centos 7 as a router?

Issues related to configuring your network
jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/14 13:14:48

Good, we are making progress.
bryan1 wrote: My bad, trying to put each subnet down on the diagram makes my head want to explode
Do not worry. I know that feeling. We can pretty much ignore the other subnets; a solution that works for one should work for all.
bryan1 wrote: Now I realized I was referring to a logical topology worksheet they left me. In the ISP's physical topology they have fiber coming into the building to my first telephone closet, which is connected to what I assume is a layer 2 device... then they installed a Cisco 3945E router, which is what I have to use as the gateway to the internet.

The AT&T 3945E router is configured where I have 30 public IP addresses.

Image that shows SonicWall device and (unconnected) Sophos pair
First, an active/backup HA pair of Sophos is logically one device, but it needs two wires on the WAN side.

I'll try to draw again:

LAN-A === BOX-A --- 3945E --- LAN-B --- SonicWall --- LAN-C --- MEDVPN --- LAN-D
=== is fiber
--- is Cat[567]
LAN-A is ISP's subnet
LAN-B is your public x.y.z.w/27 subnet
LAN-C is some private subnet
LAN-D is the "OffLAN" subnet
BOX-A is probably tiny, powered and simply a fiber-copper converter. The 3945E seems to have SFP-slots and could thus connect fiber directly.
3945E acts as DHCP and gateway for the x.y.z.w/27? That leaves you 29 public addresses.
SonicWall has several public IP addresses (and port forwarding rules for them).
bryan1 wrote: I tested a layer 2 switch and I couldn't reach the internet with it in the topology.
That is interesting. You had this?

LAN-A === BOX-A --- 3945E --- switch (LAN-B) --- SonicWall --- LAN-C --- MEDVPN --- LAN-D
Replacing a patch cable with patch+switch+patch should make no difference. Unmanaged L2 has no IP address of its own.

Unless ... The 3945E apparently has four ports. Routed ports, presumably. It has probably been configured to host x.y.z.w/27 on one port, the port where the cable from the SonicWall is connected. If you did not try with that port, but plugged the switch into another port of the 3945E, then you probably tried a disabled port.

A further possibility is that LAN-B is a tagged VLAN that the 3945E and SonicWall know and use, but you tested with an untagged device.


If you have 29 addresses, then you should be able to connect 29 devices to the 3945E, and an L2 switch is the way to connect multiple devices to the port on the 3945E.

Yes, now it makes sense to get rid of LAN-C. To create:

... 3945E --- LAN-B --- firewallS --- LAN-D
The firewallS is multiple devices that act as firewalls: SonicWall, R2, MEDVPN, Sophos(es), ...
All these firewalls have 3945E as the default gateway.
Other members of LAN-D have one of these as default gateway and might have others as static routes to VPN tunnels.


This requires the (L2) switch in LAN-B. Recheck (with AT&T) why you failed previously.


It makes no sense at all to create:

... 3945E --- LAN-B --- C7 router --- LAN-E --- firewallS --- LAN-D

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/16 21:18:42

I may have assigned the wrong IP to the layer 2 switch between the ISP 3945E and the SonicWall, but at layer 2 it shouldn't matter, and like you said about the VLAN on the router, maybe a VLAN ID that is different from the default VLAN 1.

The route from the 3945E must have been defined, which requires the next device to be defined to match it. I am going to see if the ISP will show me the router config to get that question out of the way...

Additional details about the ISP equipment...

The internet modem where the fiber comes in looks like a switch... it's a Ciena 3930, and the ISP 3945E router also has a 2-port gen multiflex trunk/WAN interface card and a 32-channel high-density voice and video DSP module spare.

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/17 21:57:57

Here is advice from ISP

"Based on our discussion and the diagrams you sent me, I can recommend 2 things: first is to have a custom VLAN or VPN tunnel configured on the ISP 3900 series router, to accommodate all your devices in your network.

You may also want to consider getting an additional IP block, although it will cause the problem of you reconfiguring all your devices with this new block. I don't think an additional router is necessary, although it is an option.

FYI, we do have other customers who have similar setups as yours and they did end up getting more than 1 router from us. I highly suggest you consult with your ISP account manager, as all these options require a service order to be processed by him/her."

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/20 07:06:22

I clearly do not speak marketing, for most of that ISP talk makes little sense.

If you already have a sufficient block of public IPs, then adding more blocks will not make any difference.

If you already have a block of public IPs, then the ISP hardware either routes between your public subnet and the ISP subnet, or bridges so that only addresses from your block can use the physical connection. Either way no additional VLAN or VPN makes any sense, for those are about additional subnets.


If the ISP router does currently enforce some VLAN ID, then your Sonicwall config must use it too. Otherwise the existing connection would not function. In other words, that info is in your device.


The diagrams to show to ISP are simple. You have now:

ISP 3900 series  ---(patch cable)--- Network device with (some of) your public IP
You need to have:

ISP 3900 series  ---(patch cable)--- switch ---(K patch cables)--- K network devices, each with public IP(s) from your block

An L2 switch should be fine, assuming it does not touch the VLAN IDs on packets.

If you want a managed switch with management IP, then create a separate VLAN for it. You don't want that traffic to reach the ISP 3900 series. Ever.
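One way to settle the tagged-VLAN question raised twice in this thread (the "tested with an untagged device" possibility and "that info is in your device") is to look at what actually crosses the link from the 3945E instead of guessing. The parser below is an added example, not code from anyone in the thread; it peels 802.1Q and 802.1ad tags off raw Ethernet frames and reports the VLAN IDs seen, and the three sample frames are constructed here (the MACs and VLAN IDs are made up).

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # provider tag (outer tag in QinQ)
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header; return MACs, VLAN IDs (outer first), payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_ids = 14, []
    # Each tag is 4 bytes (TCI + next EtherType) sitting between src MAC and payload.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return {"dst": mac_str(dst), "src": mac_str(src), "tagged": bool(vlan_ids),
            "vlan_ids": vlan_ids, "ethertype": ethertype, "payload": frame[offset:]}


def tag_summary(frames) -> dict:
    """Count untagged frames and frames per outer VLAN ID across a capture."""
    summary = {"untagged": 0, "by_vid": {}}
    for frame in frames:
        info = parse_frame(frame)
        if info["tagged"]:
            vid = info["vlan_ids"][0]
            summary["by_vid"][vid] = summary["by_vid"].get(vid, 0) + 1
        else:
            summary["untagged"] += 1
    return summary


# Constructed sample frames: made-up MACs and VIDs, zero-padded payloads.
GW_MAC = bytes.fromhex("021122334455")  # stands in for the 3945E port
FW_MAC = bytes.fromhex("0266778899aa")  # stands in for the SonicWall WAN port
UNTAGGED_ARP = FW_MAC + GW_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
TAGGED_IPV4 = (FW_MAC + GW_MAC + struct.pack("!HHH", ETHERTYPE_8021Q, (3 << 13) | 100, ETHERTYPE_IPV4)
               + b"\x45" + b"\x00" * 19)
QINQ_IPV4 = (FW_MAC + GW_MAC + struct.pack("!HHHHH", ETHERTYPE_8021AD, 5, ETHERTYPE_8021Q, 100, ETHERTYPE_IPV4)
             + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(tag_summary([UNTAGGED_ARP, TAGGED_IPV4, QINQ_IPV4]))
```

Feed it frames captured on the port facing the 3945E (for example the raw bytes of a pcap read with any pcap library); if every frame from the gateway carries a VID, the SonicWall's WAN side must already be configured for that VID, and an untagged test device on the same switch port will never get an answer.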
