Internet Routing Issue - Sonicwall

We have both a Comcast and Verizon connection at our school. They are going into a Sonicwall NSA5500. The configuration is such that if the primary - Comcast - fails then the secondary - Verizon - will pickup the internet traffic. The issue we are having is with local Verizon customers. When we got our IP address from verizon it was a /24 subnet with a gateway starting at .1

I thought this was strange as every other time I have gotten a block of static IP addresses from an ISP it has been a /29 or /28 at the most. But the ISP confirmed that this is what we were supposed to get and it should not cause problems.

A local business we deal with happens to be on our subnet with the same next hop Gateway. When I perform a traceroute to them, the traffic goes directly out the Verizon WAN interface to our common gateway, then to the local business. This, all while the Comcast Interface is our dedicated primary for all traffic.

I spoke with Sonicwall and they explained that the firewall is simply taking the most efficient path which makes sense to me in some regard but is still confusing why it would use the interface when policy says it is a failover.

Now, this local business tries to send us email with their on premise Exchange - we also have Exchange. The emails will sit in their queue indefinitely and ultimately fail to reach us. If I disable the Verizon interface the emails come in perfectly fine - even some in their queue will immediately come through once I disable it. I thought this was a DNS issue but it is not or at least our DNS is all configured correctly where we have no other problems with email. Our MX records utilize the static IPs from Comcast - nothing is using our static Verizon addresses.

Anyone have thoughts?
 
What if you were to put in a lower priority MX record for a Verizon address? This way if something happens to your Comcast link you still get e-mail coming in.

Open port 25 on that link to your Exchange server.

My guess is that BGP is dictating that the fastest route to them is via the Verizon link so it uses that. Though why they are getting that as the return route if you aren't advertising it is a good question.
 
I absolutely agree with the MX record as being the final plan and it would fix it. I just don't understand why Verizon gave us both the same gateway and why it is communicating despite my efforts to prevent it.

One tidbit of information is the email headers from this person show it coming from an IPv6 address and advertises their local host name (server.network.local). Still shouldn't impact their ability to see my MX records on Comcast.
 
Sounds like perhaps Verizon has a shared connection for the whole building and they just divvy it up to the tenants.

Can I ask how you have your dual WAN configured? Do you have it configured as a basic failover group, ratio, or round robin?

As for the email issues, you're going to have to work with them to do a few tests, namely:

From their network:

1) Do an MX record lookup for your domain
2) Make sure the A record specified in the MX resolves to the correct IP
3) Run a traceroute on the IP.
4) Can you telnet to port 25 on your comcast interface (I'm guessing not)

It almost sounds like the mail traffic is coming in the Comcast link and going out the Verizon link. On the NSA5500 you can test this by running a packet capture while doing #4 in the above. You should see the connection come in on the Comcast, and then note where the Sonicwall is forwarding the traffic for the reply.

Riley
 
So they assigned you a /24 or your static IP happens to be in a /24 subnet? I have two static IPs and they are both on a /24 subnet with .254 being the gateway.

If they are the same gateway they are both on the same router interface.

Can you set a default route on the Sonicwall with a lower preference going out the Comcast link?

If your mx points to your Comcast ip, I don't see how it could be trying to go via the Verizon link...
 
Riley,

This is not a shared property. The business with the issue is a mile down the road, same town but we have our own line. The WAN is in a failover with the Verizon taking 3rd priority, we actually have two comcast connections.

Mxtoolbox properly shows our MX records. Our A records match our MX record and our pointer record matches them. There is no problem with any of that otherwise we would be having issues with other senders which we are not.

I cannot telnet to port 25 on our interfaces because we use a spam appliance which directs the traffic to our email server.

The problem seems to be with our Sonicwall - basically if I traceroute out, it will always go over the Verizon network to their office.

I can do a telnet to their mail server. When I have the Verizon interface active (but 3rd priority in failover) and I do a HELO from their server it says Hello [Verizon interface]

Once I shut that interface down and do the same steps I get Hello [Comcast Interface]

I thought about the default gateway which is created automatically and cannot be changed. It has an identical metric but the priority shows as #4 - higher than the others.
We only have a block of 5 static IPs but the subnet mask is for a /24 and our default gateway is way on the opposite end. Our block is something like .208-.212 but the gateway is .1
 
Well, believe it or not, but what you're seeing is normal (except for the not working part; after thinking about it more, I think I know what is happening).

From the Sonicwall's (or any router's) point of view, anything on that Verizon subnet is on the same network as you, so it's going to use that Interface to communicate. Out of all the WAN connections you have, the Verizon link is the most direct since it's physically in the same network. When you unplug the Verizon link, there is no longer a direct connection to that /24, so it must use another link.

As long as that connection is active, the traffic destined for that Verizon subnet is going to go out the Verizon interface. What you need is a router that will ignore or remove the routing entries for links which are not considered to be "active", until failover is needed. I'm not sure of what would do that.

Now, for them connecting to you, check your Sonicwall logs and look for entries regarding spoofed addresses. It could be blocking the incoming traffic on the Comcast interface because the source address of that traffic is on the subnet of your Verizon interface. Basically, the Sonicwall thinks it is seeing traffic from the Verizon interface on the Comcast interface and it's probably confused. You may be able to turn that checking logic off. I would check with Sonicwall support.

Either way, I think your only two options in this case are to:

1) Ask Verizon to move you to a dedicated, smaller subnet (probably the best option)
2) Set up rules on the Verizon Interface to allow the traffic you want. The other company will need to set up a rule in Exchange for your domain to ignore your MX and send to the Verizon interface.

Any other companies you deal with on your same Verizon subnet would need to do the same. So, #1 is the best option.

Riley
 
Thanks Riley. When we spoke to our ISP on Tuesday they claimed that Verizon said there was no known issue with our configuration. Of course, I'm assuming whoever that is has no idea what VLSM is.....

Anyways I think you are spot on with that and I'm going to push to get our IPs changed. I don't want this to surface again for some other service I am not aware of.
 
Ok so....

I spoke with Sonicwall regarding routing SMTP out the primary interface. Everything was configured properly so they pointed fingers at the /24 mask.
I got a Verizon "network technician" to look at it. After a day they came back and said there was nothing they could do. The town is configured as a MAN and although it would be possible to move to another subnet it is out of the scope of our SLA. "Best effort service" I guess.

I got Sonicwall tier 3 support who basically changed the subnet mask on our Verizon interface to a /30 and everything still works. Which is weird cause I tried a /28 prior and that failed. Anyways, seems to be working well with the SMTP route statement.
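The behaviour Riley describes (a directly connected /24 always wins over the "primary" default route, and the reply to mail arriving on Comcast leaves via Verizon) and the fix in the last post (shrinking the Verizon mask) can be reproduced with a toy longest-prefix-match route table. This is an added example, not the thread's or SonicWall's code; the interface names X1/X2, the RFC 5737 documentation addresses, the metrics and the assumption that the gateway stays reachable on X2 after the mask change are all constructed for illustration.

```python
"""Toy longest-prefix-match routing table.

Shows why a failover WAN whose interface sits on a /24 still carries all
traffic to hosts inside that /24, and why narrowing the mask changes that.
Constructed example; addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str   # "connected" or a gateway IP
    metric: int     # only breaks ties between routes of equal prefix length


def build_table(verizon_prefixlen: int) -> list[Route]:
    """Assumed layout: Comcast on X1 (primary, 198.51.100.8/29),
    Verizon on X2 (failover, address .210 inside 203.0.113.0/24, gateway .1).
    verizon_prefixlen is the mask configured on X2 (24 as delivered, 30 after the fix)."""
    comcast_if = ipaddress.ip_interface("198.51.100.10/29")
    verizon_if = ipaddress.ip_interface(f"203.0.113.210/{verizon_prefixlen}")
    return [
        # connected routes are installed automatically from the interface masks
        Route(comcast_if.network, "X1", "connected", 0),
        Route(verizon_if.network, "X2", "connected", 0),
        # default routes: primary WAN first, failover WAN at a worse metric.
        # The toy assumes the X2 gateway stays reachable on-link regardless of mask.
        Route(ipaddress.ip_network("0.0.0.0/0"), "X1", "198.51.100.9", 1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "X2", "203.0.113.1", 4),
    ]


def lookup(table: list[Route], dst: str) -> Route:
    """Longest prefix wins; the WAN priority (metric) matters only among
    routes of the same length, which is why a /24 beats every default route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def reply_asymmetric(table: list[Route], ingress_if: str, peer: str) -> bool:
    """A connection arriving on ingress_if from peer is asymmetric when the
    reply lookup for peer picks a different egress interface. This is the
    situation Riley suggests checking with a packet capture: the SYN lands
    on Comcast, the SYN-ACK leaves on Verizon."""
    return lookup(table, peer).interface != ingress_if


if __name__ == "__main__":
    business = "203.0.113.50"   # constructed: the local business inside the Verizon /24
    for masklen in (24, 30):
        table = build_table(masklen)
        r = lookup(table, business)
        print(f"/{masklen}: {business} -> {r.interface} via {r.next_hop}; "
              f"reply to inbound on X1 asymmetric: {reply_asymmetric(table, 'X1', business)}")
```

With the /24 mask the business address matches the connected route on X2, so both outbound mail and replies to inbound connections leave via Verizon, which is the HELO banner the poster saw. With a /30 the connected route shrinks to 203.0.113.208/30, the business address only matches the default routes, and the lowest metric (Comcast) wins. A real firewall additionally needs the gateway to remain reachable after the mask change, which the toy table simply assumes.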
 