Moving from VPN to SD-WAN



  • Looking for some advice. We have a client who currently has several sites that each connect back to the main office via VPNs in their Sonicwall units. Over the last (many) months a new vendor was chosen to move them to an SD-WAN solution using a VeloCloud. They've built out fiber with broadband backup at each location. Since we've never done this type of setup one of the requirements was that their engineers help with the implementations. Now that we're at the point to bring it online they are essentially refusing to help so we're left figuring out on our own. A new location is opening tomorrow and we are putting in a pfSense unit instead of a Sonicwall. How do I configure it?

    With a VPN it's easy. Once the tunnel is established the routing table is done and the most we need to do is configure firewall rules. Very simple. With the SD-WAN I just don't know. They say I need to turn off NAT so that all traffic is local and visible. I've never done that before but I'm pretty sure I know how to do it. The second thing is how is the routing handled? The local networks are 192.168.x.x while the intermediary Velo network is in the 10.x.x.x network so the LAN is 192.168.x.x and the WAN is 10.x.x.x. I'm assuming I need to set some routing up. With a default route of 0.0.0.0 to the WAN, all unknown traffic will be sent out so I can see the VeloCloud picking it up and sending it on. Not sure how data makes it back in, though. If a packet destined for an IP in the LAN subnet hit's the WAN, how does it know to send it on to the LAN. Something would need to be done in the firewall to allow it through.

    As you can see, I'm not really sure what I'm stepping into. A little advice would go a long way. Thanks!



  • @Stewart Sdwan or not, still routing needs to happen.
    Perhaps the core you will be connecting will do smart things, instead of traditional fully meshed or hub and spoke.
    And you also have at least three physical interface to interconnect
    Lan, fiber and broadband backup at the new site.
    You need more specific network configuration.
    After connectivity is established, you also need information about security and firewalling. There must be a master design somewhere.



  • @netblues I sincerely hope there is a master design somewhere. The 2 ISP connections go into the VeloBox and the VelBox connects into the WAN of the pfSense router. They tell me that I just need to pass ALL traffic to their VeloBox and they do the intelligent routing. I just need to accept the private traffic back as private and route it accordingly. When they send traffic back destined for my LAN 192.168.x.x network, it's gonna hit my WAN port. I'm assuming I need static routes but I'm not sure how it will process. The site is 2.5 hours away and I'm about to leave for it. I'm only getting 1 shot at this so I'll take as much advice as I can get.



  • @Stewart Well, if that is the case, why you need the pfsense in the first place.
    If you have a box that does sdwam then it should also handle any local nat needs
    You could leave pf just doing routing, but I don't see any reason for that.



  • @netblues

    The routers will still act as the firewalls at the sites. I figured it out, for better or worse. The other end has a Sonicwall where we were unable to disable NAT (limitation on the device) so we wound up creating a VPN tunnel across the Velo cloud. On pfSense, all I had to do was disable NAT and create some firewall rules. My main concern was that private IPs aren't publicly routable so in my head I didn't understand how traffic would make it back on the WAN port. I didn't understand how it would route since it was private IPs because to me, WAN=Public. I realize that isn't the case so seeing it actually work and traffic flow helped to increase my understanding of how the packets were going to route. Really hit a wall when we couldn't disable the NAT on the SonicWall, though. The unit is too old to support it but it's still current on security definitions. We're going to replace all the units with pfSense as soon as the client approves it.



  • Sorry, but I don't get it An sd wan, a cloud in the middle and suddenly a vpn tunnel across the cloud???
    It might work, but it doesn't feel right as a concept.
    If you need firewalling, why the sdwan is not doing it?

    It seems you have an authority issue to solve, not a technical one.


Log in to reply