Solution to your SonicPoint WLAN woes.

Saturday, February 12th, 2011

I recently blogged an article on how to quickly and easily configure a SonicPoint with your SonicWALL firewall. If you haven’t read it, you can read it here before reading further. If you have read it, keep on reading!

Below is an example of a typical but small deployment utilizing a SonicPoint for wireless access.

Small Network Deployment

As you can see, it’s pretty straightforward. Your LAN users are connected to the X0 port (LAN zone) and your SonicPoint is connected to the X6 port (WLAN zone).

This kind of scenario assumes that your firewall and SonicPoint are in close proximity with one another.

The Problem

There are times when the firewall is in one location but the SonicPoint has to be placed well beyond cabling reach of it. Below are two scenarios where your SonicPoint is in another location.

Scenario #1: In this scenario, the firewall is on the first floor while the SonicPoint is somewhere around the 5th floor. You only have one feed to that floor, and it is already connected to the LAN zone.

Scenario #1

Scenario #2: In this scenario, the SonicPoint is in a completely different building!

Scenario #2

Here is why this is a problem for SonicPoints. A SonicPoint needs a direct layer-2 connection to an interface in the WLAN zone. So if X6 is the interface assigned to the WLAN zone, the SonicPoint has to be plugged into that port. If you are on the 5th floor, or in another building, how do you reach it? Running a second cable from X6 all the way up to the 5th floor, or a second feed to the other building, is possible, but costly.

You may also wonder: why not just connect the SonicPoint to the LAN zone like everyone else? Can’t it obtain an IP address from the LAN like any other client and then broadcast its own wireless networks? No, and the reason is how a SonicPoint gets provisioned.

SonicPoints are discovered and provisioned with the SonicWALL Discovery Protocol (SDP). SDP is a layer-2 broadcast protocol; it is not routed, so the SonicPoint must sit in the same broadcast domain as a WLAN-zone interface on the firewall, and the firewall will only provision SonicPoints it hears on such an interface. Here is how SDP works.

  • Advertisement – SonicPoint devices without a peer will periodically and on startup announce or advertise themselves via a broadcast. The advertisement will include information that will be used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and will take configuration actions as needed.
  • Discovery – SonicOS devices will periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
  • Configure Directive – A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.
  • Configure Acknowledgement – A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
  • Keepalive – A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

The Solution

So what is the solution when you only have one feed?

  1. VLANs (a VLAN sub-interface on the firewall)
  2. 802.1Q trunking (on the switch)

VLANs

Up until SonicOS 5.6, only the NSA series could create VLANs, which on a SonicWALL are sub-interfaces, or virtual interfaces, hanging off a physical port. With the release of SonicOS 5.8, SonicWALL extended VLAN support to lower-end firewalls such as the TZ series. This means your TZ now has flexibility that was once only available on the higher-end models.

The trick is to create a new sub-interface on X0 (the LAN zone interface). When you create this sub-interface you must give it its own VLAN ID and its own zone. The default (native, untagged) VLAN is 1, so we can’t use that; we’ll use VLAN 10 (any ID from 2 to 4094 works, as long as it isn’t already in use on your switches). The zone will be WLAN. How can you have the WLAN zone on the LAN interface?

The rule for SonicWALL zones is that an interface belongs to exactly one zone (a zone may contain several interfaces, but a single interface cannot be in two zones), so X0 itself is LAN and nothing else. A VLAN sub-interface, however, is treated by SonicOS as its own virtual interface with all the properties of a physical one, including its own zone. That means X0:V10 can be placed in the WLAN zone while X0 stays in LAN, and because the firewall sees two interfaces in two zones, traffic between the wireless clients on X0:V10 and the LAN on X0 is still subject to your WLAN-to-LAN access rules.

Check it out!

Creating the VLAN (sub-interface)

Trunking

It doesn’t stop there, though. You cannot just plug the SonicPoint into the X0 port and expect it to work. The SonicPoint sends its SDP provisioning traffic untagged; it does not tag those frames for VLAN 10, and it cannot form a trunk with the firewall. Plugged straight into X0, its frames land in the native VLAN (VLAN 1, the LAN zone), never on X0:V10, so the SonicPoint will not provision itself with SDP.

What you need to do instead is trunk your X0 port (LAN zone) to a switch that understands 802.1Q trunking. In my example, I use a Cisco Catalyst 2960G. The 2960G supports only 802.1Q encapsulation (no ISL), so there is no encapsulation to choose and creating the trunk is that much simpler.

Below I connect the X0 port on the SonicWALL firewall to the GigabitEthernet 0/1 port on the Cisco 2960G switch.

TZ 210 to 2960G

Configure the switchport for trunking and verify.

Switchport Trunk Configuration

Switch Trunk Verification

As you can see, Gi0/1 is now trunking to the SonicWALL’s X0 port.

This means the single link can now carry traffic for more than one VLAN: the native VLAN (1, the LAN zone) travels untagged and the newly created VLAN 10 travels tagged, both over the same cable to the Cisco 2960G. The final task is to assign a switchport to VLAN 10 as an access port, so the SonicPoint’s untagged frames land in VLAN 10 and the SonicPoint can connect directly to it. Below, I assign GigabitEthernet 0/20 to VLAN 10.

Assign port 20 to VLAN 10

As soon as I connected the SonicPoint to port 20, it automatically provisioned and started broadcasting its SSID!

SonicPoint Operational

Notice what the interface column says: X0:V10. The X0 indicates the physical X0 (LAN zone) interface and the V10 indicates your VLAN ID, 10. As far as the SonicPoint is concerned it is connected to a WLAN-zone interface, because that is exactly what X0:V10 is; it has no idea that a LAN trunk sits in between.

I hope this gives you some ways to keep using your SonicPoint(s) in your environment. The multiple-building scenario is the same concept: make sure the link between the switches in each building is an 802.1Q trunk that carries VLAN 10, and that the port the SonicPoint plugs into is an access port in VLAN 10.
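Putting the single-switch walkthrough above and the multi-building note together, here is the Catalyst IOS configuration for both switches. This is an added example, not the screenshots from the original post. The port numbers Gi0/1 and Gi0/20 on Switch 1 are the ones the post uses; the inter-switch uplink on Gi0/24 at both ends, the second switch’s Gi0/5, the VLAN name and the description strings are assumptions. The SonicOS side (the X0:V10 sub-interface in the WLAN zone) is configured in the GUI exactly as shown above and is not repeated here.

```cisco
! Switch 1: Catalyst 2960G in the same building as the TZ 210.
! Added example, not the original post's screenshots. Gi0/1 and Gi0/20 come
! from the post; Gi0/24, Gi0/5 and the VLAN name are assumptions.
vlan 10
 name WLAN-SONICPOINT
!
! Trunk to the SonicWALL X0. The 2960G speaks 802.1Q only, so there is no
! "switchport trunk encapsulation" command to enter. VLAN 1 stays native
! (untagged) and matches X0 itself; VLAN 10 is carried tagged and lands on
! X0:V10 (WLAN zone). The allowed list is pruned so nothing but these two VLANs
! can ride this link, and DTP is disabled so the trunk state is fixed rather
! than negotiated with whatever happens to be plugged in.
interface GigabitEthernet0/1
 description Trunk to SonicWALL X0 (native VLAN 1 = LAN, tagged VLAN 10 = X0:V10 WLAN)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 switchport nonegotiate
!
! SonicPoint port. The SonicPoint's SDP provisioning traffic is untagged, so
! this must be a plain access port whose untagged VLAN is 10; as a trunk, the
! SonicPoint's frames would sit in VLAN 1 and it would never provision.
! BPDU guard: an access point never sends spanning-tree BPDUs, so the port is
! shut down if one appears (something other than the SonicPoint was plugged in).
interface GigabitEthernet0/20
 description SonicPoint (access port, untagged VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to Switch 2 in the other building (scenario #2). Only the VLANs that
! building needs are allowed across; VLAN 10 must be in the list or the remote
! SonicPoint has no path back to X0:V10.
interface GigabitEthernet0/24
 description Trunk to Switch 2 (other building)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 switchport nonegotiate
!
! ---------------------------------------------------------------------------
! Switch 2: the switch in the other building. VLAN 10 has to exist here too
! (define it by hand as below, or let VTP distribute it). The uplink mirrors
! Gi0/24 on Switch 1 and the SonicPoint port is identical to Gi0/20 there.
vlan 10
 name WLAN-SONICPOINT
!
interface GigabitEthernet0/24
 description Trunk to Switch 1 (main building)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
 switchport nonegotiate
!
interface GigabitEthernet0/5
 description SonicPoint (access port, untagged VLAN 10)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification, run on each switch:
!   show interfaces trunk                       -> Gi0/1 / Gi0/24 "trunking", native 1, VLANs 1,10 allowed and active
!   show vlan brief                             -> Gi0/20 (Gi0/5 on Switch 2) listed under VLAN 10
!   show interfaces GigabitEthernet0/20 switchport -> Operational Mode: static access, Access Mode VLAN: 10
```

If the SonicPoint still shows as initializing after this, the usual causes are VLAN 10 missing from the allowed list on one of the trunks, VLAN 10 not defined on the remote switch, or the SonicPoint port having ended up as a trunk (its provisioning frames then sit untagged in VLAN 1, where X0:V10 never sees them). On the security side, be clear about what this design does: the WLAN zone now rides inside the LAN cabling plant as a tagged VLAN, so isolation between wireless clients and the LAN rests on the SonicWALL’s WLAN-to-LAN access rules between X0:V10 and X0, plus the switches keeping VLAN 10 off every port except the SonicPoint ports and the trunks. The native VLAN number on the switch side is a local choice; it only has to be the untagged VLAN that X0 itself lives in, and VLAN 1 is what the post uses.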

Comments and feedback are welcomed! Thanks again for reading!

  • Joe Quevedo

    Brandon,

    I have found your blog today and read through just about every post regarding working with SonicPoints and Cisco devices. You may have already answered this question and I may have misread it. I have a SonicWall NSA 2400. The sonicpoints currently connect through the network to the X4 port which gives them an address assigned by the sonicwall. My question is if it is possible to allow the SonicPoint to broadcast one SSID ‘Guest’ and also broadcast a 2nd SSID ‘Corp’ but the ‘Corp’ SSID would assign an ip address from a different DHCP that is not the SonicWall.

    Vlan 10
    SSID – Guest
    DHCP is SonicWall

    Vlan 20
    SSID – Corp
    DHCP is Microsoft DHCP server

    I am pretty sure I have the Cisco portion configured properly.

    interface GigabitEthernet3/0/18
     switchport trunk encapsulation dot1q
     switchport mode trunk

    On my router, where the Vlans reside I have a IP Helper address for Vlan 10 to point to my SonicWall then an IP Helper Address  for Vlan 20 to my other DHCP Server. When I keep the port as an Access port for either Vlan I am able to get an address from their respective DHCP servers.
    My SonicWall is supported by Time Warner, they have stated it is not possible to do this. I am looking for a second opinion.

  • http://twitter.com/brandontek Brandon Kim

    Hi Joe,

    That is an interesting question that I have not come across so you are correct in that I have not covered this. Although I don’t want to officially say ‘no’, because I have yet to actually try that kind of setup, that is something I may need to “lab up” before I could really confidently tell you yes or no.

    Let me see if I have some time this weekend and do a little labbing and get back to you.

    So to simplify your question, you basically want the CORP SSID to be able to redirect DHCP requests to a DHCP server?

  • Joe Quevedo

    Sorry, I was out of town the last few days on vacation……..

    The answer to your question is Yes, I would like my Corp SSID to redirect DHCP requests to a DHCP Server.

  • http://www.facebook.com/profile.php?id=100000223809896 Denny Boyle

    Thanks for the good content. I’m glad I found your site.
    I have several SonicPoint-G APs that provision correctly. They are on ports that are only assigned to their VLAN. I have a SonicPoint-Ne that is set up the same way that provisions on startup, but continues to go unresponsive at random times. It never stays up for more than an hour or two. I have brought it all the way back to the NSA3500 and given it an interface to itself. It provisions and stays on with no issues. I have attached some images of the layout. I have read several things at this point and I’m pulling the little hair I have left out. Does a SonicPoint require tagged VLAN traffic to pick up its proper provisions and untagged traffic on the management port to run? All of my SP-Gs, 9 of them, are in ports that only carry their VLAN traffic. The one SP-Ne is also set up this way, but I have hit a mix of information trying to resolve this. Fresh eyes and any help would be appreciated.

  • http://twitter.com/brandontek Brandon Kim

    Hi Denny,

    That is a strange issue. Is all the firmware updated (the SPs), including the NSA 3500? I have to ask this because, as you know, SonicWALL support will typically always want you to be on the latest general release when trying to solve a strange issue like this.

    The SPs use their own protocol that is not routable, hence the need to have them on a VLAN with a direct shot back to the firewall.

    Is the SP-Ne getting enough juice from the PoE?
    Could the channel the SP-Ne running on be interfering with an existing channel?

  • http://twitter.com/brandontek Brandon Kim

    No worries. I hope to check my SP this weekend to see if there are any DHCP redirect features available.

  • Daniel Bullard

    This post shows something similar to the situation I’m having problems with. I have a SonicPoint I need to put in a different building. The only problem is that the building is on a different subnet and connected via a point-to-point T1. How would you go about setting that up?

  • http://www.facebook.com/people/Michael-Gossett/1375497463 Michael Gossett

    It actually is possible. And it is the EASIEST thing ever. Example: X5 = configured WLAN and configured in BRIDGED mode to X0. This now bridges your wlan with your lan. Anything you plug into X5 will be part of the LAN. By default only SonicPoints are allowed to send traffic you can disable this in Network->Zones->WLAN->Wireless uncheck “Only allow traffic generated by a sonicpoint”

    Done.

  • http://profile.yahoo.com/FOMGIMD2P6GTTDYMGFS5Y2EXLU impartialdisturber

    Hi Brandon,

    Thanks for all the info.  I have been asked to assist someone with this type of setup.  I am working only remotely and they have already cabled the WLANx3 interface to a port on the cisco.  So, x0 and x3 both go to ports on the cisco switch.  x0 going to a non-trunk default port and x3(wlan) going to a trunk port.  Will it work if I just change the sonicwall x3 interface to layer2 bridged mode?  The guy I am assisting already setup a vlan as a sub-interface to x3.  So, if i put the x3 interface in bridged mode, will it retain the sub interface and behave as though it was simply a sub interface to x0?  Will this cause a loop on the network? (with x0 being plugged into cisco1, and x3 being plugged into cisco22)  I am inclined to reconfigure everything per your tech note, but I may not have anyone onsite to assist and they are impatient… Thanks in advance.

    GD

  • http://twitter.com/brandontek Brandon Kim

    Hi GD,

    Working remotely and having an impatient person on the other end is a disaster in the making!!! LOL

    I’m not sure what exactly you are trying to accomplish? Can you provide your current IP addressing for X0 and X3? Are you trying to get the WLAN to function on the X0 and be on the same IP addressing scheme as X0? Or are you simply just trying to tag WLAN traffic on X0 so you can share one network link?

    If you bridge X3 to X0, then X3 will be the same LAN subnet as X0. If your connection on X3 goes into the Cisco on port 22 it would probably cause a loop since you mentioned that port 22 on the Cisco is a trunk port.

    Always try to simplify your setup; it helps keep troubleshooting and running into issues down the road to a minimum. Let me know if you have any more information about your setup and we’ll see what options we have….

    Thanks!

  • http://twitter.com/brandontek Brandon Kim

    Hi Daniel,

    I don’t think that setup can work since the T1, I assume is probably a /30, but in any event, like you mentioned, it’s on a different subnet.

    You have to be able to get the Sonicpoint to be speaking on the same VLAN that is on the SonicWALL, no matter where the Sonicpoint is located.

    If the switches and trunks can carry that VLAN tag across the pond, you are good to go. But the T1 here is the road block….

  • Rijeesh Wahid

    Hi,

    I came across your blog while searching for a solution to an issue relating to the SonicPoints. I have 2 SonicPoints. I have a D-Link DGS-1024D 24 port switch; all my PCs, printers, both SonicPoints and also a SonicWALL TZ210 are connected to it. I have put one interface, X2, of the TZ210 into Layer 2 bridge mode and bridged it to the LAN interface X0 (this is connected to the D-Link) of the TZ210. The moment I connect this X2 interface to the D-Link switch, the entire switch freezes, all the LEDs on the switch keep flashing and the network hangs on all the systems. The switch and network only return to normal if I disconnect the X2 interface. Kindly advise what the reason could be; is it because of the broadcasts by the SonicPoints?

    Thanks

    Rij W

  • http://twitter.com/brandontek Brandon Kim

    Hi Rijeesh!

    Yes your switch will freeze because you are creating a loop. You’re taking your X0 which is on the LAN and effectively taking X2 (now bridged) which is also on the LAN and putting them both into the switch. This will absolutely take your switch down…..

  • prestonkeel

    Hi Brandon, this may be of use to SonicPoint users.

    Using SonicWALL SonicPoints with Virtual Access Points and Switches

    N.B. the use of the term Trunk Port throughout this document refers to the Cisco usage (as in a port that the SonicWALL’s interface or another upstream switch directly connects to on the switch), not the HP usage, which means to aggregate ports. Also, currently SonicPoints will not provision in any zone other than a Wireless zone, or over an L3 network.

    Using a separate layer 2 unmanaged switch, or a managed switch just using the default VLAN

    1. In this scenario the SonicPoints can be plugged into any port on the switch and will work with all VAPs.

    2. For instance you would use the primary X3 interface in the WLAN zone as one wireless network and create one sub-interface on the SonicWALL’s X3 interface, V100, and put it in a separate Wireless zone (for example one called Guest Wireless; do not enable interface trust on this zone). The SonicWALL should automatically assign DHCP ranges for each interface; make sure that DHCP is enabled for these. On the Corp DHCP range you may want to edit and add your own internal DNS settings, unless you are using the L2 Bridge method below and the internal LAN DHCP is being provided by your DHCP server, in which case you would only enable DHCP for the sub-interface.

    3. For traffic from the Corp Wireless to access the LAN you will need to manually change the Corp Wireless to LAN firewall rules to allow access. You may also need to tick “Enable local wireless zone traffic to bypass gateway firewalling” in the diag.html page. Another method is to L2 Bridge the X3 interface to the X0 interface; this would then put the X3 subnet on the same subnet as X0.

    4. Create your Virtual Access Point profiles (for example one Open for Guest Wireless and WPA2 for the Corp Wireless). In the Policies add No VLAN to a Corp policy and V100 to a Guest policy, group them, then assign them under the SonicPoint page by selecting the Default profile and selecting the group.

    5. Plug the SonicPoints into the ports on the switch and you should then see them being provisioned under the SonicPoint page on the SonicWALL. This may take a couple of minutes if it is the first time they have been plugged in, as they will need to download the firmware first.

    Using a managed switch separated by VLANs, using a spare interface on the SonicWALL

    1. In this scenario the SonicPoints need to be segregated on the switch away from the other VLANs, and use a separate Trunk Port on the switch from the one the SonicWALL X0 or any other VLANs may be using.

    2. For instance you would create three sub-interfaces on the SonicWALL’s X3 interface, V100, V200 & V300, and ideally put them all in separate Wireless zones (for example one called Guest Wireless, do not enable interface trust on this zone; one called Corp Wireless; and use the default WLAN zone for the SonicPoint provisioning). We will use V100 for the SonicPoint provisioning. The SonicWALL should automatically assign DHCP ranges for each sub-interface; make sure that DHCP is enabled for these. On the Corp V200 DHCP range you may want to edit and add your own internal DNS settings. For traffic from the Corp VLAN to the LAN you will need to manually change the Corp Wireless to LAN firewall rules to allow access.

    3. Create your Virtual Access Point profiles (for example one open for Guest Wireless and WPA2 for the Corp Wireless). In the Policies add V200 to a Corp policy and V300 to a Guest policy, group them, then assign them under the SonicPoint page by selecting the Default profile and selecting the group.

    4. On the switch create the Trunk Port by selecting an unused port (P10 for example), tag V100, V200 & V300 on P10 and connect the SonicWALL X3. On the ports the SonicPoints will be connected to (P15, P16, P17 in this example) again tag V200 & V300 but leave V100 untagged, and if it is an option make V100 the PVID on these ports.

    5. Plug the SonicPoints into the ports and you should then see them being provisioned under the SonicPoint page on the SonicWALL. This may take a couple of minutes if it is the first time they have been plugged in, as they will need to download the firmware first.

    6. For additional switches you will need to tag the outgoing ports for V200 & V300; V100 can be left untagged on Switch 1. The Trunk Port on Switch 2 from the upstream switch would be as you did with P10 on Switch 1.

    Using a managed switch separated by VLANs, using the X0 (LAN) interface on the SonicWALL to the switch’s main Trunk Port

    1. This scenario would be used, for example, when you have two buildings connected using the same cable and it is not a feasible option to run another cable across.

    2. Use the same method as the previous one, but add the sub-interfaces to X0 instead of X3 on the SonicWALL.

  • http://www.facebook.com/jesse.newman.3 Jesse Newman

    I have a tz 210 that is connected directly to a cisco switch, the switch is connected to the comcast modem. I have a couple of servers that are connected to the switch but only the wired computers can see the server files. Wireless can ping but not access the servers… any ideas?

  • http://www.facebook.com/profile.php?id=1296125818 Nick Spender

    Hello, I have successfully set up the above using a SonicWALL TZ210 and an HP ProCurve switch. The problem I am facing is that I have an HA link to another TZ210 and this firewall sees the SonicPoint as initializing… Any help would be great.

  • Jimmy Abdouramane

    Hi Paul,  

    Did you ever get the scenario above working??? I am trying to do the exact same thing but with a Netgear switch.  I think the terminology and strange ways of doing VLAN/Trunking are the same in HP and Netgear.

  • Michael VanSickle

    Hi!  Thanks for a great article!  One question though, can this be made to work with multiple SSIDs?  I tried changing the access port to a general port (so it would carry multiple VLANs), and it wouldn’t work.  Change it back to access, and it only carries the traffic of one VLAN.

  • Travis Reed

    You can carry multiple SSIDs on one sonicpoint by tagging both VLANs, however, you will not have management capabilities.  Access will work perfectly fine on both networks, but when you go to your sonicwall to check settings, it will not show any SonicPoints connected.  If you need to make adjustments to the Sonicpoints, you have to untag one of the VLANs, make the adjustments, then retag it when you are done.

  • bygrob

    Hi,

    Today is not a good day for me.  Your article is great! What confuses me now is that I have about 22 customer locations where they have two buildings.

    * Single Firewall TZ 210 [Latest Firmware]
    * X0 (192.168.199.1) goes to first switch number 1, or what many would call the ‘main switch’ [Dell 2800].
    * X3 (192.168.200.1) [WLAN ZONE] – CAT5 run about 85 feet to switch number 2 [Dell 2800] in the building next door.

    I have one or two SonicPOINT NDR’s connected to switch 2 in next door building [Dell 2800].  The SonicPOINTS come right up with no issues on the SonicWALL.  I am able to configure them with no problems.  That said, I could have a major problem too.  Something that would normally be a problem with larger networks and not so much with smaller ones like what I have described above.

    Other devices are also connected to both switches.  Why does it work for me? Your article states that this configuration does not work. 

    Please help me understand so that I can modify my smaller sites.  Your help is greatly appreciated.

    Rob

  • http://twitter.com/brandontek Brandon Kim

    Hi Rob!

    Thanks for your post and pictures. The reason why your setup works is because your switch is basically acting as an extension to your WLAN zone.
    The “current” issues with SonicPoint’s is that their SDP protocol is not routable.

    But stay tuned, apparently this is going to be fixed very very soon!

  • John Austin

    Hi 

    I set up my SonicWALL a different way: I took 3 ports on my switch and put them in VLAN 20.
    I also have VLAN 20 on another switch in another office across fiber.
    This has been working for 2 years; now I’m starting to get issues.

    I have X2 going into switch 1 with 3 ports and 2 SonicPoints in VLAN 20, and switch 2 has 1 port in VLAN 20 for the SonicPoint.

  • Adam Moran

    We have had a SonicWALL for some time now and we are just getting our first SonicPoint device. Basically, we cannot connect to any network made by the SonicPoint device. We have a few tricky things going on with the SonicWALL and I was hoping you could help. Here’s the situation:

    1 SonicPoint Ne device configured for 2 SSIDs (one with RADIUS authentication WPA2-EAP and the other with no authentication). Due to our SonicWALL being much further away than the rest of our LAN computers, I needed a way to get the SonicPoint in range. Thus, I have a VLAN configured as a sub-interface whose parent is the LAN interface. In order to plug the SonicPoint into a port in one of the offices connected to the LAN, I used trunking on our 2 switches to trunk the VLAN from the SonicWALL to the port that the SonicPoint is on. All appeared well because it started provisioning the SonicPoint and it always updates its settings/software correctly. Our LAN has IP addresses 10.5.6.x and the VLAN with wireless has 10.5.7.x. I have enabled interface trust and I have checked the allow wireless traffic to bypass firewall rules (in the diag.html page). However, after all this, no laptop can connect to the two SSIDs I put out on the SonicPoint (internal and guest). Either SSID I try to join, it takes a considerable amount of time and then says limited connectivity; however, it never gets an IP address. I went back into the SonicWALL to see if under SonicPoint it had registered the laptop with “limited connectivity”. I did see an entry; however, it also lacked an IP address. According to the MAC address, it was the right PC though.

    So, are there any suggestions to get the SonicPoint to hand out an IP address, allow internet connectivity, and ultimately allow RADIUS authentication on the internal SSID?

    Thanks,
    Adam

  • http://twitter.com/brandontek Brandon Kim

    Hi Adam,

    Seems like you have quite an interesting situation. Have you updated both the firewall and sonicpoint to make sure you are running the latest?

    I have personally not run into any faulty Sonicpoints but that is something to consider, which only SonicWALL support can assist you with replacing, if you have another spare SonicPoint, see if that fares any better.

    I would also take the SonicPoint and connect to the firewall directly to rule out any other cabling or equipment getting in the way. If you get perfect connectivity with the SP being directly connected, now you know it’s not the firewall or SP but maybe some odd cabling or switch configuration.

    When things don’t work for me, I always try to get as simple and basic as possible, then slowly “move up the chain” to find out where the culprit is…

    Hope this helps!

  • http://twitter.com/brandontek Brandon Kim

    Hi John,

    As you’ve alluded to earlier, your configuration has been working for years. I don’t see any issues myself with your setup. If you’re starting to have issues now, it could be SP’s starting to fail or possibly other companies in your area using the same wireless channel that could be interfering. 

    There’s just so many possibilities for what could be causing you to experience your current issue now, but without really getting more details on what your “issues” are, I can only throw some general tips out there for you to try out…

    Thanks!