
We have two of our sites connected via an MPLS that bypasses our firewall. Traffic between the sites, when it hits our core switch, is routed directly to a second interface on our ISP's router.

The one thing we could never figure out how to fix is managing our firewalls across the MPLS. The LAN interface will not respond to pings or https requests, forcing us to enable management via WAN which is awful.

For our IP based VPNs between our non-MPLS sites, we just used the setting "Allow management via this SA" on the VPN configuration, which creates access rules allowing management/ping from zone VPN to LAN, and that works perfectly.

We tried to get the same to work between the MPLS sites by creating an unused IP VPN and setting that option, but even that didn't work which leaves me with no idea what else to try.

Geoff

2 Answers


Aside from firewall policies, each firewall needs a static route to the other site; otherwise it will just not know how to reach it via the MPLS router.

Let's assume the following, since you didn't actually describe your network:

Site 1:

  • Subnet: 10.1.0.0/16
  • SonicWall LAN interface: 10.1.0.1
  • MPLS router: 10.1.0.10

Site 2:

  • Subnet: 10.2.0.0/16
  • SonicWall LAN interface: 10.2.0.1
  • MPLS router: 10.2.0.10

You need to add the following static routes to your firewalls:

  • SonicWall in Site 1: "you can reach 10.2.0.0/16 via 10.1.0.10"
  • SonicWall in Site 2: "you can reach 10.1.0.0/16 via 10.2.0.10"
Massimo
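To see why the static route matters, here is a small longest-prefix-match simulation of the Site 1 SonicWall's routing table before and after adding the route from the answer. This is an added illustration, not code from the question or the answer; the interface names X0 (LAN) and X1 (WAN), the WAN gateway address, and the management client address are assumed.

```python
import ipaddress

# Addresses from the answer's Site 1 / Site 2 example.
SITE1_FW_LAN = "10.1.0.1"
SITE1_MPLS_ROUTER = "10.1.0.10"


def lookup(route_table, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


# Site 1 firewall before the fix: only the connected LAN and a default route.
# X0/X1 and the WAN gateway 203.0.113.1 are assumed for the example.
BEFORE = [
    ("10.1.0.0/16", "connected", "X0"),  # LAN, directly connected
    ("0.0.0.0/0", "203.0.113.1", "X1"),  # default route via the ISP on WAN
]

# After the fix: the static route from the answer, pointing at the MPLS router.
AFTER = BEFORE + [("10.2.0.0/16", SITE1_MPLS_ROUTER, "X0")]


def reply_interface(route_table, mgmt_client):
    """Interface the Site 1 firewall would use to answer a management client."""
    match = lookup(route_table, mgmt_client)
    return None if match is None else match[1]


if __name__ == "__main__":
    client = "10.2.0.50"  # assumed admin workstation at Site 2
    # Without the route the reply leaves via WAN, so the LAN-side session never works.
    print("before:", reply_interface(BEFORE, client))  # X1
    # With the route the reply goes back through the MPLS router on the LAN side.
    print("after: ", reply_interface(AFTER, client))   # X0
    print("next hop after:", lookup(AFTER, client))    # ('10.1.0.10', 'X0')
```

The before case shows the asymmetry: the ping request arrives on X0 from the MPLS router, but the reply is routed out X1, which is why enabling management on the LAN zone alone is not enough.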
  • If the packet comes in through the WAN port, you have no choice but to activate the setting (Enable management via WAN).

  • If the packet is seen on a LAN port but comes from another subnet, you need to define those subnets in the SonicWall and create an allow rule for them. See the picture for an actual example.

NB: you are missing a network diagram, which would help.

yagmoth555