Sonicwall - PPPoE WAN + VLAN ID question

seedubya

Location: Carlow, Ireland
A client has just gotten a new FTTH connection. The connection works perfectly through the supplied ISP router, a Huawei F2000 (POS!). The PPPoE properties (required by the ISP to provide a fixed public IP) show that the connection has a VLAN ID of 10.

They also have an existing Sonicwall Soho gateway that's working perfectly with two other connections - one PPPoE and one DHCP. It has 2 free ports (X3 and X4). I've tried setting X3 up as a PPPoE connection with the ISP router in Bridging Mode but I'm not getting a connection. I can't figure out how to attach a VLAN ID to this port and I'm told that this is the issue. The option certainly isn't available through the GUI. I have googled and have found a LOT of conflicting and confusing info, and not being at all familiar with either Sonicwall or VLAN tagging on WAN connections, it would be great if @NETWizz or one of the other network guys could give their opinion. I would also pay someone to work on this remotely if they're reasonably sure of a positive outcome.
 
Just call up Sonicwall support. They will remote in and just make it work. The accents are a struggle, but that will be the quickest way to make it go, and once they know they are talking to a tech, you can actually have a tech conversation with them to figure out how to translate what you were expecting into Sonicwall language.

If you learn something interesting - post it here. I don't think I've ever had to assign VLAN tagging to a WAN port like that, so.....following.

Edit: Don't know if the number is the same (I'm in the states), but I use 888.793.2830. They will want the serial number of the unit, and you have to have current licensing (which, obviously you do, right?)
 
Yep, 2 years remaining on the licence.
 
I haven't specifically worked with a Sonic Wall enough to be able to comment much, but most firewalls like the SonicWall have built in virtual routers. From the sounds of things this is more like a built-in Layer-3 or Multi-Layer switch. The only thing I did was help a County Government migrate some NAT rules from a Cisco ASA to a SonicWall, but I remote controlled the unit, and it was intuitive at that point.

Simply put if you configure the LAN and WAN side of the connection into different zones, then the security rules should likely work. It sounds like the actual IP addresses for routing purposes are accomplished via an SVI for a VLAN interface, but I cannot speak specifically for SonicWall.

If, however, the VLAN interfaces are associated with a Virtual Router and the VLAN interfaces have IPs associated, then the virtual router has directly connected routes. Regardless, you would then need to create Layer-2 Interfaces and assign them to the proper VLAN ID to take part in the routing process.


I am sure you can read the SonicWall documentation, but this is ultimately what I would try. The thing is if this is for Internet, you will almost certainly need to NAT your RFC1918 Private IP addresses to your publicly assigned IP address. Specifically NAT it to the public IP you have on your Internet facing port, or if they are advertising a small block of IPs to you as is common (i.e. a /29 or 6 IPs is typical in business), you can NAT to one of those; since, they will be routed toward your router, you can simply use them as external IPs.
 
@NETWizz I really appreciate the reply. I'm currently getting the Sonicwall registered - it had never been done - so that I can get support on this directly from them. So, fingers crossed. I'll post back here with the solution as, I believe, an awful lot of FTTH\B\C connections now require this solution, on this side of the water at least. One thing to note is that Draytek devices support this configuration out of the box.
 
I don't know what you are paying for a Sonic Wall, but may I suggest a Palo Alto PA 220 for about $1000. That isn't much and it is leaps and bounds better. It is like the difference of a Dell Power Connect to a Cisco Catalyst.

Another option is ...
Not sure if you can do this - but a 30 min call gets you a freebie :). http://go.fortinet.com/LP=4524

They aren't stingy about giving out these $570+ firewalls free of charge. They actually sent me two of them one to test out in a location and the other to place in my lab. Now, obviously they are trying to get me to buy a bigger Fortigate and switch away from Palo Alto, but either way you can almost certainly get one freebie with no catch... where you never need to return it.

That Fortinet is a true, Layer-7 firewall like the Palo Alto and leaps and bounds better than any SonicWall. It can tell the difference between say FTP traffic and HTTP traffic regardless of what port for example.
 
I was intrigued by this, then I noticed the requirements:

NO PURCHASE NECESSARY. Void where prohibited by law. Recipient must be of the legal age of majority where the recipient resides, a legal U.S. resident, and not: an employee of Fortinet, a Fortinet reseller or partner, a consultant, a Fortinet competitor, or a government affiliate. To receive the gift you must: (a) be an IT professional currently employed at a company with at least 500 employees, (b) complete the phone or in-person meeting with a Fortinet Account Executive, and (c) sign Fortinet's Product Awareness Gift Acknowledgement Form. The initial conversation will be conducted by a Fortinet Business Development Representative to qualify the need prior to scheduling.
 
Yes, but I bet they don't even ask. They didn't ask me how many people we have, but perhaps they already knew.
 
I will gladly take your word for that, I don't even swim in the same pond of networking knowledge as you. However...

At my level (small to medium sized commercial accounts) I found I just can't be an expert in all brands. I recommend folks pick a brand and specialize there. You run into more scenarios that way and can work your way up to being an "expert" in that brand. You can take their certification training, get familiar with the various products and have a solution at the ready for most things you run into. There are lots of choices - pick one and stick with them until they give you a reason to leave.

Right or wrong, I chose Sonicwall - I've got about 150 in the field now, I'm enjoying the annual license renewal income and I've got a good idea what box I need for what client/situation. I would have a hard time telling which end was up with a Cisco, but that's ok with me. I haven't found the need to work with them. I've heard good things about both Palo Alto & Fortinet, but SW hasn't given me a reason to bet on another horse yet (and frankly, I hope they don't!).
 
Thanks... but there is a ton I cannot do, like databases etc.; we all sort of end up in our own ponds at some point in our career, lol.

Whatever works for you is what you should use. That said, if you ever decide to try a Palo Alto, I will walk you through the setup of the first one, and you will probably never want to deal with another Sonic Wall again a few weeks after you deploy your first PA.

I agree with you Cisco is the wrong choice. The Adaptive Security Appliance (ASA) is a glorified router with some higher end layer-4 functionality, but it's still at its heart a traditional ports-based firewall. Besides, they are crazy expensive, and Cisco support is anything but helpful unless you pay ridiculous amounts for their TAC support.
 
I recall the networking guys at one of my corporate jobs going crazy with excitement about replacing ASAs with Palo Altos. They were blown away by the features and ease of use.
 
So, this turned out to be really easy in the end. All that's required is to leave the physical port (X3 in this case) unassigned and create a Virtual Child Port underneath it. Virtual ports have the ability to tag VLAN traffic, so it was really simple.

Finally, it would NOT work with the Huawei modem in bridge mode - no way. However, bypassing the modem entirely and plugging into the ONT did the job.


[Attached screenshot: 2018-05-05 00_29_13-2016HOST - RockfieldConnect - Connected.png]
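As an added illustration (not from this thread, and not SonicWall's own code), the Python below builds the PPPoE discovery (PADI) frame a WAN port sends, once untagged and once carrying an 802.1Q tag for VLAN 10, parses both back, and models an ISP access network that only answers discovery on its service VLAN, which is why the untagged attempt on X3 never came up. The source MAC and the single-VLAN rule are constructed assumptions.

```python
import struct
from typing import Optional

ETH_P_8021Q = 0x8100       # 802.1Q VLAN tag TPID
ETH_P_PPPOE_DISC = 0x8863  # PPPoE Discovery stage (PADI/PADO/PADR/PADS)
PADI_CODE = 0x09           # PPPoE Active Discovery Initiation
BROADCAST = b"\xff" * 6

def build_padi(src_mac: bytes, vlan_id: Optional[int]) -> bytes:
    """Build a PADI frame; wrap it in an 802.1Q tag when vlan_id is given.

    Constructed example frame, not a capture from the thread's equipment.
    """
    # PPPoE header: ver/type 0x11, code PADI, session 0, payload length,
    # followed by one Service-Name tag (0x0101) with an empty value ("any").
    tags = struct.pack("!HH", 0x0101, 0)
    pppoe = struct.pack("!BBHH", 0x11, PADI_CODE, 0, len(tags)) + tags
    if vlan_id is None:
        return BROADCAST + src_mac + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe
    tci = (0 << 13) | (vlan_id & 0x0FFF)  # PCP 0, DEI 0, 12-bit VID
    return (BROADCAST + src_mac
            + struct.pack("!HH", ETH_P_8021Q, tci)
            + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe)

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan_id (None if untagged), inner ethertype, PPPoE code."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info = {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "pppoe_code": None}
    if ethertype == ETH_P_PPPOE_DISC:
        info["pppoe_code"] = frame[offset + 1]  # byte after ver/type
    return info

def isp_would_answer(frame: bytes, required_vlan: int = 10) -> bool:
    """Model (an assumption) of an access network that services PPPoE
    discovery only on its service VLAN: untagged PADIs are silently dropped."""
    p = parse_frame(frame)
    return p["ethertype"] == ETH_P_PPPOE_DISC and p["vlan_id"] == required_vlan
```

Run the tagged and untagged frames through `isp_would_answer` to see the difference between the failed untagged port and the working VLAN sub-interface.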
 