SonicWall blocks valid WAN IPs as "IP spoof"

sfschool
Our SonicWall TZ190 blocks some important and legitimate WAN-to-LAN traffic just because the incoming IP sources are similar to our OPTional WAN IP (which is a dynamic IP, not a static one). For example, outside WAN 74.130.X.Y is blocked as an "IP Spoof" because our OPTional WAN IP is 74.130.Y.X. (I'm not a network expert, so please forgive my simple explanation.)

Unfortunately, the TZ190 doesn't provide an easy or obvious way to solve this problem, at least not for me.

Does anyone know of a solution? Could I configure rules that would work around the false positives in spoof-detection? Could I connect the OPTional WAN modem to another router and then to the SonicWall? If so, how so? Can incoming traffic be forced through our Primary Wan (which IS a static IP and works fine)?

Any suggestions would be greatly appreciated; I'm on the hook for this at a new place of employment.
Are you using the correct mask on the outside WAN? If they are in different networks with the appropriate net masks, this should not be a problem.

harbor235 ;}

Author

Commented:
Yes. In fact, this OPTional WAN connection (from a cable ISP) requires a DHCP IP assignment on the router/firewall, so it sets its own subnet mask. You're right; this shouldn't cause the problem -- but this is a known SonicWall issue. I had the problem at another employer, with a TZ170 there, and I've read of other users having the problem (check http://www.sonicusers.com/forums/t/520.aspx for just one example), but I've never read a solution that would work for me. Is it possible for me to connect my cable modem to another device (router? switch?) and then connect it to the OPT WAN port of the SonicWall in some sort of configuration that the SonicWall can understand and still use for load balancing/failover?

Are you using the most recent version of code?

harbor235 ;}

Author

Commented:
Yes.
I guess the only thing to do is turn off IP spoofing protection, which is not a good thing.

What is the vendor response?


harbor235 ;}

Author

Commented:
Turning off the IP spoofing protection was worse than I expected. This morning I went to the diag.html page and un-checked the "IP spoof checking" option -- and after that, I could get NO Internet access at all. I tried re-checking that option, but still nothing. I now have the TZ190 off-line; I've reset the firmware to default settings and then restored backup settings from a few days ago. I'm stumped, but I'm still exploring possibilities. Thanks!

Author

Commented:
Forgot to say that I'm waiting to hear from vendor support. We'll see.
Top Expert 2007
Commented:
I think this is an expected behaviour: if the device [in L3 mode] receives a packet on the internet-facing interface with a source IP that is one of the IP addresses which it knows exists on any other internal interface, the device would cry foul; this is exactly what the device is doing. If the device is in L2 mode [or transparent mode, as many vendors call it], then I do not think this would happen.

Any specific reason why you are using a public IP address behind the firewall? Have you considered using private IP addresses instead?

Thank you.

Author

Commented:
Help me through this, if you will. Here is our setup:

1. On our internal network we have three Web sites for public viewing plus a mail server that includes Web access for employees. All the sites and the mail server have private IPs on our network.

2. We have two incoming Internet connections: DSL and cable. The DSL provides us with 5 static public IPs; the cable requires DHCP and provides a "persistent" IP but not a static one. The IP periodically might change, as will the subnet mask, and the SonicWall adjusts for this. We use the DSL line as the Primary WAN, and the cable is our Optional WAN.

3. Using the public IPs allowed us by our DSL provider, and the Custom DNS Zone Management interface of our Domain registrar, we have assigned IPs and names to our three Web sites, plus the MX records.

4. When outside visitors browse to the Web sites, our SonicWall TZ190 accepts the connections and translates the public IPs to our internal IPs and sends the visitors to the correct Web server or the mail server.

That works fine for everyone except people whose home ISP is the same as our cable provider and who live fairly close to our operation. Our SonicWall sees these people's IPs as trying to spoof into our network.

How should I set up our operation to avoid this?

A thousand thanks....

What are the masks for the outside and inside? I know you told me they are OK, but I want to double check.

harbor235 ;}

Author

Commented:
Thanks. Is this what you want:

LAN: 255.255.255.0
OPT WAN (the problem one): 255.255.240.0
Primary WAN: 255.255.255.248

hmmm, the primary is a /29 and the OPT WAN is a /20. There is potential for overlap in the third octet. Do you have a thorough understanding of subnetting?

Just trying to make sure there is no overlap.


harbor235 ;}


Author

Commented:
I have absolutely no understanding of subnetting. Sigh.
Top Expert 2007
Commented:
Can you check with your ISP: when they lease IP addresses, rather than having /20, can they instead give you /30 as the mask? This means only one more IP address can co-exist in this subnet mask; this would shorten the number of people who get affected, and also the firewall would not have any problem accepting connections from users on the same ISP.

These days if you have PPPoE, usually people get /32 as the mask; where their IP is also their gateway [something like remote IP for VPN]; there are no chances for overlap in this case.

I think ISP should be able to help.

Please check.

Thank you.
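To make the overlap harbor235 asks about and the L3 anti-spoof rule dpk_wal describes concrete, here is an added Python example (not from the thread or from SonicWall). It models the firewall's interface table with the masks given above (LAN /24, OPT WAN /20, Primary WAN /29); the host addresses are constructed samples, since the thread only gives 74.130.X.Y, and it also shows how a /30 or /32 lease shrinks the set of addresses the firewall would treat as "local" on the OPT link.

```python
# Added example: a simplified model of the L3 anti-spoof check described in
# the thread. Addresses are constructed samples (RFC 5737 ranges for the
# static side); the masks match the ones the author posted.
from ipaddress import ip_address, ip_interface

# Constructed interface table for the TZ190 in the thread.
INTERFACES = {
    "LAN": ip_interface("192.168.1.1/24"),        # internal network, /24
    "WAN": ip_interface("203.0.113.10/29"),       # static DSL (Primary WAN), /29
    "OPT": ip_interface("74.130.16.20/20"),       # DHCP cable lease (OPT WAN), /20
}


def owning_interface(src, interfaces=INTERFACES):
    """Return the interface whose directly connected subnet contains src, or None."""
    src = ip_address(src)
    for name, iface in interfaces.items():
        if src in iface.network:
            return name
    return None


def is_spoof(src, ingress, interfaces=INTERFACES):
    """Anti-spoof rule: flag a packet whose source address belongs to a
    connected subnet on a *different* interface than the one it arrived on.
    A visitor on the same cable /20 who reaches a site published on the DSL
    address arrives on WAN with an OPT-subnet source, so it is flagged."""
    owner = owning_interface(src, interfaces)
    return owner is not None and owner != ingress


def subnet_neighbors(iface):
    """Number of other addresses the firewall treats as local on this link;
    with a /20 lease that is 4095 cable customers, with /30 it is 3, with /32 none."""
    return ip_interface(iface).network.num_addresses - 1


if __name__ == "__main__":
    # Neighbour on the cable /20 hitting the DSL-published site: flagged.
    print(is_spoof("74.130.20.5", "WAN"))            # True
    # Same neighbour arriving on the cable link itself: not flagged.
    print(is_spoof("74.130.20.5", "OPT"))            # False
    # Unrelated Internet host: not flagged.
    print(is_spoof("198.51.100.7", "WAN"))           # False
    for mask in ("74.130.16.20/20", "74.130.16.20/30", "74.130.16.20/32"):
        print(mask, subnet_neighbors(mask))
```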

Author

Commented:
I can check with the ISP, but I'm not hopeful. They have to provide us with Internet service for free (because we're a school, and the ISP's contract with the city requires free access for school). But they don't have to provide much service or accommodation, so they don't. I'll try. I guess I can also try releasing and refreshing the IP lease to see if, by chance, a better subnet mask gets assigned randomly. But... isn't there a workaround to this? Can anything go between the OPT connection and the firewall to change what the firewall sees?


With the new versions of code available SonicWall should have IP spoofing resolved. It is a pretty simple thing to correct.

Do you feel comfortable giving your IPs out? Or you could send me an email directly and I will check your addressing.

harbor235@gmail.com

harbor235 ;}

Author

Commented:
Thanks, harbor235 and dpk_wal, for your time and attention. I'm about to close this issue, but I do have one last question in case anyone has comments on it. I read today on another forum (http://www.sonicusers.com/forums/p/309/780.aspx#780) about this same kind of problem, and one writer suggested a workaround to someone else. Here is what he suggested:

"...find yourself a low end crappy ethernet/ethernet router. Like a USR, Linksys or something. Put in a forwarding rule that forwards all traffic to the SonicWall's secondary WAN. Put it in between the cable network and your secondary WAN. Do double NAT so that the secondary WAN port thinks it is on 192.168.2.1 or something. Say you have Comcast. Your Comcast IP on the WAN port of the cheap router; 192.168.2.254 on the internal LAN port of the cheap router connecting to 192.168.2.1 on the secondary WAN port of your SonicWall."

My question now: Is this an idea that is worth trying?

Thanks again to all.
Top Expert 2007
Commented:
That is a fair solution because of doing double NAT; the problems associated might be visible as you have servers on the optional which need access from the internet; the problem is you need to first forward packets on the Linksys from the public IP to the optional port IP of the SonicWall and then from there to the individual server IP addresses.
Sometimes this double NAT creates problems [not always].

I would say go ahead, give this a try; if things work then great.

I frankly do not think that any newer code would have a fix for this problem; because this is not a problem but a bad implementation.

Thank you! :)

Author

Commented:
I accepted harbor235's offer to evaluate all my IPs, but I chose to do it privately; as a result, his analysis doesn't show up here. However, his conclusion matched that of dpk_wal -- that the firewall was doing as it should, so I should ask the ISP for a more suitable (or static, if possible) IP.
