Deploying Balances into system, having problems

I work for a cooperative who is trying to deploy Balances throughout our system to increase bandwidth. We have started with two Balances, one at our headquarters (a 580) and one at one of our larger locations (380). We started testing the 580 and on Tuesday at night I plugged in our main ISP to the 580 on WAN1 set for Drop-in and connected LAN bypass (LAN3) to our Sonicwall NSA 2400 that handles private networking and VPN connections from the headquarters to the other offices through private networking. Once plugged in I was unable to get to the internet anymore and we were luckily able to flush the routing table on the ISP’s switch and get internet back (after I had put the main ISP back into the WAN port on the Sonicwall straight).

My best guess is that the Peplink may have sent a rerouting command immediately and took out our main IP address routing (possibly routing through the .64 address talked about below instead). From the graphic of how to do drop-in available on Peplink we got another IP address for the 580 to have on the same subnet. I set that up as the management IP through the LAN menu with Share Drop-in IP enabled set to our main IP address. Could I have done something here that did this? The way it was set up would be:

Main ISP: .52 address (WAN1)
Secondary ISP (different company): .218 (WAN2)
Peplink 580: .64 address for management (same subnet as Main ISP), added .52 address as Shared Drop-in IP address

Sonicwall NSA 2400: .52 external address (WAN), .1 internal address (Private address LAN)

Here it is in line form:

.52 ------> 580 (WAN1/Drop-in) -------> Sonicwall NSA 2400 (LAN3/Bypass into WAN port on Sonicwall)
.218 -----> 580 (WAN2) ---------------> Same as above

Ideally I’d like to use a Private IP address (.2 in the same subnet as the Sonicwall resides) for management of the Peplink, but am totally fine if it needs to be on an ISP provided IP address. This is our testbed and then I would go to the second location (all locations have a Sonicwall) and set up the same thing with different ISPs in the mix.

Thanks much for any help you can give as to how I could effectively set this up without something sending a rerouting command to a switch down the ISP’s line and the headquarters where everything runs through has no internet connection. Forgot to note the 580 does have 6.2.2 installed on it and I plan on doing upgrading to the 380 once I undertake that process. Just a little gun shy on it at the moment

Hi,

Please provide info below:-

Balance 580 LAN and WAN1 (Drop-in enabled)

  • IP of ISP router
  • IP of Balance 580 = x.x.x.64 or Shared IP with x.x.x.52?
  • Sonicwall WAN IP = x.x.x.52?
  • Gateway of default route for Sonicwall

PM was sent. Think I may have erroneously thought we needed a shared IP (using the main ISP IP) with another IP for management and the actual answer is to use the main ISP IP coming in as the address for the 580 that is the same address as the WAN port on the Sonicwall (as detailed in the PM). Can’t test until next week though, but interested in your assessment as well.

The ISP Gateway address I gave in the PM is the IP of the ISP router, so I think I answered everything asked for.

I can’t see the PM but drop-in mode with a shared IP would only be used in the event that you only have a single static IP. If you have a /29 or greater subnet then you would use one of those available IP addresses as the WAN/LAN IP of the Balance.

Let’s assume your firewall already has a WAN IP of .52 and its default gateway is .51 (the IP of the ISP router). In this case you could assign a .53 or other available IP as the WAN/LAN IP of the Balance in drop-in mode and everything will work just fine, no need to change anything on your firewall or ISP router.

Hope this helps.
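
An added example, not part of the reply above or of Peplink's own material: a Python check of the addressing rule that reply describes (give the Balance a spare address from the ISP subnet, and use a shared drop-in IP only when no spare address exists). The function name and the 203.0.113.x addresses are constructed for illustration; the /29 case mirrors the reply's .51/.52/.53 layout.

```python
import ipaddress


def check_dropin_plan(subnet, gateway, firewall_wan, balance_ip=None):
    """Return (mode, balance_address, problems) for a drop-in WAN plan.

    mode is "dedicated" when the Balance gets its own address from the
    subnet, or "shared" when it has to share the firewall's WAN address.
    (Hypothetical helper; names are assumptions, not Peplink settings.)
    """
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    gw = ipaddress.ip_address(gateway)
    fw = ipaddress.ip_address(firewall_wan)
    problems = []

    for name, addr in (("gateway", gw), ("firewall WAN", fw)):
        if addr not in hosts:
            problems.append(f"{name} {addr} is not a usable host in {net}")
    if gw == fw:
        problems.append("gateway and firewall WAN use the same address")

    # Addresses left over once the ISP router and the firewall are counted.
    free = [h for h in hosts if h not in (gw, fw)]

    if balance_ip is None:
        # Nothing proposed: take the first spare address, else share.
        if free:
            return "dedicated", str(free[0]), problems
        return "shared", str(fw), problems

    bal = ipaddress.ip_address(balance_ip)
    if bal == fw:
        # Same address as the firewall means a shared drop-in IP.
        if free:
            problems.append(
                f"{len(free)} spare address(es) exist; sharing {fw} is unnecessary")
        return "shared", str(bal), problems
    if bal == gw:
        problems.append(f"{bal} is the ISP gateway")
    elif bal not in hosts:
        problems.append(f"{bal} is not a usable host in {net}")
    return "dedicated", str(bal), problems


if __name__ == "__main__":
    # Constructed /29 matching the reply: gateway .51, firewall .52, Balance .53
    print(check_dropin_plan("203.0.113.48/29", "203.0.113.51",
                            "203.0.113.52", "203.0.113.53"))
```
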

Hi,

Thanks for the info.

Firstly, Share Drop-In IP is not necessary since this is not your option and you have sufficient IP. You may configure as below (I hide the first three octets).


Please ensure Sonicwall point x.x.x.1 as the gateway. You may find here for your reference.

Thank you for the reply. Will .52 calls (main domain) still come through to the Sonicwall even though the Peplink is set to .64 as above? I hope to possibly test this tomorrow night. The setup is relatively similar to the disaster from last week, although Shared IP is taken out of the equation (which I had the .52 address as).

I have contact with another company that uses Peplink similar to how we want to and they are using the main domain/ISP address as their Peplink IP address (so .52 in our case).

Yes, everything will flow through to the firewall as normal.

OK, this failed again, but not as bad as last time where all routing tables were redone. We still have internet connection. I attempted to set the Peplink to the .64 address as well as the .52 address hoping it would work. Basically whenever I plug in the cord from the main ISP the Peplink gets stuck saying “Connecting” and there is no end to it. With the 2nd ISP I have had no problems with it connecting and showing the IP address. I can also hook in the LAN port from the Peplink into the Sonicwall and get internet access through the 2nd ISP, but any connections asking for .52 (like our VPNs) will not work.

I guess the question at the moment is do you guys know of any problems connecting a partial DS3 fiber line into the Peplink from a connection standpoint (I have the IP, gateway and DNS numbers all correct) which is what the main ISP is (the reason the “Connecting” is ongoing, but I plug in the 2nd ISP to WAN2 and it connects right away which is cable internet)? I was told the fiber was a partial DS3, I’m not entirely sure if that is correct. There is a transceiver box on site that then goes to our rack. Any thoughts?

Thanks much for the help.

Hi,

As long as the provided connection is UTP cable with RJ45 connector then will be fine. Have you tested to connect a laptop directly to the transceiver box as below? Working fine?
Transceiver box (x.x.x.1) <— (x.x.x.52) Laptop.

If connection above is working fine, please put a switch (Unmanaged switch will do) in between the Transceiver box and Balance router. I need to confirm whether this is related to the issue of port synchronization.

Although I can test it at some point, I’m going to guess connecting a laptop will work directly given that the connection works into the switch. Basically it goes from the transceiver box to a patch panel which then is connected via UTP cable w/RJ45 connector to a switch which then goes to the Sonicwall currently. That line would go into the Peplink and then have continuous connection circle coming up. The cable internet connected to the WAN2 port has no problem connecting.

I am going to guess it is a port synchronization problem, so if you could point me to what needs to be done with that let me know. I’m hopeful I don’t have to put a ton of port numbers into the Peplink to make this work, but am interested in the steps needed to possibly get this to work. Thank you.

Hi,

This is the existing physical connection?
Internet <— Transceiver box <—UTP— Patch panel <—UTP— Switch <— Sonicwall

If the above connection is true, please connect the Peplink as below to test.
Internet <— Transceiver box <—UTP— Patch panel <—UTP— Switch <— (WAN1) Peplink (LAN) <— Sonicwall

That is exactly how I connected the Peplink and Sonicwall when it did the continuous connecting with the circle. I even tried just the Peplink with no LAN connection to Sonicwall and watched the Peplink Dashboard and it had the continuous connection. The cable internet was connected with the ISP IP address.

Hi,

Can’t guess anymore from here. Please open ticket for us to take closer look.

Thank you.