Advanced concepts related to securing service tunnels with SonicWall CSE

Description

Interfaces and IP Address Management #

When SonicWall Cloud Secure Edge (CSE) Service Tunnel is enabled, a dedicated private network is created for your organization. A new network interface is created on every device (that could be running either CSE Client Components or CSE Server Components) to enable network connectivity - this network interface is assigned an IP address from a pool of Tunnel CIDR ranges.

IP addresses are assigned to a device from 4 ranges:

| # | Range Name | CSE Component | Network Interface | Purpose |
|---|------------|---------------|-------------------|---------|
| 1 | access_tier_satellite | Access Tier | wg1 | Connector-Access Tier tunnels |
| 2 | satellite | Connector | wg0 | Connector-Access Tier tunnels |
| 3 | access_tier_enduser_device | Access Tier | wg0 | EndUser-Access Tier tunnels |
| 4 | enduser_device | App | Windows - wg0, Linux - wg0, MacOS - utun11 | EndUser-Access Tier tunnels |

Tunnel CIDR Ranges #

By default, CSE assigns IP addresses from CIDR ranges in the CG-NAT address space, so they will not interfere with other address spaces that could be in use in a customer environment. To see the CIDR ranges used by CSE, navigate to Settings > Network Settings > Service Tunnel. You will see the four CIDR ranges on this page, as follows:

| # | Range Name | CIDR Range | IPs | Total Addresses |
|---|------------|------------|-----|-----------------|
| 1 | access_tier_satellite | 100.120.0.0/16 | 100.120.0.0 - 100.120.255.255 | 65,536 |
| 2 | satellite | 100.100.0.0/16 | 100.100.0.0 - 100.100.255.255 | 65,536 |
| 3 | access_tier_enduser_device | 100.110.0.0/16 | 100.110.0.0 - 100.110.255.255 | 65,536 |
| 4 | enduser_device | 100.64.0.0/11 | 100.64.0.0 - 100.95.255.255 | 2,097,152 |

If your organization requires changes to these CIDR ranges, please contact support.

Network Address Translation (NAT) #

CSE uses Source Network Address Translation (SNAT), so the source IP address of traffic egressing a CSE Server Component (Access Tier or Connector) will be the host's IP address. In some scenarios you may want the source IP address of the traffic to be the actual client's IP address instead of the NAT-ed address.

CSE provides the ability to disable SNAT for your environment. If you disable SNAT, you need to ensure that your private network is configured to route traffic correctly back to the client.

If your organization needs to disable SNAT, please contact support.

Reverse DNS Lookups and Voice-over-IP (VoIP) Protocol Support #

Reverse DNS is a special type of DNS lookup, where an IP address is resolved to a domain name using PTR records. To enable Reverse DNS lookups over a Service Tunnel, specify in-addr.arpa as a Private Domain when you define your private network. See the article on DNS resolution & traffic steering for a general description of how DNS lookups work over a Service Tunnel.

Reverse DNS is sometimes used by VoIP clients to dial specific categories of phone numbers. If you’re troubleshooting VoIP scenarios where a VoIP client is unable to make a phone call, be sure to enable Reverse DNS.
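The following script is an added example, not SonicWall code, that ties the two sections above together: it checks the four default tunnel ranges from the table against the CG-NAT block, reports any overlap with a customer's own address plan before a tunnel is rolled out, and shows the in-addr.arpa name a reverse lookup for a tunnel IP produces (which is why in-addr.arpa must be listed as a Private Domain). The customer CIDRs in the sample run are constructed values.

```python
import ipaddress

# Tunnel CIDR ranges as listed on the CSE Service Tunnel settings page.
CSE_TUNNEL_RANGES = {
    "access_tier_satellite": "100.120.0.0/16",
    "satellite": "100.100.0.0/16",
    "access_tier_enduser_device": "100.110.0.0/16",
    "enduser_device": "100.64.0.0/11",
}

# RFC 6598 shared address space (CG-NAT); all defaults should sit inside it.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def range_summary(name):
    """Return (first IP, last IP, total addresses) for a named tunnel range."""
    net = ipaddress.ip_network(CSE_TUNNEL_RANGES[name])
    return str(net[0]), str(net[-1]), net.num_addresses


def outside_cgnat():
    """Names of tunnel ranges that are not fully inside 100.64.0.0/10."""
    return [n for n, c in CSE_TUNNEL_RANGES.items()
            if not ipaddress.ip_network(c).subnet_of(CGNAT_SPACE)]


def find_overlaps(customer_cidrs):
    """Return (tunnel range name, customer CIDR) pairs whose addresses collide."""
    hits = []
    for cidr in customer_cidrs:
        cust = ipaddress.ip_network(cidr, strict=False)
        for name, tunnel in CSE_TUNNEL_RANGES.items():
            if ipaddress.ip_network(tunnel).overlaps(cust):
                hits.append((name, cidr))
    return hits


def ptr_query_name(ip):
    """The in-addr.arpa name a reverse (PTR) lookup for this IP will query."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    # Constructed customer ranges: one RFC 1918 block and one block a lab or
    # carrier might already have carved out of CG-NAT space.
    sample = ["10.0.0.0/8", "100.80.0.0/16"]
    print("outside CG-NAT:", outside_cgnat())
    print("overlaps:", find_overlaps(sample))
    print("PTR name:", ptr_query_name("100.120.0.5"))
```

A non-empty result from `find_overlaps` is the signal to ask support for a CIDR change before enabling the tunnel, since the colliding range would be unreachable from tunneled devices.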

Related Articles

  • IP Whitelisting Scenarios for SaaS Applications
  • Full Tunnel in SonicWall Cloud Secure Edge (CSE)
  • Incompatibility Between Webroot and SonicWall CSE SPA