Routing traffic between two subnets

Tags: firewall, routing, sonicwall, subnet

I currently admin a small network; it has two separate sites (Site 1, Site 2). Each site has independent internet and a SonicWALL NSA 220 firewall. There is currently a VPN connecting the two SonicWALL firewalls, so the sites can communicate without any issues.

Our ISP has just installed a 'router' at each site (ISP Router 1 & 2), so it now presents two ports: an Internet port (ISP-WAN) and an inter-site port (ISP-LAN). This is so we can eliminate the VPN and route traffic directly through the ISP cloud (ISP-LAN).

I am wanting to know how to set up the port routing, so I can tell the firewall to route internal traffic through this new ISP-LAN port.

Each site has a DC (same domain) and a separate DHCP (sites have different IP ranges).

I was thinking I could connect port X6 on each firewall to the ISP-LAN port; this would connect the two sites (blue line), but I'm not sure how to configure the routing/rules.
Everything has the SonicWALL WAN port as its default gateway. I don't want the DHCP traffic, etc., broadcasting between sites.
[Network diagram: ISP Router 1 & 2 with ISP-WAN and ISP-LAN ports, firewall X6 ports marked "???", blue line joining the two sites]

Look forward to any help on this one.

Thanks

Best Answer

You are correct: if you have a free interface (e.g. X6) on each router, connect ISP-LAN at each site to that interface. I don't know if the SonicWALLs support VRRP, but it is not needed. DHCP will not cross subnets unless you enable an IP Helper.

The ISP-LAN connection replaces your VPN, but you will need to add some routes (which would have been implied or created previously due to the VPN). I'm guessing your ISP will refer to this as a managed VPN, an MPLS or a VLAN network.

However you will need to know what IPs/network your ISP has assigned to each ISP-LAN (where you have "???" in your picture).

First Case: IF your ISP has given you IPs on your subnets at each site (e.g. 10.10.1.254 at Site 1 and 192.168.1.254 at Site 2), then you can route via these IPs. Assign (or leave) X6 on the LAN (same as X2/X3/etc.). Then go to Network | Routing. You will need to create a route on each site (or you could use RIP, but that is not needed for 2 sites).

At Site 1 your route will be something like:

Source: Any
Destination: Site2 Subnet (192.168.1.0 / 255.255.255.0)
Service: Any
Gateway: ISP-LAN IP (10.10.1.254)
Interface: LAN/X0  (since it's on the LAN)
Metric: 20 (should be fine)

Create a similar route at Site 2 (but with a Destination of Site 1's network, using the Gateway of ISP-LAN at Site 2 [192.168.1.254]). I've done this for clients when this is how the ISP has configured things (used IPs on the local LAN to provide access via "the cloud").

Second Case: HOWEVER, if the ISP has used a DIFFERENT subnet for the ISP-LAN connection (such as 172.16.1.x or something), then you will need to configure X6 to be on that subnet; you won't need NAT. I've also done this for clients (where the ISP provides a 3rd subnet to join the 2 sites) -- in this case X6 will be on that 3rd subnet and the routes will be created automatically [just allow access with firewall rules].

So a QUESTION for you: What is the IP/subnet of the ISP-LAN at each site? Is it as you have in your picture (the X6 / ??? IPs) or is it something else?

EDIT: (since I can't add a comment)

I'm glad that helped. You would have DHCP traversing if the ISP configured the link as a Layer 2 link (essentially a VLAN) between the 2 ISP routers -- DHCP wouldn't cross Layer 3 without assistance, but it will cross Layer 2 (like on a switch). Now that you have added a different subnet to the link (your 10.0.0.1/30 subnet) you should be fine (the routers won't pass DHCP broadcast traffic beyond the subnet).

You can configure the routes with Probes so that they will deactivate if something fails; if you convert your VPN from an IPsec Policy VPN to a Tunnel Based VPN (which uses routes for the VPN) you can have it fail over if you wanted. BUT since the ISP's VLAN and the Internet-based VPN are running through the same ISP router, the chance of only ONE failing is slim. (If you had a different back-up ISP, then having a backup VPN would be a good idea.)

As for the speed issue, I would check if you have BWM enabled on either router; other than that, contact your ISP.
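To make the forwarding decision behind the answer's two cases concrete, here is an added illustration (not part of the answer above, and not SonicWALL code) that models Site 1's routing table in Python and runs a longest-prefix-match lookup over it. The Site 1 LAN (10.10.1.0/24), Site 2 LAN (192.168.1.0/24), the ISP-LAN gateway 10.10.1.254, the metric of 20 and the 172.16.1.x third subnet are taken from the answer; the WAN default gateway 203.0.113.1 and the specific link addresses 172.16.1.1/.2 are assumed for illustration. It also shows why a DHCP DISCOVER to the limited broadcast address is never forwarded by a Layer 3 hop, which is the "DHCP will not cross subnets" point.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[str]   # None means the destination is directly connected
    interface: str
    metric: int


def site1_routes_first_case() -> List[Route]:
    """First case from the answer: the ISP-LAN gateway (10.10.1.254) lives on
    Site 1's own LAN subnet, so the static route to Site 2 points at it via X0."""
    return [
        Route(ipaddress.ip_network("10.10.1.0/24"), None, "X0", 0),               # connected LAN
        Route(ipaddress.ip_network("192.168.1.0/24"), "10.10.1.254", "X0", 20),   # static route to Site 2
        Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "X1", 1),        # assumed WAN default gateway
    ]


def site1_routes_second_case() -> List[Route]:
    """Second case: the ISP provides a third subnet on the link, X6 joins it
    directly, and the route to Site 2 uses the ISP router's side as next hop.
    The /30 and its addresses are assumptions for illustration."""
    return [
        Route(ipaddress.ip_network("10.10.1.0/24"), None, "X0", 0),               # connected LAN
        Route(ipaddress.ip_network("172.16.1.0/30"), None, "X6", 0),              # connected link subnet (assumed)
        Route(ipaddress.ip_network("192.168.1.0/24"), "172.16.1.2", "X6", 20),    # next hop = ISP router (assumed)
        Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "X1", 1),        # assumed WAN default gateway
    ]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route a router would use for dst: longest prefix wins, then the
    lowest metric. Limited broadcast (what a DHCP DISCOVER is sent to) and
    multicast are link-local by definition and are never routed, so None is
    returned for them: this is why DHCP stays inside its own subnet."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255") or addr.is_multicast:
        return None
    matches = [r for r in routes if addr in r.destination]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.metric))


def next_hop(routes: List[Route], dst: str) -> str:
    """Human-readable forwarding decision for dst."""
    r = lookup(routes, dst)
    if r is None:
        return "dropped (not forwarded)"
    if r.gateway is None:
        return "direct on {}".format(r.interface)
    return "via {} on {}".format(r.gateway, r.interface)


if __name__ == "__main__":
    # Constructed sample destinations: a Site 2 host, a local host, the Internet,
    # and a DHCP DISCOVER's limited-broadcast destination.
    for label, table in (("first case", site1_routes_first_case()),
                         ("second case", site1_routes_second_case())):
        print("Site 1,", label)
        for dst in ("192.168.1.50", "10.10.1.20", "8.8.8.8", "255.255.255.255"):
            print("  {:>16} -> {}".format(dst, next_hop(table, dst)))
```

Running it shows that only traffic for 192.168.1.0/24 leaves through the ISP-LAN next hop, everything else still follows the WAN default route (matching "everything has the WAN port as its default gateway"), and the broadcast is dropped at the router rather than crossing to the other site.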