We have been using a SonicWall for several years now and let me tell you, I love it. When we were buying new hardware years back I was pushing for a Cisco firewall, because those are very ‘common’, accepted, and I know how to handle one of them, but my colleague decided to go for the SonicWall NSA model.
My god, I hated him. Now, 2+ years later, we have actually started to use all the functions that the SonicWall has to offer and let me tell you, it has saved my ass once or twice. Damn, what a powerful machine. It’s the perfect balance of an easy-to-use web interface (for my colleague) and a simple CLI. It has the ability to stop attacks, can work with complex network infrastructures, supports BGP (limited) as well as VLANs, and has a very good packet capture method.
So, I’m in love.
Now then; how about actually using this piece of hardware instead of just letting it sit there with 6 interfaces (one of them HA) and not doing anything. We decided to use VLANs in order to guide all of our traffic over this SonicWall appliance, and it worked like a charm. It did take some time to figure out the routing tables that need to be set in place manually, but once that was covered we were good to go.
Let’s assume that we will only need a basic WAN/LAN setup here. So we will configure 2 interfaces on the SonicWall to act as LAN and WAN and set these as ‘untagged’ on our switches, since they do not need a VLAN ID yet. In my case I configured the X0 interface as LAN with a 10.10.10.0/24 subnet and the X1 interface as WAN with a public-facing IP. Once that’s done you should be able to go online from the LAN and ping the WAN from anywhere. Easy.
Setting up VLAN interfaces
When going to the Interfaces menu in the NSA you will see the button ‘Add Interface’. Did you ever wonder what this was for? Well, that’s to add a new virtual interface on top of the one you just created. So go ahead and click on it, adding a new interface for your new network or client.
It will ask you some questions, like on what interface you want to add the new card: what is the parent? In our case we always add both an external and an internal network card (with 2 VLAN IDs) representing the outside (WAN) and inside (LAN) for a client. This won’t need any explanation: just add a new network card with a static range (/24?) and set it up on the LAN/WAN card. On the ports of the switch, now add these VLAN IDs and set them as ‘tagged’.
But, I have no internet?
No, you don’t. With the NSA you have to manually add a route that says that all traffic coming from X0:VLANID going to 0.0.0.0 (wherever, internet) has to go out through the right interface (X1:VLANID). Go to Network -> Routing. Now add a new rule saying everything FROM the X0:VLANID subnet going to 0.0.0.0 has to use the X1:VLANID default gateway.
Do not forget to add zones to each of the new interfaces. You can choose to share zones (like all X1 zones use WAN and all X0 zones use LAN), but I always like to set up a WAN/LAN zone for each client; as you prefer. After that, change the firewall rules or you will not be able to reach the internet or accept incoming traffic.
Bottom line: the SonicWall NSA has so much functionality, it’s so easy (both CLI as well as web interface) and it can stop attacks with no hassle. Buy it.
Important – Security
As my web-GUI-loving colleague just corrected me: by default the SonicWall enables a firewall rule that allows all traffic between VLANs (clients). Make sure you set this to DENY in order to make sure clients cannot see each other’s servers/networks.
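To show how the source-based routes, the per-client zones and that default rule interact, here is a small Python model of the setup described above (an added example, not SonicWall’s code or CLI). The interface names, zones, subnets, the permissive default rule and the fixed rule set are constructed assumptions; the model derives the destination zone from the route’s egress interface, evaluates zone-to-zone rules first-match, and audits whether client LANs can still reach each other.

```python
import ipaddress

# Constructed topology (assumption): untagged X0/X1 plus tagged LAN/WAN sub-interfaces per client, each in its own zone.
INTERFACES = [  # (interface, zone, subnet)
    ("X0", "LAN", "10.10.10.0/24"),
    ("X1", "WAN", "198.51.100.0/30"),
    ("X0:V10", "LAN_CLIENTA", "10.20.10.0/24"),
    ("X1:V110", "WAN_CLIENTA", "203.0.113.0/29"),
    ("X0:V20", "LAN_CLIENTB", "10.20.20.0/24"),
    ("X1:V120", "WAN_CLIENTB", "203.0.113.8/29"),
]
# Source-based routes as the post describes: (source subnet, destination, egress interface).
ROUTES = [
    ("10.20.10.0/24", "0.0.0.0/0", "X1:V110"),
    ("10.20.20.0/24", "0.0.0.0/0", "X1:V120"),
    ("0.0.0.0/0", "0.0.0.0/0", "X1"),
]
# Zone-to-zone access rules, first match wins: (from zone, to zone, action).
RULES_DEFAULT = [("any", "any", "allow")]  # the permissive default the post warns about
RULES_FIXED = [
    ("LAN_CLIENTA", "WAN_CLIENTA", "allow"),
    ("LAN_CLIENTB", "WAN_CLIENTB", "allow"),
    ("LAN", "WAN", "allow"),
    ("any", "any", "deny"),  # explicit inter-zone DENY, per the post's security note
]
ZONE = {name: zone for name, zone, _ in INTERFACES}

def connected(ip):
    """Interface whose subnet contains ip, or None if it is off-box (internet)."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, _, s in INTERFACES if addr in ipaddress.ip_network(s)), None)

def egress(src_ip, dst_ip):
    """Directly connected networks win; otherwise the first matching policy route."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return connected(dst_ip) or next((i for s, d, i in ROUTES if src in
        ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)), None)

def action(rules, src_ip, dst_ip):
    """LAN-originated flow: zones are taken from the ingress and egress interfaces."""
    src_zone, dst_zone = ZONE[connected(src_ip)], ZONE[egress(src_ip, dst_ip)]
    for rule_src, rule_dst, act in rules:
        if rule_src in ("any", src_zone) and rule_dst in ("any", dst_zone):
            return act
    return "deny"

def inter_client_leaks(rules):
    """Ordered pairs of client LAN zones that can reach each other under rules."""
    probes = [(z, str(next(ipaddress.ip_network(s).hosts())))
              for _, z, s in INTERFACES if z.startswith("LAN_")]
    return sorted((za, zb) for za, a in probes for zb, b in probes
                  if za != zb and action(rules, a, b) == "allow")
```

Running `inter_client_leaks(RULES_DEFAULT)` reports both client-to-client directions as allowed, while `RULES_FIXED` reports none yet still lets each client out through its own WAN sub-interface.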