Sonicwall Address Object Zone Assignment Discovery

Configuring Interfaces

Configuring a Static Interface

For general information on interfaces, see Network > Interfaces.

Static means that you assign a fixed IP address to the interface.

1. Click on the Configure icon in the Configure column for the interface you want to configure. The Edit Interface dialog is displayed.

3. Select Static from the IP Assignment menu.

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

Configuring Advanced Settings for a Static Interface

To configure advanced settings for a static interface, follow these steps.

1. In the Edit Interface dialog box, click the Advanced tab.

2. Link Speed defaults to Auto Negotiate on interfaces that support it, which lets the connected devices negotiate the speed and duplex mode of the Ethernet connection themselves. If you want to force a specific Ethernet speed and duplex, select the desired option from the Link Speed menu.

3. To override the default MAC address of the interface, select Override Default MAC Address and enter the MAC address in the field.

4. Select the Shutdown Port checkbox to temporarily take this interface offline for maintenance or other reasons. If connected, the link goes down. Clear the checkbox to activate the interface and allow the link to come back up.

6. Select the Enable Multicast Support checkbox to allow multicast reception on this interface.

7. Select the Enable 802.1p tagging checkbox to tag traffic passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. To make use of this priority information, devices connected to this interface must support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.

11. Interface MTU: specifies the largest packet size that the interface can forward without fragmenting it. Enter the size of the packets that the port will receive and transmit.

Configuring Routed Mode

Routed Mode provides an alternative for NAT for routing traffic between separate public IP address ranges. Consider the following topology where the firewall is routing traffic across two public IP address ranges:

Figure 7. Routed mode configuration

By enabling Routed Mode on the interface for the 172.16.6.0 network, NAT translations will be automatically disabled for the interface, and all inbound and outbound traffic will be routed to the WAN interface configured for the 10.50.26.0 network.

To configure Routed Mode, perform the following steps:

2. Click on the Configure icon for the appropriate interface. The Edit Interface window displays.

4. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface.

5. In the NAT Policy outbound/inbound interface drop-down list, select the WAN interface that is to be used to route traffic for the interface.

The firewall then creates “no-NAT” policies for both the configured interface and the selected WAN interface. These policies override any more general many-to-one (M21) NAT policies that may be configured for the interfaces.

Enabling Bandwidth Management

Bandwidth Management (BWM) allows you to guarantee minimum bandwidth and prioritize traffic. BWM is enabled in the Firewall Settings > BWM page. By controlling the amount of bandwidth to an application or user, you can prevent a small number of applications or users from consuming all available bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic improves network performance.

Three types of bandwidth management can be enabled on the Firewall Settings > BWM page:

Advanced—Enables you to configure maximum egress and ingress bandwidth limitations per interface, by configuring bandwidth objects, access rules, and application policies.

Global—Allows you to enable BWM settings globally and apply them to any interfaces. Global BWM is the default BWM setting.

For information on configuring bandwidth management, see Firewall Settings > BWM.

SonicOS can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on any interfaces. Outbound bandwidth management is done using Class Based Queuing. Inbound Bandwidth Management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the firewall. Every packet destined to the interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.

Enabling BWM

To enable or disable ingress and egress BWM:

1. Click on the Add Interface button or the Edit icon of an interface. The Add/Edit Interface dialog displays.

Configuring Interfaces in Transparent IP Mode (Splice L3 Subnet)

Transparent IP Mode enables the Dell SonicWALL Security Appliance to bridge the WAN subnet onto an internal interface.

To configure an interface for transparent mode, complete the following steps:

1. Click on the Configure icon in the Configure column for the unassigned interface you want to configure. The Edit Interface dialog box is displayed.

3. Select Transparent IP Mode (Splice L3 Subnet) from the IP Assignment menu.

4. From the Transparent Range menu, select an address object that contains the range of IP addresses you want to have access through this interface. The address range must be within an internal zone, such as LAN, DMZ, or another trusted zone, matching the zone used for the internal transparent interface. If you do not have an address object configured that meets your needs:

   a. In the Transparent Range menu, select Create New Address Object.

   b. In the Add Address Object window, enter a name for the address range. For Zone Assignment, select an internal zone, such as LAN, DMZ, or another trusted zone. The range must not include the LAN interface (X0) IP address.

   • Host if you want only one network device to connect to this interface.
   • Range to specify a range of IP addresses by entering the beginning and ending values of the range.
   • Network to specify a subnet by entering the beginning value and the subnet mask. The subnet must be within the WAN address range and cannot include the WAN interface IP address.

   e. Click OK to create the address object and return to the Edit Interface dialog box.

See Network > Address Objects for more information.
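As an added check that is not part of the original documentation, the following Python validates a candidate Transparent Range address object against the constraints listed in the steps above: an internal zone that matches the transparent interface's zone, addresses inside the WAN range, and neither the WAN interface IP nor the X0 IP included. The WAN-range check is applied to all three object types, not only Network, and the subnets, interface IPs and zone names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values for this example; not from the page or a real deployment.
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")   # subnet of the WAN (X1) interface
WAN_IF_IP = ipaddress.ip_address("203.0.113.1")        # WAN interface IP
LAN_IF_IP = ipaddress.ip_address("192.168.168.168")    # LAN (X0) interface IP
INTERNAL_ZONES = {"LAN", "DMZ"}                         # trusted zones acceptable for the range

@dataclass
class AddressObject:
    name: str
    zone: str          # Zone Assignment chosen in Add Address Object
    kind: str          # "Host", "Range" or "Network"
    start: str         # host IP, first IP of the range, or network address
    end: str = ""      # last IP of the range (Range only)
    netmask: str = ""  # subnet mask (Network only)

def expand(obj):
    """Every address the object covers, as ipaddress objects."""
    if obj.kind == "Host":
        return {ipaddress.ip_address(obj.start)}
    if obj.kind == "Range":
        first, last = ipaddress.ip_address(obj.start), ipaddress.ip_address(obj.end)
        return {ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)}
    if obj.kind == "Network":
        # Includes the network and broadcast addresses, so an overly wide mask is caught.
        return set(ipaddress.ip_network(f"{obj.start}/{obj.netmask}", strict=False))
    raise ValueError(f"unknown address object type {obj.kind!r}")

def check_transparent_range(obj, interface_zone):
    """Return the rules the object breaks as a Transparent Range (empty list if none)."""
    problems = []
    if obj.zone not in INTERNAL_ZONES:
        problems.append(f"zone {obj.zone!r} is not an internal zone")
    if obj.zone != interface_zone:
        problems.append("zone does not match the transparent interface's zone")
    addrs = expand(obj)
    if not all(a in WAN_SUBNET for a in addrs):
        problems.append("addresses fall outside the WAN address range")
    if WAN_IF_IP in addrs:
        problems.append("includes the WAN interface IP")
    if LAN_IF_IP in addrs:
        problems.append("includes the LAN interface (X0) IP")
    return problems
```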

To allow access to the WAN interface for management from another zone on the same appliance, access rules must be created. See Allowing WAN Primary IP Access from the LAN Zone for more information.

Configuring Advanced Settings for a Transparent IP Mode Interface

1. In the Edit Interface dialog box, click the Advanced tab.

2. Link Speed defaults to Auto Negotiate on interfaces that support it, which lets the connected devices negotiate the speed and duplex mode of the Ethernet connection themselves. If you want to force a specific Ethernet speed and duplex, select the desired option from the Link Speed menu.

3. To override the default MAC address of the interface, select Override Default MAC Address and enter the MAC address in the field.

4. Select the Shutdown Port checkbox to temporarily take this interface offline for maintenance or other reasons. If connected, the link goes down. Clear the checkbox to activate the interface and allow the link to come back up.

6. Select the Enable Multicast Support checkbox to allow multicast reception on this interface.

7. Select the Enable 802.1p tagging checkbox to tag traffic passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. To make use of this priority information, devices connected to this interface must support priority frames. QoS management is controlled by access rules on the Firewall > Access Rules page. For information on QoS and bandwidth management, see Firewall Settings > QoS Mapping.

9. Select the Enable Gratuitous ARP Forwarding Towards WAN checkbox to forward gratuitous ARP packets received on this interface towards the WAN, using the hardware MAC address of the WAN interface as the source MAC address.

10. Select the Enable Automatic Gratuitous ARP Generation Towards WAN

Site-to-site VPN connections are very easy to create between Sonicwall devices, almost ridiculously easy.  Here’s how to do it.

Sonicwall lets you set up site-to-site VPNs in a number of ways. I find the easiest and fastest way is to use the procedure that Sonicwall recommends when one of the VPN gateway Sonicwalls receives its WAN address via DHCP, even if both of your gateway devices have static addresses. The reason I do this is that the process pretty much never fails, is easy to troubleshoot and can be completed in minutes.

To use this process you have to decide on one Sonicwall as the “master” as it will always “listen” for VPN connections; the other Sonicwall will be the initiator.  If you are going to have multiple remote sites coming back to a main site then it only makes sense to make the main site the master.  If you only have two units involved then pick one as the master.

On the master unit perform the following steps:

Go to VPN > Settings. On that screen make sure Enable VPN is ticked, then change the “Unique Firewall Identifier” to something easily identifiable like “MASTER” or “VICTORIA FIREWALL” and click the Accept button. This will be the NAME you use in the following steps. Now click the ADD button under VPN Policies; the following will appear:

Fill in your entries as follows:

  • Leave Policy type as is
  • Leave Authentication method as is
  • For Name fill in the name that you will be giving the OTHER Sonicwall (the one at the other end of the VPN tunnel)
  • Enter 0.0.0.0 for both the Primary and Secondary gateways.  The reason for this is that you are setting up this unit to “listen” for the VPN connection and the remote end will pass this information through upon making the connection.
  • Enter your desired “shared secret” for the encryption key. Make note of what you enter, as you will need to enter the same key on the other Sonicwall. Longer, more random secrets are better than short, easily “guessed” secrets.
  • For the Local IKE ID select Firewall Identifier from the dropdown box then enter THIS Sonicwall’s name.
  • For the Peer ID select Firewall Identifier from the dropdown box then enter THE OTHER Sonicwall’s name.

Click on the Network tab:

On the Local Networks select LAN Subnets from the dropdown list.

On the Remote Networks select Create New Address Object and fill in the info for the LAN at the other end of the VPN similar to the following:

You should then have something like the following:

Click on the Proposals tab and set like the following:

Click on the Advanced tab and set like the following:

Click the OK button to save the settings.

The new policy will be displayed on the VPN Policies page.  Now, switch yourself over to the other Sonicwall and repeat the same steps with the following differences:

Enter the WAN IP address OR the FQDN of the master Sonicwall as the Primary gateway.  Remember, the Sonicwall you are configuring is the initiator of the VPN connection so it has to know what it needs to connect to.

On the Network tab you do the same thing as you did the first time around only this time the Remote Network will be the LAN behind the master Sonicwall.

The Proposals should match the other side:

On the Advanced tab the only change is to ensure the Enable Keep Alive is ticked.

Click the OK button to save the policy.

Assuming you’ve made no typos and all is well with your WAN connections, the VPN tunnel should come up on both Sonicwalls. The tunnel is up when both Sonicwalls display the green ball icon on the VPN policy. You will also see tunnel information appear under Currently Active VPN Tunnels when a tunnel is established:

Once your VPN policies are created you can make modifications that expand what traffic is allowed to flow over the tunnel. In this case we just allowed traffic on the primary LAN behind each Sonicwall to reach the primary LAN behind the other Sonicwall. We set this up on the Networks portion of each policy and bound the policies to the LAN subnets at each end. If you want to allow access to more subnets behind a Sonicwall, all you have to do is create an Address Object on each firewall that includes the subnets you want to access and reference that object instead of the one used when first setting up the tunnel. Just remember that whatever you reference as the LOCAL networks on one side of the tunnel has to also be referenced as the REMOTE networks on the other side of the tunnel. An example of how multiple networks display under a VPN policy follows:

As you can see, this tunnel knows about 3 separate networks at the other end.
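The two policies in this procedure are mirror images of each other, and most tunnel failures come from one side drifting (a subnet added to LOCAL on one firewall but not to REMOTE on the other, a mistyped Firewall Identifier, Keep Alive left off the initiator). The following Python, an added example rather than anything from the original post, models each end as the settings entered above and reports every place the pair stops mirroring; the firewall names, secret, subnets and proposal values are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Constructed example values; not from the original post or any real deployment.
SECRET = "example-shared-secret"
PROPOSALS = {"phase1": "example-ike-proposal", "phase2": "example-ipsec-proposal"}

@dataclass
class VpnSide:
    firewall_id: str        # Unique Firewall Identifier set under VPN > Settings
    policy_name: str        # policy Name: the OTHER unit's identifier
    primary_gateway: str    # 0.0.0.0 on the listening "master" unit
    shared_secret: str
    local_ike_id: str       # Firewall Identifier of this unit
    peer_ike_id: str        # Firewall Identifier of the other unit
    local_networks: frozenset
    remote_networks: frozenset
    proposals: dict
    keep_alive: bool

def check_pair(master, initiator):
    """Return every mismatch between the two ends of one tunnel (empty if consistent)."""
    issues = []
    if master.primary_gateway != "0.0.0.0":
        issues.append("master gateway must be 0.0.0.0 so it only listens")
    if initiator.primary_gateway in ("", "0.0.0.0"):
        issues.append("initiator must point at the master's WAN IP or FQDN")
    if master.shared_secret != initiator.shared_secret:
        issues.append("shared secrets differ")
    for me, other, label in ((master, initiator, "master"), (initiator, master, "initiator")):
        if me.local_ike_id != me.firewall_id or me.peer_ike_id != other.firewall_id:
            issues.append(f"{label}: IKE IDs are not this unit's / the other unit's identifier")
        if me.policy_name != other.firewall_id:
            issues.append(f"{label}: policy name is not the other unit's identifier")
        if me.local_networks != other.remote_networks:
            issues.append(f"{label}: local networks are not the other side's remote networks")
    if master.proposals != initiator.proposals:
        issues.append("proposals do not match")
    if not initiator.keep_alive:
        issues.append("initiator should have Enable Keep Alive ticked")
    return issues

def sample_pair():
    """A consistent HQ (listener) / branch (initiator) pair."""
    hq = VpnSide("HQ-FIREWALL", "BRANCH-FIREWALL", "0.0.0.0", SECRET, "HQ-FIREWALL",
                 "BRANCH-FIREWALL", frozenset({"192.168.10.0/24"}), frozenset({"192.168.20.0/24"}), PROPOSALS, False)
    branch = VpnSide("BRANCH-FIREWALL", "HQ-FIREWALL", "hq.example.com", SECRET, "BRANCH-FIREWALL",
                     "HQ-FIREWALL", frozenset({"192.168.20.0/24"}), frozenset({"192.168.10.0/24"}), PROPOSALS, True)
    return hq, branch

def broken_pair():
    """HQ adds a second LOCAL subnet without mirroring it as a REMOTE network on the branch."""
    hq, branch = sample_pair()
    return replace(hq, local_networks=hq.local_networks | {"192.168.11.0/24"}), branch
```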

I use this procedure all the time and have many, many site-to-site VPNs in the field configured in this manner. Of course, as I mentioned up front, there are many other methods available to configure the tunnels, including the new IKE v2 process available with the latest SonicOS firmware, and each method has its advantages and disadvantages. Use the method that best suits your needs, but for rapid configuration you can’t beat this!
