Peplink Firewall Rule

Hello, could you help me figure out how I can create a rule that will send all traffic from a subnet coming in from a SpeedFusion VPN so that it can reach a server behind my firewall?
My current setup is:
Site1 <-> SpeedFusion_VPN <-> Site2_HQ <-> SonicWall_Firewall
The SonicWall is connected to LAN 1. I am able to reach the SonicWall interface on LAN 1, but I am unable to reach services behind the SonicWall.

Is it possible to forward traffic coming from the VPN out over LAN 1? This way the SonicWall will be aware of the traffic and will be able to route it back to the endpoint.

Hi
Could you give us some info on your IP address structure, routing and also what hardware you are using?
Is it just one subnet that the traffic is coming from (or are there multiple subnets but you only want to send one to the firewall)?

The easiest way would be to make a VLAN and make LAN 1 an access port for that VLAN.
Then in outbound and inbound rules, create a rule like in the image below:

Hope this gives you some ideas.

2 Likes

There are 7 networks connected to the HQ via SpeedFusion; all other sites are running Balance 310s.
Peplink Balance 380 (IP 192.168.1.1), SonicWall NSA3600 (IP 192.168.1.2)

So you are saying to create a new VLAN and add the Peplink to that VLAN, let's say Peplink IP 192.168.1.1 and SonicWall 192.168.2.1?
I don't understand the outbound policy rule. Do I need it? If the SonicWall receives the traffic it will send it out of LAN 1 and the Peplink should route the traffic.

Hi @SPeedY

I'm trying to understand your setup a bit better and understand what you are trying to achieve. Do you have a drawing?

Are you running traffic from the 7 networks back to the HQ, then you want to put it through one main firewall and then break it out to the internet from the HQ?

1 Like

Attached is a quick rough diagram; I would like subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 to be able to access content on the 192.168.2.0 and 192.168.4.0 networks, which are behind the Peplink LAN 1 interface.

I am not sending all traffic to the HQ, only traffic intended for the internal network, e.g. traffic from 192.168.10.0 accessing a server on the 192.168.4.0 subnet.
All of this used to work fine before adding the SonicWall.

I did a packet capture on the SonicWall and it does not see the traffic from those subnets in the SpeedFusion VPN, which may be because the Peplink router does not know where to send that traffic.

Hey. Thanks for the diagram, it makes understanding the situation much easier!

Have you added rules to the SonicWall allowing traffic from the remote subnets to access the local subnets?
You will need something like a bypass rule.

Remember that the SonicWall will be treating all traffic arriving at it as traffic from the internet, not from a private subnet, so it's probably blocking this.

The Peplink routers would not know where to send the traffic as they can probably no longer "see" the subnets and equipment behind the SonicWall.

If you ping from a Balance 310, do you get a response from a device on the 192.168.2.0 subnet?
Also ping the SonicWall and then the Balance 380.

This will help understand how far through the network your traffic is getting.

Hope this helps!

2 Likes

Yes, I added access rules on the WAN -> LAN interface to allow traffic from, e.g., the 192.168.10.0 network.

Yes, I am able to ping all the Balance 310s from subnet 192.168.2.0, as well as the Balance 380.
From the remote sites I am able to ping the Balance 380 network 192.168.1.0 as well as the SonicWall interface.

You need static routes for 192.168.xy.0/24 on your SonicWall with the Balance 380 as gateway.
Your remote sites need static routes for 192.168.2.0 and 192.168.4.0 via PepVPN.
Your Balance 380 needs a static route for the networks behind the SonicWall with the SonicWall as the gateway.
What is the default gateway on your workstations and servers?

2 Likes

Workstations' default gateway is 192.168.2.1 and the servers' is 192.168.4.1.

So the SonicWall's configuration is:
LAN1: 192.168.2.1/24
LAN2: 192.168.4.1/24
WAN: 192.168.1.2/24, gateway set to 192.168.1.1 (the Balance 380)
So all traffic that is not within 192.168.2.0 and 192.168.4.0 will be forwarded to the WAN.

So the B380 needs static routes to the networks behind the SonicWall:

→ 192.168.2.0/24 GW 192.168.1.2
→ 192.168.4.0/24 GW 192.168.1.2

Your remote B310s need to know how to reach the workstation and server LANs in your HQ.
Add static routes on each remote B310:
→ 192.168.2.0/24 GW 192.168.1.1
→ 192.168.4.0/24 GW 192.168.1.1

If you force all traffic through the tunnel, no static routes are necessary on the remote B310s.

Hope this helps
Theo

2 Likes
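To show why the B380 static routes are the missing piece in the topology above, here is an added example (not Peplink, SonicWall or any poster's code) that models each router's table with longest-prefix matching and traces a packet from a remote site host to the HQ server LAN and back; the addresses are the ones given in the thread, while the device labels (B310, B380, SonicWall, INTERNET) and the 192.168.4.10 / 192.168.10.50 host addresses are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (addresses from the thread; device
# names are assumed labels). Each table is a list of (prefix, next hop);
# next hop None means a directly connected LAN, "INTERNET" is the WAN sink
# where a router sends anything it has no better route for.
def build_tables(hq_static_routes, force_site_via_tunnel):
    tables = {
        "B310": [("192.168.10.0/24", None)],
        "B380": [("192.168.1.0/24", None), ("192.168.10.0/24", "B310"),
                 ("0.0.0.0/0", "INTERNET")],
        "SonicWall": [("192.168.1.0/24", None), ("192.168.2.0/24", None),
                      ("192.168.4.0/24", None), ("0.0.0.0/0", "B380")],
    }
    if force_site_via_tunnel:   # everything from the site goes over PepVPN
        tables["B310"].append(("0.0.0.0/0", "B380"))
    else:                       # local breakout, so the HQ LANs need routes
        tables["B310"] += [("192.168.2.0/24", "B380"), ("192.168.4.0/24", "B380"),
                           ("0.0.0.0/0", "INTERNET")]
    if hq_static_routes:        # the two routes the B380 is missing
        tables["B380"] += [("192.168.2.0/24", "SonicWall"),
                           ("192.168.4.0/24", "SonicWall")]
    return tables

def lookup(table, dst):
    """Longest-prefix match; returns (network, next hop) or None."""
    addr, best = ip_address(dst), None
    for prefix, nexthop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def trace(dst, start, tables, max_hops=8):
    """Follow dst hop by hop from router `start`; returns (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        if device == "INTERNET":
            return path, "leaked to WAN"     # what the SonicWall capture showed
        route = lookup(tables[device], dst)
        if route is None:
            return path, "no route"
        if route[1] is None:
            return path, "delivered"         # router owns the destination LAN
        device = route[1]
        path.append(device)
    return path, "loop"
```

Calling `trace("192.168.4.10", "B310", build_tables(False, True))` ends at the WAN sink, while the same call with `hq_static_routes=True` reaches the SonicWall, and the return trace from the SonicWall reaches the B310 in both cases because the SonicWall's default gateway is already the B380.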

@ue-it and @SamuelNorris thank you very much, it is working like a charm.

3 Likes