
We're adding two SonicWALL NSA 2600 firewalls to our current setup. We currently get two WAN connections from two separate Cisco routers running on the same external subnet with what I believe is HSRP. Right now we run these two connections into two Cisco switches, and all of our computers then plug into both switches with NIC teaming.

In the new setup, we'd like to create a 3-port VLAN on each switch, one port for the WAN connection from the Internet and two ports for each NSA 2600. I've got the WAN port set up from one switch to each SonicWALL in HA mode. If I add the second switch connections to X2, I can't figure out how to get them bridged in the Network section. If I choose the WAN zone, I just get Static, Wire Mode, and Tap Mode. Static doesn't make much sense, since I'd need to pick a new IP address. Wire Mode will only let me choose unused interfaces (X4 and X5), and Tap Mode looks totally useless.

Does anyone have any tips on how to make this work or where to learn more about getting something like this working?

In case a diagram might help someone understand what I'm trying to do:

Network Setup Diagram

Here is what it looked like pre-firewall:

Old Network Setup Diagram

Here are pictures of what I'm seeing on my LAN side:

LAN bridge

Nothing like that seems to exist on the WAN side:


Jake Braun

2 Answers


Based on the information I've found and on testing configurations on an NSA 2600, in order to utilize multiple WAN connections on the same subnet, an intermediary device such as a load balancer would be needed. The load balancer would present a single link to each SonicWALL so that a single interface could be configured, and the load balancer would handle the failover if one of the Cisco routers went down. The setup would look similar to the following diagram:

The other, much more complex option would be to test creating a custom Zone on the SonicWALL and modifying the routes to use that zone as a WAN. The downside, besides the obvious time commitment to configuring the routes, is that this option would not allow Failover & LB to utilize this zone. I would recommend looking into a load balancing device or similar intermediary between the Ciscos and the SonicWALLs.

Mike Naylor
  • This is good information, but I actually have the HA setup already. My problem is that I have two WAN switches and routers, and thus need two WAN interfaces. In the picture they show they just have one incoming connection: http://help.mysonicwall.com/sw/eng/6005/ui2/25000/images/High_Availability.56.1.3.jpg – Jake Braun Mar 24 '14 at 15:07
  • Not sure I follow. The NSA 2600 has 8 interfaces; by default X0 is the LAN and the others are configurable to whatever Zones you wish. On each firewall you can set up two WAN interfaces, one for each WAN connection, then in the Load Balancing/Failover config set which one is the default by putting it in the highest priority. – Mike Naylor Mar 24 '14 at 15:10
  • Both WAN connections are on the same subnet from Cisco routers using HSRP. The SonicWALL, as far as I can tell, will not allow a) two interfaces to be on the same subnet or b) two WAN zone interfaces to be bridged in a manner that works. On the LAN side I can pick "Layer 2 Bridged Mode"; on the WAN side that is not an option for whatever reason. I added pictures to the original question of what I see in the interface setup for my 2nd WAN connection. Nothing like what works on the LAN side exists. – Jake Braun Mar 24 '14 at 15:13
  • Ah, I see. Sorry if I missed that earlier. HSRP is Cisco proprietary, so SonicWALL won't be able to utilize that, which means the Ciscos can talk to one another, correct? If so, that means the diagram should have the Ciscos on the same switch or a connection between them. That's why I was confused. I see what you are saying, and right off the cuff, the only suggestion I have is possibly creating a new Zone to use instead of using the WAN. The only downfall is that I don't think Failover & LB will work on that zone, but it would allow Layer 2 Bridged Mode on the interfaces. Lemme look into it. – Mike Naylor Mar 24 '14 at 15:19
  • The other downfall is the custom routing to make the SonicWALL use the custom zone as an outbound interface. I'll look into it further and let you know what I can come up with. – Mike Naylor Mar 24 '14 at 15:21
  • Thanks, I appreciate all the info. The Cisco stuff was all handled by someone else. It works great, but I don't know too much about the details. They could very easily also be connected to each other as you said. – Jake Braun Mar 24 '14 at 15:29
  • Most of the solutions/documentation I'm seeing are single links to each SonicWALL. It may be necessary to have a load balancer in front of the SonicWALLs that presents the connection through a single interface. The custom zone may still work, but it'd take a lot of extra configuration. I'll keep looking and see what I find or can come up with. – Mike Naylor Mar 24 '14 at 15:31
  • That's what I was seeing as well. Every dual WAN example I found was for totally separate connections. I guess what I'm doing is less common than I thought. – Jake Braun Mar 24 '14 at 15:39
  • Just updated the answer. I know it's not ideal to introduce another single point of failure on a network designed to resist failures, but so far that is the only viable option I've found. If I run across any new discoveries I'll update this. Sorry it isn't a more elegant solution. – Mike Naylor Mar 24 '14 at 15:54
  • That makes sense. For us, I think we'd be better off just having single connections between the switches and the firewalls. I (think) in that scenario we'd only have a total failure in the event of our switch failing and something upstream on the same side failing at the same time. Unless we went dual load balancer, but I'm guessing we'd have the same problem at that level that we have at the firewall level. – Jake Braun Mar 24 '14 at 16:02
  • If you go dual load balancer you'd run into the same subnet issue with the WANs. Kind of a sticky situation any way you slice it. Without being able to bridge interfaces on the SonicWALL it gets more difficult. May be something to take to SonicWALL support and see if you can get a change request entered. – Mike Naylor Mar 24 '14 at 17:51

In the current firmware you could select the X1 interface, go to Advanced, and pick X2 as a redundant port for X1. That might be what you need?