Notes on Service Tunnels

Advanced concepts including Operational CIDR ranges, and more

  • Updated on May 31, 2024

This article details a few advanced concepts related to securing service tunnels.

Interfaces and IP Address Management

When SonicWall Cloud Secure Edge (CSE) Service Tunnel is enabled, a dedicated private network is created for your organization. A new network interface is created on every device (that could be running either CSE Client Components or CSE Server Components) to enable network connectivity - this network interface is assigned an IP address from a pool of Tunnel CIDR ranges.

IP addresses are assigned to a device from 4 ranges:

#  Range Name                  CSE Component  Network Interface                           Purpose
1  access_tier_satellite       Access Tier    wg1                                         Connector-Access Tier tunnels
2  satellite                   Connector      wg0                                         Connector-Access Tier tunnels
3  access_tier_enduser_device  Access Tier    wg0                                         EndUser-Access Tier tunnels
4  enduser_device              App            Windows - wg0, Linux - wg0, MacOS - utun11  EndUser-Access Tier tunnels

Tunnel CIDR Ranges

By default, CSE assigns IP addresses from CIDR ranges in the CG-NAT address space, so that they do not conflict with address spaces already in use in a customer environment. To see the CIDR ranges used by CSE, navigate to Settings > Network Settings > Service Tunnel. You will see the four CIDR ranges on this page, as follows:

#  Range Name                  CIDR Range      IP Addresses                   Total Addresses
1  access_tier_satellite       100.120.0.0/16  100.120.0.0 - 100.120.255.255  65,536
2  satellite                   100.100.0.0/16  100.100.0.0 - 100.100.255.255  65,536
3  access_tier_enduser_device  100.110.0.0/16  100.110.0.0 - 100.110.255.255  65,536
4  enduser_device              100.64.0.0/11   100.64.0.0 - 100.95.255.255    2,097,152

If your organization requires changes to these CIDR ranges, please contact support.
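As an added example (not SonicWall's code), the following Python script encodes the four default ranges from the table above and checks an address plan against them: it confirms the defaults sit inside the RFC 6598 CG-NAT block 100.64.0.0/10, reports which range a tunnel interface address belongs to, and flags customer subnets that overlap a tunnel range (the situation in which you would ask support to change the defaults). The customer subnets in the sample address plan are constructed input.

```python
"""Sanity checks for the CSE Service Tunnel CIDR ranges.

Added example, not SonicWall code. The four ranges are the defaults listed
in the article; the customer address plan below is constructed sample input.
"""
import ipaddress

# Default tunnel CIDR ranges (Settings > Network Settings > Service Tunnel).
TUNNEL_RANGES = {
    "access_tier_satellite": ipaddress.ip_network("100.120.0.0/16"),
    "satellite": ipaddress.ip_network("100.100.0.0/16"),
    "access_tier_enduser_device": ipaddress.ip_network("100.110.0.0/16"),
    "enduser_device": ipaddress.ip_network("100.64.0.0/11"),
}

# Shared address space reserved for CG-NAT (RFC 6598); CSE's defaults sit inside it.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def total_addresses(name):
    """Number of addresses in a named tunnel range (65,536 for a /16, 2,097,152 for the /11)."""
    return TUNNEL_RANGES[name].num_addresses


def classify(ip):
    """Return the tunnel range an interface address belongs to, or None if it is not a tunnel address."""
    addr = ipaddress.ip_address(ip)
    # Most specific prefix first, so a /16 would win over the /11 if a custom plan ever nested them.
    for name, net in sorted(TUNNEL_RANGES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    return None


def ranges_within_cgnat():
    """True if every default range lies inside RFC 6598 space, i.e. clear of RFC 1918 networks."""
    return all(net.subnet_of(CGNAT_SPACE) for net in TUNNEL_RANGES.values())


def find_conflicts(customer_subnets):
    """List (customer_subnet, tunnel_range_name) pairs that overlap.

    Addresses shared between a private subnet and a tunnel interface's own
    range interfere with routing over the tunnel, so each overlap is a reason
    to have the defaults changed before rollout.
    """
    conflicts = []
    for cidr in customer_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        for name, tunnel in TUNNEL_RANGES.items():
            if net.overlaps(tunnel):
                conflicts.append((str(net), name))
    return conflicts


if __name__ == "__main__":
    # Constructed sample address plan: RFC 1918 space plus one subnet carved from CG-NAT space.
    sample_plan = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.10.0/24"]
    print("all defaults inside CG-NAT space:", ranges_within_cgnat())
    for name, net in TUNNEL_RANGES.items():
        print(f"{name:28s} {str(net):16s} {total_addresses(name):>9,d}")
    print("100.110.4.7 belongs to:", classify("100.110.4.7"))
    for subnet, name in find_conflicts(sample_plan):
        print(f"conflict: {subnet} overlaps tunnel range {name}")
```

Run it with your own subnet list in place of `sample_plan`; an empty conflict list means the default ranges can be used as-is.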

Network Address Translation (NAT)

CSE uses Source Network Address Translation (SNAT), so the source IP address of traffic egressing a CSE Server Component (Access Tier or Connector) will be the host’s IP address. In some scenarios you may want the source IP address of the traffic to be the actual client’s IP address instead of the NAT-ed address.

CSE provides the ability to disable SNAT for your environment. If you disable SNAT, you need to ensure that your private network is configured to route traffic correctly back to the client.

If your organization needs to disable SNAT, please contact support.
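To make the "route traffic correctly back to the client" requirement concrete, here is an added Python example (not SonicWall's code) that checks a site router's table for return routes. It assumes that with SNAT disabled, internal hosts see the client's tunnel address from the enduser_device range (100.64.0.0/11) as the source, so that range must route back to the CSE Server Component host; the route table, the host address 10.0.5.20 and the "destination via next-hop" line format are all constructed for the example. It applies longest-prefix matching, so a stale more-specific route to another gateway is still flagged even when a broader route to the CSE host covers it.

```python
"""Verify return routes for tunnel client addresses when SNAT is disabled.

Added example, not SonicWall code. Assumptions: with SNAT disabled, internal
hosts see the client's tunnel address (enduser_device range) as the source,
so the site's routers need a route for that range back to the CSE Server
Component host. SAMPLE_ROUTES is constructed input in an `ip route`-like
"destination via next-hop" format; 10.0.5.20 is a made-up CSE host address.
"""
import ipaddress

SAMPLE_ROUTES = [
    "10.0.0.0/8 via 10.0.0.1",
    "100.64.0.0/12 via 10.0.5.20",   # towards the CSE Access Tier host (constructed)
    "100.72.0.0/16 via 10.0.0.254",  # stale route to a decommissioned firewall
    "0.0.0.0/0 via 10.0.0.1",
]


def parse_routes(lines):
    """Parse 'destination via next-hop' lines into (network, next_hop) pairs."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "via":
            routes.append((ipaddress.ip_network(parts[0], strict=False),
                           ipaddress.ip_address(parts[2])))
    return routes


def subtract(regions, net):
    """Remove net from a list of disjoint networks (CIDR blocks either nest or are disjoint)."""
    out = []
    for region in regions:
        if not region.overlaps(net):
            out.append(region)
        elif net.supernet_of(region):
            continue  # region fully removed (covers region == net as well)
        else:
            out.extend(region.address_exclude(net))  # net is a strict subnet of region
    return out


def unrouted_regions(route_lines, client_range, expected_next_hop):
    """Parts of client_range whose longest-prefix route does NOT point at the CSE host.

    Routes are applied most specific first: a region claimed by a more specific
    route is not re-decided by a less specific one, which is how a real router
    would forward the packet.
    """
    client = ipaddress.ip_network(client_range)
    cse_host = ipaddress.ip_address(expected_next_hop)
    remaining = [client]  # regions with no correct return route so far
    decided = []          # regions already claimed by a more specific route
    for net, hop in sorted(parse_routes(route_lines), key=lambda r: r[0].prefixlen, reverse=True):
        if not net.overlaps(client):
            continue
        region = net if net.subnet_of(client) else client  # a supernet route claims the whole range
        undecided = [region]
        for d in decided:
            undecided = subtract(undecided, d)
        if hop == cse_host:
            for part in undecided:
                remaining = subtract(remaining, part)
        decided.append(region)
    return sorted(str(r) for r in remaining)


if __name__ == "__main__":
    gaps = unrouted_regions(SAMPLE_ROUTES, "100.64.0.0/11", "10.0.5.20")
    for gap in gaps:
        print("no return route via the CSE host for", gap)
```

On the sample table the script reports 100.72.0.0/16 (sent to the wrong gateway) and 100.80.0.0/12 (no route other than the default), which is exactly the traffic that would be dropped or misrouted once SNAT is turned off.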

Reverse DNS Lookups and Voice-over-IP (VoIP) Protocol Support

Reverse DNS is a special type of DNS lookup, where an IP address is resolved to a domain name using PTR records. To enable Reverse DNS lookups over a Service Tunnel, specify in-addr.arpa as a Private Domain when you define your private network. See the article on DNS resolution & traffic steering for a general description of how DNS lookups work over a Service Tunnel.

Reverse DNS is sometimes used by VoIP clients to dial specific categories of phone numbers. If you’re troubleshooting VoIP scenarios where a VoIP client is unable to make a phone call, be sure to enable Reverse DNS.
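The following added Python example (not SonicWall's code) shows why in-addr.arpa has to be listed as a Private Domain. It assumes that steering works as a suffix match of the query name against the configured Private Domains, builds the PTR query name for an address, and reports whether that query would be steered over the tunnel; the private domain lists and addresses are constructed input.

```python
"""Decide whether a DNS query, including a reverse (PTR) lookup, is steered over the Service Tunnel.

Added example, not SonicWall code. Assumption: a query is steered when its name
equals, or is a subdomain of, one of the Private Domains configured for the
private network. All domain lists and addresses below are constructed samples.
"""
import ipaddress


def normalize(name):
    """Lower-case and strip the trailing dot so 'Corp.Example.COM.' matches 'corp.example.com'."""
    return name.rstrip(".").lower()


def is_steered(qname, private_domains):
    """True if qname is one of the private domains or lies under one of them."""
    q = normalize(qname)
    for dom in private_domains:
        d = normalize(dom)
        if q == d or q.endswith("." + d):
            return True
    return False


def ptr_name(ip):
    """Query name a resolver sends for a reverse lookup, e.g. 40.30.20.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup_steered(ip, private_domains):
    """Would a PTR query for ip go over the tunnel with this Private Domain list?"""
    return is_steered(ptr_name(ip), private_domains)


def reverse_dns_enabled(private_domains):
    """The troubleshooting check from the article: is in-addr.arpa among the Private Domains?"""
    return is_steered("in-addr.arpa", private_domains)


if __name__ == "__main__":
    # Constructed: a private network defined with only its forward domain.
    before = ["corp.example.com"]
    after = ["corp.example.com", "in-addr.arpa"]
    print(ptr_name("10.20.30.40"))
    print("PTR steered without in-addr.arpa:", reverse_lookup_steered("10.20.30.40", before))
    print("PTR steered with in-addr.arpa:   ", reverse_lookup_steered("10.20.30.40", after))
    print("Reverse DNS enabled:", reverse_dns_enabled(after))
```

Note that `reverse_pointer` returns an ip6.arpa name for IPv6 addresses; the article only describes in-addr.arpa, so the check above is limited to IPv4 reverse lookups.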