sfschool

SonicWall blocks valid WAN IPs as "IP spoof"

Our SonicWall TZ190 blocks some important and legitimate WAN-to-LAN traffic just because the incoming IP sources are similar to our OPTional WAN IP (which is a dynamic IP, not a static one). For example, outside WAN 74.130.X.Y is blocked as an "IP Spoof" because our OPTional WAN IP is 74.130.Y.X. (I'm not a network expert, so please forgive my simple explanation.)

Unfortunately, the TZ190 doesn't provide an easy or obvious way to solve this problem, at least not for me.

Does anyone know of a solution? Could I configure rules that would work around the false positives in spoof-detection? Could I connect the OPTional WAN modem to another router and then to the SonicWall? If so, how so? Can incoming traffic be forced through our Primary Wan (which IS a static IP and works fine)?

Any suggestions would be greatly appreciated; I'm on the hook for this at a new place of employment.
harbor235

Are you using the correct mask on the outside WAN? If they are in different networks with the appropriate net masks, this should not be a problem.

harbor235 ;}
sfschool

ASKER

Yes. In fact, this OPTional WAN connection (from a cable ISP) requires a DHCP IP assignment on the router/firewall, so it sets its own subnet mask. You're right; this shouldn't cause the problem -- but this is a known SonicWall issue. I had the problem at another employer, with a TZ170 there, and I've read of other users having the problem (check http://www.sonicusers.com/forums/t/520.aspx for just one example), but I've never read a solution that would work for me. Is it possible for me to connect my cable modem to another device (router? switch?) and then connect it to the OPT WAN port of the SonicWall in some sort of configuration that the SonicWall can understand and still use for load balancing/failover?

Are you using the most recent version of code?

harbor235 ;}
Yes.
I guess the only thing to do is turn off IP spoofing protection, which is not a good thing.

What is the vendor response?

harbor235 ;}
Turning off the IP spoofing protection was worse than I expected. This morning I went to the diag.html page and un-checked the "IP spoof checking" option -- and after that, I could get NO Internet access at all. I tried re-checking that option, but still nothing. I now have the TZ190 off-line; I've reset the firmware to default settings and then restored backup settings from a few days ago. I'm stumped, but I'm still exploring possibilities. Thanks!
Forgot to say that I'm waiting to hear from vendor support. We'll see.
SOLUTION
dpk_wal
This solution is only available to members.
Help me through this, if you will. Here is our setup:

1. On our internal network we have three Web sites for public viewing plus a mail server that includes Web access for employees. All the sites and the mail server have private IPs on our network.

2. We have two incoming Internet connections: DSL and cable. The DSL provides us with 5 static public IPs; the cable requires DHCP and provides a "persistent" IP but not a static one. The IP periodically might change, as will the subnet mask, and the SonicWall adjusts for this. We use the DSL line as the Primary WAN, and the cable is our Optional WAN.

3. Using the public IPs allowed us by our DSL provider, and the Custom DNS Zone Management interface of our Domain registrar, we have assigned IPs and names to our three Web sites, plus the MX records.

4. When outside visitors browse to the Web sites, our SonicWall TZ190 accepts the connections and translates the public IPs to our internal IPs and sends the visitors to the correct Web server or the mail server.

That works fine for everyone except people whose home ISP is the same as our cable provider and who live fairly close to our operation. Our SonicWall sees these people's IPs as trying to spoof into our network.

How should I set up our operation to avoid this?

A thousand thanks....
SOLUTION
This solution is only available to members.
Thanks. Is this what you want:

LAN: 255.255.255.0
OPT WAN (the problem one): 255.255.240.0
Primary WAN: 255.255.255.248
SOLUTION
This solution is only available to members.
I have absolutely no understanding of subnetting. Sigh.
SOLUTION
This solution is only available to members.
I can check with the ISP, but I'm not hopeful. They have to provide us with Internet service for free (because we're a school, and the ISP's contract with the city requires free access for school). But they don't have to provide much service or accommodation, so they don't. I'll try. I guess I can also try releasing and refreshing the IP lease to see if, by chance, a better subnet mask gets assigned randomly. But... isn't there a workaround to this? Can anything go between the OPT connection and the firewall to change what the firewall sees?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks, harbor235 and dpk_wal, for your time and attention. I'm about to close this issue, but I do have one last question in case anyone has comments on it. I read today on another forum (http://www.sonicusers.com/forums/p/309/780.aspx#780) about this same kind of problem, and one writer suggested a workaround to someone else. Here is what he suggested:

"...find yourself a low end crappy ethernet/ethernet router. Like a USR, Linksys or something. Put in a forwarding rule that forwards all traffic to the Sonicwalls secondary WAN. Put it in between the cable network and your secondary WAN. Do double NAT so that the secondary WAN port thinks it is on 192.168.2.1 or something.   Say you have Comcast. Your comcast IP on the WAN port of the cheap router; 192.168.2.254 on the internal LAN port of the cheap router connecting to 192.168.2.1 on the secondary WAN  port of your Sonicwall."

My question now: Is this an idea that is worth trying?

Thanks again to all.
SOLUTION
This solution is only available to members.
I accepted harbor235's offer to evaluate all my IPs, but I chose to do it privately; as a result, his analysis doesn't show up here. However, his conclusion matched that of dpk_wal -- that the firewall was doing as it should, so I should ask the ISP for a more suitable (or static, if possible) IP.
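Added illustration, not code from the thread or from SonicWall: a small Python model of the interface-based spoof check the thread is about, built from the three masks the asker posted (LAN 255.255.255.0, Primary WAN 255.255.255.248, OPT WAN 255.255.240.0). The rule modelled here (drop a packet whose source address lies inside the subnet of a local interface other than the one it arrived on) is a simplifying assumption about what SonicOS does, and every address below is a constructed placeholder, since the thread redacts the real ones as 74.130.X.Y / 74.130.Y.X. The same block also tries the two remedies raised above: a narrower mask from the ISP, and the double-NAT router in front of the OPT port quoted from the other forum.

```python
"""Simplified model of an interface-based "IP spoof" check.

Assumed rule (a simplification, not SonicOS's actual logic): a packet is
dropped as spoofed when its source address lies inside the subnet of a
local interface other than the one it arrived on.  All addresses here are
constructed placeholders; the thread redacts the real ones.
"""
from ipaddress import ip_address, ip_interface

# Interface table built from the masks the asker posted:
#   LAN 255.255.255.0, Primary WAN 255.255.255.248, OPT WAN 255.255.240.0
INTERFACES = {
    "LAN": ip_interface("192.168.1.1/255.255.255.0"),
    "WAN": ip_interface("198.51.100.2/255.255.255.248"),  # placeholder static /29 (DSL)
    "OPT": ip_interface("74.130.16.20/255.255.240.0"),    # placeholder DHCP lease (cable), /20
}

# Same table with a cheap NAT router in front of the OPT port (the
# double-NAT idea quoted from the other forum): the firewall now sees a
# private /24 on OPT instead of the cable ISP's /20.
INTERFACES_DOUBLE_NAT = dict(INTERFACES, OPT=ip_interface("192.168.2.1/255.255.255.0"))


def spoof_verdict(ingress, src, interfaces=INTERFACES):
    """Return (dropped, reason) for a packet from `src` arriving on `ingress`."""
    src_ip = ip_address(src)
    for name, iface in interfaces.items():
        if name != ingress and src_ip in iface.network:
            return True, f"source {src_ip} lies in {name} subnet {iface.network}"
    return False, "accepted"


def with_opt_mask(mask, interfaces=INTERFACES):
    """Copy of the table with the OPT lease re-masked, e.g. after the ISP
    hands out (or a lease refresh happens to bring) a narrower mask."""
    host = interfaces["OPT"].ip
    return dict(interfaces, OPT=ip_interface(f"{host}/{mask}"))


def opt_shadow(interfaces=INTERFACES):
    """Outside address range that the OPT mask makes the firewall treat as local:
    (first address, last address, count)."""
    net = interfaces["OPT"].network
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    first, last, count = opt_shadow()
    print(f"OPT /20 shadows {count} public addresses: {first} - {last}")

    # A neighbour on the same cable ISP browsing to one of the DSL public IPs:
    # the packet arrives on WAN, but its source sits inside the OPT subnet.
    print("neighbour -> WAN, /20 lease:   ", spoof_verdict("WAN", "74.130.20.5"))
    # Someone on the same ISP but outside the /20 is unaffected.
    print("far customer -> WAN, /20 lease:", spoof_verdict("WAN", "74.130.40.5"))
    # Traffic from that neighbour that actually arrives on OPT is fine.
    print("neighbour -> OPT:              ", spoof_verdict("OPT", "74.130.20.5"))

    # Remedy 1: a narrower mask on the OPT lease shrinks the shadowed range.
    narrow = with_opt_mask("255.255.255.0")
    print("neighbour -> WAN, /24 lease:   ", spoof_verdict("WAN", "74.130.20.5", narrow))

    # Remedy 2: double NAT; OPT now sees 192.168.2.0/24, so no public
    # source can collide with it, while a forged LAN source is still caught.
    print("neighbour -> WAN, double NAT:  ", spoof_verdict("WAN", "74.130.20.5", INTERFACES_DOUBLE_NAT))
    print("LAN source from WAN, double NAT:", spoof_verdict("WAN", "192.168.1.50", INTERFACES_DOUBLE_NAT))
```

The model shows why turning the check off is the wrong fix: a packet from the Internet claiming a LAN source (the last case) is exactly what the check exists to drop, and both remedies keep that behaviour while removing the false positives. With the posted /20 the lease shadows 4,096 cable-ISP addresses, which is why only nearby customers of the same provider are affected; the double-NAT router replaces that range with a private /24, at the cost of needing port forwarding on the outer router for anything that must reach the cable IP inbound, as the quoted post notes.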