Sonicwall – VLAN configuration

We have been using a Sonicwall for several years now and let me tell you, I love it. When we were buying new hardware years back I was pushing for a Cisco firewall because these are very ‘common’, accepted and I know how to handle one of those, but my colleague decided to go for the Sonicwall NSA model.

My god, I hated him. Now 2+ years later we actually started to use all the functions that the Sonicwall has to offer and let me tell you, it saved my ass once or twice. Damn, what a powerful machine. It’s the perfect balance of the easy-to-use web interface (for my colleague) and a simple CLI. It has the ability to stop attacks, can work with complex network infrastructures, supports BGP (limited) as well as VLANs and has a very good packet capture method.

So, I’m in love.

Now then; how about actually using this piece of hardware instead of just letting it sit there with 6 interfaces (one of them HA) and not doing anything. We decided to use VLANs in order to guide all of our traffic over this Sonicwall appliance and it worked like a charm. It did take some time to figure out the routing tables that need to be put in place manually, but once that was covered we were good to go.

The setup
Let’s assume that we only need a basic WAN/LAN setup here. So we will configure 2 interfaces on the Sonicwall to act as LAN and WAN and set these as ‘untagged’ on our switches since they do not need a VLAN ID yet. In my case I configured the x0 interface as LAN with a 10.10.10.0/24 subnet and the x1 interface as WAN with a public-facing IP. Once that’s done you should be able to go online from LAN and ping the WAN from anywhere. Easy.

Setting up VLAN interfaces
When going to the interfaces menu in the NSA you will see the button ‘add interface’. Did you ever wonder what this was for? Well, that’s to add a new virtual interface on top of the one you just created. So go ahead and click on it, adding a new interface for your new network or client.

It will ask you some questions, like on what interface you want to add the new card (what is the parent?). In our case we always add both an external and an internal network card (with 2 VLAN IDs) representing the outside (WAN) and inside (LAN) for a client. This won’t need any explanation: just add a new network card with a static range (/24?) and set it up on the LAN/WAN card. On the ports of the switch, now add these VLAN IDs and set them as ‘tagged’.

But, i have no internet?
No, you don’t. With the NSA you have to manually add a route that says that all traffic coming from X0:VLANID going to 0.0.0.0 (wherever, internet) has to go out through the right interface (X1:VLANID). Go to Network -> Routing. Now add a new rule saying everything FROM the X0:VLANID subnet going to 0.0.0.0 has to use the X1:VLANID default gateway.

Do not forget to add zones to each of the new interfaces. You can choose to share zones (like all X1 zones use WAN and all X0 zones use LAN) but I always like to set up a WAN/LAN zone for each client; as you prefer. After that, change the firewall rules or you will not be able to reach the internet or accept incoming traffic.

Bottom line: the Sonicwall NSA has so much functionality, it’s so easy (both CLI as well as web interface) and it can stop attacks with no hassle. Buy it.

Important – Security

As my web-GUI loving colleague just corrected me: by default the Sonicwall enables a firewall rule that allows all traffic between VLANs (clients). Make sure you set this to DENY in order to make sure clients cannot see each other’s servers/networks.
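To make the per-client route and the inter-VLAN rule check above concrete, here is an added Python model of the layout (example code, not SonicOS configuration and not the author’s own). It assumes a constructed config with two clients on VLANs 10 and 20, X0:V<id>/X1:V<id> subinterfaces and LAN-<client> zone names; the audit flags a client VLAN whose internet traffic does not leave via its own X1 VLAN, and any ALLOW rule between two different clients’ LAN zones.

```python
from ipaddress import ip_address, ip_network

# Constructed example config mirroring the post's layout (not SonicOS syntax):
# one X0/X1 VLAN pair per client, one route per client subnet to 0.0.0.0/0,
# and zone rules evaluated top-down.
CLIENTS = {"acme": 10, "globex": 20}                    # client -> VLAN ID
SUBNETS = {"acme": "10.10.10.0/24", "globex": "10.10.20.0/24"}  # on X0:V<id>
ROUTES = [
    {"src": "10.10.10.0/24", "dst": "0.0.0.0/0", "iface": "X1:V10"},
    # globex (VLAN 20) has no route yet: the "But, I have no internet?" case
]
RULES = [
    {"from": "LAN-acme", "to": "LAN-globex", "action": "ALLOW"},  # permissive default
    {"from": "LAN-acme", "to": "WAN-acme", "action": "ALLOW"},
]


def egress_interface(routes, src_ip):
    """Interface the most specific matching route sends src_ip's internet
    traffic out of, or None when no route matches (the VLAN stays offline)."""
    src = ip_address(src_ip)
    hits = [r for r in routes
            if r["dst"] == "0.0.0.0/0" and src in ip_network(r["src"])]
    if not hits:
        return None
    return max(hits, key=lambda r: ip_network(r["src"]).prefixlen)["iface"]


def audit(clients, subnets, routes, rules):
    """Return a list of findings: wrong/missing egress per client VLAN and
    any ALLOW between the LAN zones of two different clients."""
    findings = []
    for name, vid in clients.items():
        probe = str(next(ip_network(subnets[name]).hosts()))  # first host
        iface = egress_interface(routes, probe)
        if iface != f"X1:V{vid}":
            findings.append(f"{name}: internet route via {iface}, expected X1:V{vid}")
    for r in rules:
        lan_to_lan = r["from"].startswith("LAN-") and r["to"].startswith("LAN-")
        if r["action"] == "ALLOW" and lan_to_lan and r["from"] != r["to"]:
            findings.append(f"inter-client ALLOW {r['from']} -> {r['to']}: set to DENY")
    return findings


if __name__ == "__main__":
    for finding in audit(CLIENTS, SUBNETS, ROUTES, RULES):
        print(finding)
```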

  1. I am trying to do a setup like the one described, but I have been unsuccessful:

    Got a Fiber OMT which uses a tagged VLAN (6), mandatory to connect to the internet with PPPoE.

    It is not possible to connect the X1 interface directly to it, since it cannot set a VLAN tag.

    So I created a Virtual LAN number 6, with parent X1 being a WAN type, using the credentials for PPPoE provided.
    The VLAN connects to the internet and gets an IP correctly.
    But the devices connected to X0 (LAN) with DHCP cannot connect to the internet.

    Seems a routing problem; but the sonicwall automatically creates routing entries that cannot be edited.

    Any help would be great!! Thanks.

    G.

  2. It looks like your default route is pointing to the X1 interface and not X1.6 (vlan interface). You can check this in Network -> Routing.

    Now add a new rule saying everything FROM X0 (LAN) subnet going to 0.0.0.0 has to use the gateway X1:6 default gateway.

    If you have another rule with 0.0.0.0/8 then delete it.

    Hope that helps

    1. Thank you very much. It helped a lot.

      The final solution that worked for me is to clear up the Failover and unassign the X1 and add the X1:V6. Then it works automatically.

      Note that it takes a bit to see the changes working.

  3. I’m trying to set up the same as Guillem: my internet provider is XS4all and XS4all needs a tagged VLAN (6), mandatory to connect to the internet with PPPoE. At this time, I have X1 connected to a switch, and the switch connected to the fiber modem. Switch ports have VLAN ID 6 as native, and it connects.

    I’d rather not have the switch in between the Sonicwall and the fiber modem, but I don’t understand the setup:

    – PPPoE is only possible on X1, so I think I need X1 to set up the PPPoE connection

    – How should I configure VLAN 6? I can’t create a VLAN with parent X1, because “Invalid IP Address – Choose an address within the subnet “. I choose ‘static ip’ and put in: 192.168.1.0 / 255.255.255.0

    Kind regards,
    Marco Visser

    1. Sorry – my mistake. 192.168.1.0 should of course be: 192.168.1.1 …

      1. But still can’t get it to work.

        I’ve got X1, PPPoE to my internet provider.

        I’ve got a VLAN ‘LAN 6’, zone ‘LAN 6’ X1:V6, ip-address 192.168.1.1 / 255.255.255.0

        I’ve got the uplink to the fiber modem in X1, but the PPPoE does not connect.

    2. Why do you need a switch between your fiber and the sonicwall? Connection can be done directly. Create a VLAN interface tag 6, type PPPoE and that’s it.
