
I'm nervous leaving the device like this because it makes no sense to me WHY it's working like this.

We put in the new Sonicwall to replace an older Cisco ASA.

Just did the basic setup, using the same IPs from the ASA (making up IPs here but using the same subnets):

X0 LAN: 172.16.5.2/30

X1 WAN: 216.40.5.100/30

Then I add route for one of their internal subnets...

10.1.0.0/16 to gateway 172.16.5.1 on X0 LAN port (172.16.5.1 is MPLS provider router, which has route going to 10.1.0.0 network)

So, I set this up. Doesn't work. 10.1.0.0 network can't ping the Sonicwall and can't get onto the internet, Sonicwall can't ping 10.1.0.0 network.

NOW, just to test something, I turned on the X2 port on the SonicWall, put it into Layer 2 Bridge mode, and bound it to the X0 LAN port. I don't connect anything to X2, just enabled the bridge - X0 LAN and X1 WAN are still the only ports being used. Magically, everything starts working. I added additional routes for more internal networks, set up the necessary firewall/NAT rules, and everything works 100%.

If I turn off port X2 and remove the bridge, everything goes down.

I'm completely stumped as to why adding this bridge, which is seemingly useless, would make things work here. Mind you, there was no bridging set up on the Cisco. I've set up many a SonicWall and never had a similar situation.

Here's a screenshot of the interfaces.

grdlock
  • It should work. Can you post screenshots of the route and address pages? Moreover, you can enable detailed logs by doing the following in the log page: a) set log verbosity to debug, b) enable all log types, c) use a 0 seconds log suppression value. After that, you should be able to track dropped packets via the log view page. Then export your logs and attach them here. – shodanshok Mar 07 '15 at 17:20
  • You may have used the interfaces from the ASA firewall, however where has the routing gone??? Static routes in this case are not the best practice, you must use dynamic routing instead, possibly OSPF. – user275013 Mar 07 '15 at 16:43
  • In small networks, static routes are perfectly fine. – shodanshok Mar 07 '15 at 17:09
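The configuration described in the question (X0 172.16.5.2/30, X1 216.40.5.100/30, a static route for 10.1.0.0/16 via 172.16.5.1 on X0) can be checked on paper with a small route resolver. The block below is an added example, not SonicOS code and not from the poster: it does a longest-prefix-match lookup over the connected and static routes, and verifies that every static route's next hop lies on a directly connected subnet, which is the condition a firewall needs to ARP for the gateway at all. The interface addresses and the 10.1.0.0/16 route come from the question; the WAN default gateway 216.40.5.101 is an assumption, since the question does not state it.

```python
"""Static-route resolution check for the SonicWall layout in the question.

Added example (not SonicOS code): a minimal longest-prefix-match lookup that
also verifies each static route's next hop is on a directly connected
interface subnet. Interface addresses and the 10.1.0.0/16 route are from the
question; the WAN default gateway 216.40.5.101 is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    addr: ipaddress.IPv4Interface  # address with prefix length, e.g. 172.16.5.2/30


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str


INTERFACES = [
    Interface("X0", ipaddress.ip_interface("172.16.5.2/30")),    # LAN, from the question
    Interface("X1", ipaddress.ip_interface("216.40.5.100/30")),  # WAN, from the question
]

STATIC_ROUTES = [
    # MPLS side: internal subnet reachable via the provider router on X0 (from the question)
    Route(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_address("172.16.5.1"), "X0"),
    # Default route out X1; the gateway address is an assumption, not in the question
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("216.40.5.101"), "X1"),
]


def connected_routes(ifaces):
    """One directly connected route per interface subnet (no gateway)."""
    return [Route(i.addr.network, None, i.name) for i in ifaces]


def validate_next_hops(static_routes, ifaces):
    """Return (route, problem) pairs for static routes whose gateway is not
    on-link on the interface the route names. An empty list means every
    next hop can be resolved by ARP on its own interface."""
    problems = []
    for r in static_routes:
        if r.gateway is None:
            continue
        on_link = [i for i in ifaces if r.gateway in i.addr.network]
        if not on_link:
            problems.append((r, "gateway is not on any connected subnet"))
        elif on_link[0].name != r.iface:
            problems.append((r, f"gateway is on {on_link[0].name}, not {r.iface}"))
    return problems


def lookup(dst, routes):
    """Longest-prefix match over routes; returns the Route or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(dst, static_routes=STATIC_ROUTES, ifaces=INTERFACES):
    """Return (egress_interface, next_hop) for dst, or None if unroutable.
    For a directly connected destination the next hop is the destination."""
    r = lookup(dst, connected_routes(ifaces) + static_routes)
    if r is None:
        return None
    nh = r.gateway if r.gateway is not None else ipaddress.ip_address(dst)
    return (r.iface, str(nh))


if __name__ == "__main__":
    for p in validate_next_hops(STATIC_ROUTES, INTERFACES):
        print("BAD ROUTE:", p)
    for dst in ("10.1.20.5", "172.16.5.1", "8.8.8.8"):
        print(dst, "->", resolve(dst))
```

Run as-is it reports no next-hop problems and sends 10.1.20.5 out X0 to 172.16.5.1, which is what the question's static route intends; `validate_next_hops` is the check to run first when a route to an internal subnet mysteriously fails, because a next hop outside any connected subnet is silently unreachable.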

2 Answers


You don't mention how your firewall is set up. Typically X0 is LAN and X1 is WAN. So by default, traffic from X1 to X0 is blocked. But I don't think that is the problem.

The 10.1.0.0/16 doesn't have a routable interface to 172.16.5.1 on the SonicWall. The subnet masks prevent it. Even if you add a static route, you still need a routing interface on the 10.1.x.x subnet to be able to route out. Otherwise, the SW will probably forward the packets to the X1 interface instead.

As far as the bridging goes, I have no idea why that works either. It looks like it might be exploiting a bug in the bridging?

I think I might be way off course with this answer. I'll delete it if I am.

MikeAWood

According to SonicWALL documentation on the Layer 2 bridging:

Layer 2 Bridge Bypass is a physical X0-X1 interface bypass relay currently implemented on the SonicWALL NSA E7500. This feature is sometimes known as “fail to wire”, meaning that the LAN-WAN connection reverts to a straight-through connection if the SonicWALL appliance experiences a hardware or software failure. When the bypass relay is closed, network traffic flows unimpeded between the X0 and X1 interfaces. When the bypass relay is open, network traffic is handled by SonicOS Enhanced running on the SonicWALL appliance.

So it appears that by bridging the interface and including a failed interface (X2 not connected to anything), it is working because it is bypassing the SonicOS Enhanced controls and going straight through the wire.

That being said, it seems that this could be viewed as an elaborate troubleshooting step to see that something in the config is blocking the connections under the regular setup. Check the firewall rules?

armani