At this point your lab should be fully connected and have routing enabled.
If you ping Area1 from its LAN server to Area 2 you will pass over on of the neighboring sonicwalls.
Read the routing tables to see which on.
If you unplug that Wan link or turn off the neighboring sonicwall that is being used the routing will change and a few seconds later your pings will start working again via a different route.
See below for logical diagram:
So Although a bit tricky to setup the sonicwalls can infact do reasonable routing over the VPN networks.
This will allow for greater redundancy than normal site to site VPN’s.
We’ll have to see how it works with the already configured site to site VPN links that we have. But that’s for another post.