New Year, New Setup

January 4, 2020

Happy New Year!

Since our last post I’ve struggled with some issues that I documented in a rather large OneNote document. Internet-based traffic seemed to be okay, but the USB extension started showing issues with the SonicWall after I pumped a lot of data through it. I reloaded OpenWrt on the APU2 and managed to get the tunnel established this time, with traffic passing between the firewalls, but then the LAN connection stopped working. I was starting to get frustrated with it, so I loaded up a pfSense 2.5 snapshot and if_urndis.ko from FreeBSD 12. No luck. I then loaded up a FreeBSD 12.1 VM thinking I could run vanilla FreeBSD instead, but that didn’t work either. Darn.

Not one to be defeated so easily by technology, I gave OpenWrt one final go before going back to the SonicWall, this time with my local LibreNMS install set up to alert when the device dropped. I had no disconnects until my connection at home went down for a few minutes. I removed the SonicWall from the local install and spun up a second LibreNMS install in the datacenter, since that’s the VPN endpoint. I had some issues with the SonicWall dropping, and even gave the M1 Nighthawk a try instead, which was a little more stable, but I was only doing Internet traffic on it, so I felt stuck. I went for OpenWrt one final time and it was just not working for me. I opted to connect the modem directly to the SonicWall, and it kept having random disconnections that would clear up after I reset the tunnel on the datacenter firewall. What was the problem?

I did some looking around during downtime at work and found the issue: SonicWall firewalls don’t support multiple subnets on a single IPsec Phase 2 entry. I flipped on the “Split Connections” option on this particular VPN entry and things got a lot more stable, but I was still experiencing issues. When the tunnel dropped yesterday morning, I decided that I’d just rebuild the tunnel entirely once I got to the office. There wasn’t a single disconnection after the tunnel was rebuilt, and when the P1 rekeyed after 8 hours the P2s stayed up and things seemed good.
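To make the Phase 2 problem above concrete, here is a small added example (not the author’s configuration or any firewall vendor’s code) that models what a “split connections” style option does: one Phase 2 entry that lists several local and remote subnets is expanded into one child SA per (local, remote) pair, and a pre-flight check flags entries that a single-selector-only peer would reject. The subnets are constructed sample values, and the assumption that the remote peer accepts exactly one traffic selector per child SA is a modelling choice for the example, not a statement about any specific device.

```python
import itertools
from ipaddress import ip_network


def split_phase2(local_subnets, remote_subnets):
    """Expand a multi-subnet Phase 2 entry into one (local, remote) pair per child SA.

    Each pair is what a peer that only accepts a single traffic selector per
    child SA can negotiate; a combined entry with several subnets is what the
    post describes as failing against the SonicWall.
    """
    # strict=True makes ip_network() raise on host bits set, catching typos early.
    locals_ = [ip_network(s, strict=True) for s in local_subnets]
    remotes = [ip_network(s, strict=True) for s in remote_subnets]
    return [(str(l), str(r)) for l, r in itertools.product(locals_, remotes)]


def check_phase2(local_subnets, remote_subnets, peer_single_selector=True):
    """Return a list of problems with a proposed Phase 2 entry.

    peer_single_selector is an assumed property of the remote endpoint:
    True means it negotiates only one local/remote selector per child SA.
    """
    problems = []
    if peer_single_selector and (len(local_subnets) > 1 or len(remote_subnets) > 1):
        problems.append(
            "peer accepts one selector per child SA; enable split connections "
            "or create one Phase 2 per subnet pair"
        )
    # Overlapping local/remote selectors make the kernel policy ambiguous,
    # so flag them regardless of peer capabilities.
    for l, r in split_phase2(local_subnets, remote_subnets):
        if ip_network(l).overlaps(ip_network(r)):
            problems.append(f"local {l} overlaps remote {r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two LAN subnets at home, one subnet in the datacenter.
    home = ["10.0.1.0/24", "10.0.2.0/24"]
    datacenter = ["192.168.50.0/24"]
    for issue in check_phase2(home, datacenter):
        print("problem:", issue)
    for pair in split_phase2(home, datacenter):
        print("child SA:", pair)
```

Running it with the sample subnets prints one problem (the multi-subnet entry) and two child SA pairs; with `peer_single_selector=False` the entry is reported clean unless a local and remote subnet overlap.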

I’ve got a work trip starting tomorrow through Wednesday, so this is definitely turning into testing in production! I have a contingency plan, however: disable the tunnel and set DHCP back up on the firewall with OpenDNS for DNS servers. Hopefully this won’t be needed. Everything is packed up in the Pelican Case and the USB800 is in my work laptop backpack now, so it’ll be showtime in under 24 hours.

I’ll report on how well it worked once I return from the trip Wednesday afternoon.
