Sonicwall WLAN to LAN Access

I am in the process of creating wireless access at our facility with a sonicwall pro3060 and several sonicpointN's using VAP.  I have configured a wlan zone for office users and a vlan on the wlan interface for guest access.  Both of these zones are on separate IP schemes, and neither one of them shares the scheme of our lan.  The problem is I am trying to add access for the wlan to our lan because we need access to network shares as well as internal browser-based applications.  I have allowed all the appropriate access rules, but still no luck translating/allowing the wlan traffic to our lan.  Both zones do have access to the internet though....
patrickhchAsked:
digitapCommented:
I've been looking over the packet capture and I'm seeing traffic forwarded from x2 to x5 which tells me that traffic is getting routed properly.  What I'm not seeing is traffic coming from x5 to x2.  I'm not even seeing it dropped.  I'm not seeing it period.  If I were you, I'd update the ROM version first.  Make sure you get backups first...>GRIN<

If the update doesn't change anything, see if you can configure the settings to remove transparent mode.

If all that's a no go, then we'll look at things then.
0
 
digitapCommented:
I'd have to see your firewall settings.  If you create a TSR and only post the firewall settings that are pertinent to the WLAN > LAN and LAN > WLAN settings, that should be enough to assist.
0
 
patrickhchAuthor Commented:
Please forgive my ignorance, but I am unsure what a TSR is or how to post the firewall settings to it.
0
 
patrickhchAuthor Commented:
sorry for the mind blip....attached is the report.  Let me know if you need more info
tsr.txt
0
 
digitapCommented:
From your rules, I see that from WLAN > LAN you are allowing Any.  From WLAN to WLAN, you are allowing Ping, the management interface and Any.  However, I don't see LAN > WLAN.
0
 
patrickhchAuthor Commented:
sorry here is the rest
tsr1.txt
0
 
digitapCommented:
You're right, the rules look like all is allowed WLAN > LAN and LAN > WLAN.  Have you run the packet monitor to see what happens to your traffic?  It's under System > Packet Monitor.  Also, post your routing policies for WLAN and LAN.
0
 
patrickhchAuthor Commented:
here is the routing table... thanks for the packet info i will look at it...
routing.txt
0
 
patrickhchAuthor Commented:
here is the packet capture...
the machine on the wlan is 10.10.12.202
I am trying to access ip 10.10.10.186 on the lan....


Original version of attachment replaced with sanitized version per http://www.experts-exchange.com/Community_Support/General/Q_26100468.html?cid=1572#a32317758 LadyModiva 042910

packetcap.txt
0
 
digitapCommented:
um, you're going to want to get a mod to delete the entry or attachment at http:#a32317758 as the attachment you posted was the entire TSR and not the packet capture.  Or, get them to replace the attachment with the packet capture.
0
 
digitapCommented:
Also, I noticed you are on ROM version 3.1.0.2.  Sonicwall has recommended upgrading to ROM version 4.2.1.0_ROM-12e before upgrading to the version of firmware you are currently on.
0
 
patrickhchAuthor Commented:
wow that was a bad mistake... busy and wasn't paying attention... I requested attention, thanks for the heads up.

Attached is the entire packet capture....
When I filter the packet capture by the source ip this is what I get even if I am trying to access the 10.10.10.186 ip:

Ethernet Header
 Ether Type: IP(0x800), Src=[00:24:d6:7a:0a:b6], Dst=[ff:ff:ff:ff:ff:ff]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.10.12.202], Dst=[10.10.12.255]
UDP Packet Header
 Src=[137], Dst=[137], Checksum=0xf6be, Message Length=58 bytes
Application Header
 NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 47, Module Id: 27, (Ref.Id: _2767_jcpfngDtqcfecuvRcemgv)


packetcapture.txt
0
 
patrickhchAuthor Commented:
thanks for the rom update info i will check into it.  As you can tell firewall management is not my strong point...thanks for the help.  I have tried sonicwall tech support, but haven't gotten a response.
0
 
digitapCommented:
yeah...you have to call to get decent help.  i'm looking over the packet capture stuff...i'll report back with some questions.  getting to supper time and getting my son to bed so there may be a delay.
0
 
digitapCommented:
it looks like one of your interfaces x5, is running in transparent mode...did you intend that?
0
 
patrickhchAuthor Commented:
Yeah that is the way it was set up (before I was here).  The sonicwall was added to the existing network so they installed it that way (before I worked here) since the gateway internal address is on the same 10.10.10.xxx scheme. X5 is the LAN interface that I am trying to communicate to. Nothing is plugged in the default lan x0 interface. I have been wondering if that is making things more difficult.
0
 
digitapCommented:
i think this might actually be a routing issue and not a firewall issue.  Open your packet capture you posted and search for *Packet number: 4987*  Notice that it goes in x2 and out x5.  That doesn't seem right.  This is what I'm seeing:

in:X2*(interface), out:X5, Forwarded
0
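An added example, not part of the original thread and not SonicWall code: a small parser that automates the check described in the comment above, listing flows the firewall forwarded for which no packet in the reverse direction appears at all. The sample capture is constructed from the line shapes quoted in this thread (the ICMP lines and host 10.10.10.50 are made up), and the function names are hypothetical; a real export may need the patterns adjusted.

```python
import re
from collections import Counter

# Constructed sample; line shapes follow the fragments quoted in this thread.
SAMPLE = """\
*Packet number: 1*
 IP Type: UDP(0x11), Src=[10.10.12.202], Dst=[10.10.12.255]
DROPPED, Drop Code: 47, Module Id: 27
*Packet number: 2*
in:X2*(interface), out:X5, Forwarded
 IP Type: ICMP(0x1), Src=[10.10.12.202], Dst=[10.10.10.186]
*Packet number: 3*
in:X2*(interface), out:X5, Forwarded
 IP Type: ICMP(0x1), Src=[10.10.12.202], Dst=[10.10.10.50]
*Packet number: 4*
in:X5*(interface), out:X2, Forwarded
 IP Type: ICMP(0x1), Src=[10.10.10.50], Dst=[10.10.12.202]
"""

PKT = re.compile(r"^\*Packet number: (\d+)\*$", re.M)
IPHDR = re.compile(r"IP Type: (\w+)\(0x[0-9a-fA-F]+\), Src=\[([\d.]+)\], Dst=\[([\d.]+)\]")
PATH = re.compile(r"in:(\w+)\*?\(interface\), out:(\w+), (\w+)")
DROP = re.compile(r"DROPPED, Drop Code: (\d+), Module Id: (\d+)")

def parse(text):
    """Split a text export into one dict per packet that has an IP header."""
    parts = PKT.split(text)            # ['', '1', body1, '2', body2, ...]
    packets = []
    for num, body in zip(parts[1::2], parts[2::2]):
        ip, path, drop = IPHDR.search(body), PATH.search(body), DROP.search(body)
        if not ip:
            continue                   # non-IP frames are skipped
        packets.append({
            "num": int(num), "proto": ip.group(1), "src": ip.group(2), "dst": ip.group(3),
            "in": path.group(1) if path else None, "out": path.group(2) if path else None,
            "status": "DROPPED" if drop else (path.group(3) if path else None),
            "drop": (int(drop.group(1)), int(drop.group(2))) if drop else None,
        })
    return packets

def one_way_flows(packets):
    """Forwarded src->dst pairs for which no dst->src packet appears at all."""
    seen = {(p["src"], p["dst"]) for p in packets}
    fwd = {(p["src"], p["dst"]) for p in packets if p["status"] == "Forwarded"}
    return sorted(f for f in fwd if (f[1], f[0]) not in seen)

def drop_codes(packets):
    """Count dropped packets per (drop code, module id)."""
    return Counter(p["drop"] for p in packets if p["drop"])
```

A flow that is forwarded but never answered, and not dropped either, means the reply never reached the firewall, which points at the destination host's own routing or gateway setting rather than at the access rules.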
 
digitapCommented:
can you change the IP address on the WAN interface?  I also noticed the TSR shows your X2 interface is down meaning nothing is plugged into it which is what should be the uplink to your sonicpoints.  is your uplink to the sonicpoint(s) and x2 interface connected?
0
 
digitapCommented:
let's try this as a test utilizing the corporate vap:

- Create a new address object to include a range of IP addresses on the x5 side of the sw.
- Create a new route and select the source as the corp VAP, destination as the new address object, service is any, gateway is "wan primary ip" or "gateway" and the interface is x5.
- assuming the sw doesn't give you an error, try to ping a host on the x5 interface, 10.10.10.186.
0
 
patrickhchAuthor Commented:
I am home now, but I will try the test plan first thing in the morning. Thank you again for the help and I will report in first thing in the morning.
0
 
patrickhchAuthor Commented:
an update on the situation..... this morning i created a route policy with source as our lan range, destination wlan range, service any, gateway 0.0.0.0, interface 2, metric 20.  I can now ping ips on the lan from the wlan (except the 10.10.10.186 address I need & i can't view it in the browser).  I also cannot ping from the lan to the wlan....

Also, i am unsure of how to update the rom on the firewall, i looked on sonicwall's site, but I only found the firmware updates...
0
 
digitapCommented:
Let's see what the ROM update does.  I have attached a doc that will walk you through the update.  Let me know if you have questions.
upgrading-ROM-Pro3060Enhanced.pdf
0
 
digitapCommented:
Of the client with IP 10.10.10.186, what is its gateway?
0
 
patrickhchAuthor Commented:
WOW....that was it, the gateway on the machine I was trying to connect to had been changed....that did it.  I think this one is about done.  digitap thanks for all of the incredible effort.  500 points doesn't seem like near enough.

Btw I still haven't heard from a mod about taking the tsr down.  I requested attention, but no response yet.
0
 
digitapCommented:
Great!  I'm glad I could help.  It takes them a couple of days.  I put some sensitive information on a post once and it took about three days before a mod responded.  Looking through the tsr, I don't see the VPN information so you must not have selected that information to export.

To clarify, you needed to create the route I recommended AND fix the gateway?  Before, I was thinking the communication WLAN > LAN and LAN > WLAN was not functional, right?
0
 
patrickhchAuthor Commented:
You are correct, I had to create the route as well as the gateway. Before adding the route I could not access any resources on the LAN. The gateway then corrected the single ip.

No I don't believe I exported the VPN.
I also tried to access the LAN on the guest access route and it was restricted like it should be.

Thanks again for the wise insight
0
 
digitapCommented:
Excellent!  I'm glad I could help and thanks for the points!
0
Question has a verified solution.
