Posts Tagged ‘WAN’

How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL.com (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses: the shared Virtual IP that LAN hosts use as their gateway, plus a unique management IP for the Primary unit and one for the Backup unit.

6. A crossover cable (to connect the SonicWALLs to each other) on the last ethernet interface of each unit.

7. 1 hub or switch for the WAN port on each SonicWALL to connect to.

8. 1 hub or switch for the LAN port on each SonicWALL to connect to.

Caveats

1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).

 

Setup

1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6233#Associating_an_Appliance_at_First_Registration_

• “Associating Pre-Registered Appliances”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6235#Associating_Pre-Registered_Appliances

• “Associating a New Unit to a Pre-Registered Appliance”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6236#Associating_a_New_Unit_to_a_Pre-Registered_Appliance

2. Log in to the Primary HF unit and configure it fully (firewall rules, VPN, etc.).

3. Connect the SonicWALLs to each other on their last ethernet ports using a crossover cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect that switch to your main LAN switch (if you don’t have one, you should purchase one; it is the switch that all your LAN nodes connect to).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.

 

Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC. The pair then presents one shared MAC address on each interface, so the ARP caches of LAN hosts and the upstream device stay valid across a failover instead of waiting to learn the Backup unit’s hardware address.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.

 

Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit, they will be sync’d with the secondary unit).

1. Log in as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.

 

Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log into the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.
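To put numbers on step 1 of the test above (how long the LAN gateway stops answering while the Backup takes over), here is an added Python 3 probe script; it is not SonicWALL code. It pings the Virtual IP, both unique management IPs and one host beyond the WAN once a second while you power off the Primary, then reports every outage window it saw from a LAN host. All four addresses are assumptions; replace them with the ones you configured.

```python
"""Failover timing probe for a SonicWALL HA pair (added example, not SonicWALL code).

Pings each target once per interval while the Primary unit is powered off and
reports the outage windows seen from a LAN host.  All IPs below are assumptions.
"""
import subprocess
import sys
import time

# Assumed addressing from the HA setup: shared Virtual IP (the LAN gateway),
# the two unique management IPs, and one host beyond the WAN.
TARGETS = {
    "virtual-ip": "192.168.1.1",
    "primary-mgmt": "192.168.1.2",
    "backup-mgmt": "192.168.1.3",
    "upstream": "192.0.2.1",
}


def ping_once(host, timeout_s=1.0):
    """One ICMP echo via the OS ping (macOS/Linux); True if it was answered."""
    try:
        rc = subprocess.run(
            ["ping", "-c", "1", host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        ).returncode
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return rc == 0


def outage_windows(samples):
    """samples: [(timestamp, reachable), ...] in time order.

    Returns [(first_failed_ts, first_recovered_ts), ...].  An outage that is
    still open when sampling stopped is reported with end=None.
    """
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def longest_outage(samples):
    """Seconds of the longest outage (0.0 if none); an open outage is
    measured up to the last sample taken."""
    if not samples:
        return 0.0
    last_ts = samples[-1][0]
    return max(((end if end is not None else last_ts) - start
                for start, end in outage_windows(samples)), default=0.0)


def probe(targets, interval_s=1.0, duration_s=180.0):
    """Sample every target once per interval for duration_s seconds."""
    samples = {name: [] for name in targets}
    t_end = time.monotonic() + duration_s
    while time.monotonic() < t_end:
        t0 = time.monotonic()
        for name, host in targets.items():
            samples[name].append((t0, ping_once(host)))
        time.sleep(max(0.0, interval_s - (time.monotonic() - t0)))
    return samples


if __name__ == "__main__":
    duration = float(sys.argv[1]) if len(sys.argv) > 1 else 180.0
    print("probing for %.0fs; power off the Primary now" % duration)
    for name, hist in probe(TARGETS, duration_s=duration).items():
        wins = outage_windows(hist)
        desc = ", ".join("%.0fs" % ((e if e is not None else hist[-1][0]) - s)
                         for s, e in wins) or "none"
        print("%-13s outages: %s (longest %.0fs)" % (name, desc, longest_outage(hist)))
```

Read the output per target: the Virtual IP and the upstream host should show one short gap and then recover; an outage on the Virtual IP that never closes means the Backup never claimed it, and a LAN gateway that recovers while the upstream target stays down much longer points at stale ARP entries on the WAN side, which is what Enable Virtual MAC above is meant to prevent. The primary-mgmt address is expected to stay down until the Primary is powered back on.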

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Log in to the SonicWALL.

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact and System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1” field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk (part of net-snmp, which ships with macOS). On a Mac, the command can be:

snmpwalk -c private -v 2c <WAN IP address of the SonicWALL>

or

snmpwalk -c private -v 1 <WAN IP address of the SonicWALL>

The SonicWALL utilizes version 1 and 2c for SNMP. The community string (private above) must match the Get Community Name you configured; with v1 and v2c it is the only credential and travels in cleartext, so do not leave a guessable default, and confirm that the same walk from a host other than TelePacific’s monitoring address times out.
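Because the snmpwalk check above needs net-snmp installed, here is an added example (not SonicWALL or TelePacific code) that does the same GET for sysDescr.0 in plain Python 3, building the SNMPv2c packet by hand so the wire format is visible: the community string is the whole credential and sits in cleartext right after the version field. It doubles as an exposure check: run it with the well-known defaults public and private and from a host other than the monitoring one; each of those should time out. The WAN IP and the tpac-monitor community name in __main__ are assumptions.

```python
"""Minimal SNMPv2c GET client (added example; not SonicWALL or TelePacific code).
Builds the BER-encoded request by hand so the community string's place in the
packet is visible.  Host and community strings in __main__ are assumptions."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


def _ber_len(n):
    # Short form below 128, otherwise 0x80 | byte-count followed by the length.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def ber_int(v):
    # Two's-complement INTEGER, big-endian.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(arcs):
    # First two arcs share one byte; the rest are base-128 with a continuation bit.
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    """SNMPv2c GetRequest for one OID: version 1 == v2c, community in cleartext."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + tlv(0xA0, pdu))


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        cnt = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + cnt], "big")
        pos += cnt
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)


def parse_get_response(packet, expected_id):
    """Return (community, {oid_tuple: value}) from a GetResponse (tag 0xA2)."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, p = _read_tlv(msg, 0)                       # version
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % tag)
    _, rid, p = _read_tlv(pdu, 0)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch")
    _, err, p = _read_tlv(pdu, p)
    if int.from_bytes(err, "big", signed=True) != 0:
        raise ValueError("agent returned error-status %d" % int.from_bytes(err, "big"))
    _, _, p = _read_tlv(pdu, p)                       # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    results, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        results[_decode_oid(oid)] = val.decode("utf-8", "replace") if vtag == 0x04 else val
    return community.decode(), results


def snmp_get(host, community, oid=SYS_DESCR, timeout=3.0, request_id=1):
    """One GET over UDP/161; None on timeout, which is what a host that is
    not allowed to poll the SonicWALL should get."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data, request_id)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"   # assumed WAN IP
    # Well-known defaults first, then the string you configured (assumed name).
    for community in ("public", "private", "tpac-monitor"):
        print("%-13s -> %r" % (community, snmp_get(host, community)))
```

A reply to public or private from the WAN means anyone on the Internet can read the device's configuration tree with that string; only the community you gave TelePacific, from their monitoring address, should get an answer.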

Blacklisting IP addresses on SonicWALLs

Friday, April 4th, 2008

Blacklisting an IP from the WAN on a SonicWALL

1. Log in to the SonicWALL.

2. Go to Firewall Rules.

3. Go to Matrix.

4. Go to WAN -> LAN.

5. Create Rule.

6. For Source, choose Create Network.

7. Change Zone to WAN.

8. Name it whatever you want (e.g. Blacklisted IP1).

9. Enter the IP.

10. Save it.

11. On the firewall rule, make sure to select Deny.

12. Source is Blacklisted IP1.

13. Destination is ANY.

14. Service is ANY (if you want to block all traffic).

15. Save it.

16. Move it up in the chain to be the first rule (rules are matched top down, so a broader Allow above it would win).

17. Test it.

Note that a WAN -> LAN rule only covers that zone pair: traffic from the blacklisted address to the firewall itself (WAN -> WAN, e.g. management or VPN) or to other zones (DMZ, WLAN) needs a matching Deny in each pair. SonicOS also offers Discard, which drops silently, whereas Deny answers the source with a TCP reset or ICMP unreachable; Discard gives a scanning host less to work with.

Using Apple AirPorts

Wednesday, November 29th, 2006

Intro
AirPort is a local area wireless networking system from Apple Computer based on the IEEE 802.11b (which runs at 11Mbps) standard (also known as Wi-Fi) and certified as compatible with other 802.11b devices. A later family of products based on the IEEE 802.11g (which runs at 54Mbps) specification is known as AirPort Extreme, offering speeds up to 54 megabits per second and interoperability with older (802.11b) products.
AirPort and AirPort Extreme in common usage can refer to the protocol (802.11b and 802.11g, respectively), the expansion card or the base station.
In Japan, AirPort is known as AirMac due to trademark conflicts.

When connecting a non-Mac machine to an AirPort running WEP you will need to give it the WEP key in hex rather than the passphrase. The hex key can be obtained by clicking on the password icon in the AirPort Admin menu bar.

Airport Interface
AirPort Express and AirPort Extreme firmware limits the number of concurrently connected users: the AirPort Express is limited to 10 concurrent users and the AirPort Extreme to 50.

Select “Enable interference robustness” when the base station is in an environment with other 2.4 Ghz devices that can interfere with your network. Devices that can cause interference include cordless telephones, some television repeaters, and microwave ovens.

The GUI interface of Airport Admin only allows for 1 port at a time to be directed to an internal IP.

WAN
AirPort supports WDS. A Wireless Distribution System interconnects access points wirelessly: as described in IEEE 802.11, it lets a wireless network be expanded with multiple access points without a wired backbone linking them. Base stations connected through WDS cannot share their Internet connection with other remote base stations. The main base station can configure WDS automatically as long as all the AirPorts are at their default settings and default passwords. WDS lists are built and tracked using AirPort IDs (the base stations’ wireless MAC addresses).

All base stations in a Wireless Distribution System must be configured to use the same radio channel, and must share WEP keys if WEP is used. They can be configured with different service set identifiers. Since WDS needs all stations on the same channel, changing the channel on one base station breaks WDS.

LAN
PPPoE, Static IP, DHCP and WDS are the available Internet connection types. PPTP is a VPN protocol. A virtual private network (VPN) is a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider’s private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

PPPoE only requires an account name and password for a connection. PPPoE is used mainly on DSL lines, where the ISP uses it to grant only authorized subscribers access to the Internet connection.

Which is NOT an option for the LAN Addressing when setting up DHCP Ranges?
Private (RFC 1918) address space comes in three blocks, commonly labelled by the old address classes A, B and C: 10.0.0.0/8 (10.0.0.0 – 10.255.255.255, subnet mask 255.0.0.0, 16,777,216 addresses), 172.16.0.0/12 (172.16.0.0 – 172.31.255.255, mask 255.240.0.0 for the whole block, 1,048,576 addresses) and 192.168.0.0/16 (192.168.0.0 – 192.168.255.255, mask 255.255.0.0, 65,536 addresses). Only addresses inside those blocks are internal: 172.32.0.1 or 192.0.2.1 are public even though they start with 172 and 192.
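The mask and address-count arithmetic behind those three ranges, worked out from the prefix length rather than the first octet, as an added Python 3 example (not Apple software; the addresses checked in __main__ are constructed for illustration):

```python
"""Private-address arithmetic behind the AirPort DHCP ranges (added example;
not Apple software).  Works the masks and address counts out from the prefix
length instead of trusting the first octet."""

# The three RFC 1918 blocks.  Note the 172 block is a /12, not a /16.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_ipv4(text):
    """Dotted quad -> 32-bit int, rejecting malformed input."""
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % text)
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def to_dotted(value):
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def mask_from_prefix(prefix):
    """/prefix -> netmask as int, e.g. /12 -> 0xFFF00000 (255.240.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length %d" % prefix)
    return ((1 << prefix) - 1) << (32 - prefix)


def block_info(cidr):
    """(netmask, first host, last host, address count) for a CIDR block."""
    net_text, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = mask_from_prefix(prefix)
    network = parse_ipv4(net_text) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return (to_dotted(mask), to_dotted(network + 1), to_dotted(broadcast - 1),
            1 << (32 - prefix))


def private_block_for(addr):
    """The RFC 1918 block containing addr, or None if it is publicly routable."""
    ip = parse_ipv4(addr)
    for cidr in PRIVATE_BLOCKS:
        net_text, prefix = cidr.split("/")
        mask = mask_from_prefix(int(prefix))
        if ip & mask == parse_ipv4(net_text) & mask:
            return cidr
    return None


if __name__ == "__main__":
    for cidr in PRIVATE_BLOCKS:
        print("%-15s mask %-15s hosts %s - %s (%d addresses)" % ((cidr,) + block_info(cidr)))
    # Starting with 10., 172. or 192. is not enough: two of these are public.
    for addr in ("10.200.3.4", "172.31.255.254", "172.32.0.1", "192.0.2.1"):
        print("%-15s -> %s" % (addr, private_block_for(addr) or "public"))
```

The membership test is the same one the base station's NAT and DHCP logic rely on: an address is in a block when it matches the block's network after masking, which is why 172.31.255.254 is private but 172.32.0.1 is not.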

DHCP needs to be turned on to be able to use the NAT feature. NAT may prevent users from printing to AppleTalk printers, since AppleTalk is not carried across NAT. Distribute IP addresses needs to be unchecked if AppleTalk printing is needed.

Security
Using airports in conjunction with a RADIUS server allows for a stronger layer of authentication. Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations

An SSID is visible by default. By checking the “Create a Closed Network” button you will be hiding the SSID. In order to connect to a hidden SSID network, you must select “Other” from the AirPort dropdown menu. Hiding the SSID is not a security control: clients still send it in the clear in their probe requests, so anyone listening can recover it.

The Access Control feature on the AirPort allows only authorized MAC addresses to associate wirelessly. This feature does not cover the wired interface. It is not very secure, since MAC addresses are easy to spoof. The AirPort allows exporting the list for backup purposes or for importing into another base station.

Features
As a feature Airport offers parental controls for AOL as long as the AOL client is installed and configured properly.

DMZ is available on the airport by selecting the “Enable Default Host at” check box in the base station options.

Updating the firmware is simple and easy. If the interface prompts you for a firmware upgrade, simply hit the upload button to upgrade the firmware.

When sharing printers on an AirPort or AirPort Express, use the Bonjour protocol to set up the printers.

Wireless Networking

Friday, October 6th, 2006

Wireless networks use high frequency radio signals to connect computers to each other and to shared-resources for the transmission of data such as files, images or connection to the internet. This type of network is known as a Wireless Local Area Network (WLAN).
Wireless networks offer most of the same ability as a traditional wired LAN. If your wired network has the ability to access the Internet today, then your wireless LAN will be able to as well.
A wireless LAN typically consists of two components: a wireless network card and an access point. The access point serves as the aggregation point for all wireless LAN communications within its range.
The access point connects to a traditional wired LAN to provide access to existing applications and services. Each computer with a wireless network card can roam about freely within the range of the access point and have connectivity to other wired and wireless resources through the access-point.
In larger environments multiple access points are deployed to provide greater coverage throughout a floor or entire building. This gives complete mobility for any number of devices. In this situation connectivity is maintained uninterrupted from one access point to another. This is referred to as roaming and is analogous to cellular phone service we use today.
Using technology based on the 802.11a, 802.11b, or 802.11g industry standards, we can design your network to support data rates from 11 Mbps to 54 Mbps with maximum throughput.
An access point, when paired with a wireless network card, provides wireless network communications. Its closest equivalent in the wired LAN is a hub or switch.
Although access points typically transmit signal from 100 meters to 300 meters, when combined with advanced antenna designs we can implement your network to support ranges as far out as ½ mile (or greater). Conditions like the composition of walls, antenna placement and other variables play a role in this effective distance.
Ad hoc is a mode of operation which allows computers to communicate wirelessly amongst themselves without an access point.
It’s generally recommended to always have an access point when more than two computers need to communicate to each other wireless or when connectivity to a wired LAN is required.
How many users one access point can serve varies significantly from one manufacturer’s access point to another, but a practical estimate is 15 to 20 users per access point.
Three18 delivers solutions based on the 802.11b, 802.11a, or 802.11g standards. This technology is not only cost effective but also provides excellent performance. The definitions for these standards are as follows:
802.11b
IEEE 802.11b is a technical specification issued by the Institute of Electrical and Electronic Engineers (IEEE) that defines the operation of 2.4 GHz, 11 Mbps, Direct Sequence Spread Spectrum Wireless Local Area Networks (WLANs). The 802.11b standard ensures that all wireless Ethernet products built to this standard are compatible.
802.11g
IEEE 802.11g is a technical specification issued by the Institute of Electrical and Electronics Engineers (IEEE) that defines the operation of 2.4 GHz, 54 Mbps Wireless Local Area Networks (WLANs) using OFDM, retaining the 802.11b DSSS rates for backward compatibility. The 802.11g standard ensures that all wireless Ethernet products built to this standard are compatible with each other and backwards compatible with 802.11b.
802.11a
IEEE 802.11a is a technical specification issued by the Institute of Electrical and Electronics Engineers (IEEE) that defines the operation of 5 GHz, 54 Mbps, OFDM Wireless Local Area Networks (WLANs). The 802.11a standard ensures that all wireless Ethernet products built to this standard are compatible with each other and, because they use a different band, co-exist with 2.4 GHz 802.11b/g networks without interfering.
Solutions deployed by Three18 integrate the highest levels of security for protecting student grades, test scores, attendance records, or sensitive administrative files. In addition to the standard wireless security options such as 128-bit data encryption and MAC address filtering, our solutions include National Institute of Standards and Technology (NIST) certified wireless security techniques that are currently being used by the Department of Defense wireless networks.
Client support varies from one manufacturer to another, but in general you can expect all major operating systems to be supported (i.e. Microsoft Windows 98, ME, 2000 Professional and Server, Mac OS, Linux, etc.).
It is possible today to build an entire network based on wireless technology. But in most cases an environment will have an existing wired LAN that they will wish to extend via wireless to leverage some of its advantages. Over time there should be a shift to more exclusively wireless LANs.
802.11a and 802.11g are IEEE standards for faster and more capable wireless LANs. Which one to choose depends on the applications that you want to run over the network and whether there is an existing 802.11b network in place. Applications that require higher data rates such as video streaming would operate more efficiently on 802.11a and 802.11g networks. If you have an existing 802.11b network in place there are interoperability issues that must be considered.
For 802.11g networks, there are no limitations with existing networks since both operate on the same 2.4 GHz radio frequency. This is the main advantage of using 802.11g.
Since 802.11a networks transmit signals over a 5 GHz frequency, 802.11b clients will not communicate with 802.11a access points and vice versa. The good news is that the technology providers have begun offering “dual band client cards” so that end-users can roam between the different network implementations.
Bluetooth is a 1 Mbps technology designed for low cost and low power to connect personal devices such as cell phones, PDA’s, notebooks and other personal devices. 802.11b is a full LAN connectivity solution, designed to provide full network services at Ethernet data rates. 802.11b and Bluetooth both operate in the 2.4 GHz frequency range using different types of spread spectrum technology.
The Wireless Ethernet Compatibility Alliance (WECA, renamed the Wi-Fi Alliance in 2002) was established in 1999 to certify interoperability of Wi-Fi (IEEE 802.11) products and to promote Wi-Fi as the global wireless LAN standard across all market segments.
Wi-Fi is a certification for 802.11b devices. All current product offerings are certified by WECA for Wi-Fi compliance in order to ensure seamless interoperability with other manufacturers’ products.

A wireless network provides fast and flexible access to centralized content for applications particular to their environments. With this technology, organizations can establish network connectivity anywhere within the designed coverage area including conference rooms, offices, outdoor structures, and difficult to reach locations. Organizations can achieve gains in productivity by utilizing mobilized computers for real time applications such as data entry, inventory control, attendance, and etc. A wireless network infrastructure can also offer cost advantages over traditional wired systems through the elimination of the need to run expensive conduits and cable.