Sonicwall WLAN to LAN Access

I am in the process of creating wireless access at our facility with a Sonicwall Pro3060 and several SonicPointN's using VAP.  I have configured a WLAN zone for office users and a VLAN on the WLAN interface for guest access.  Both of these zones are on separate IP schemes, and neither one of them shares the scheme of our LAN.  The problem is I am trying to add access for the WLAN to our LAN because we need access to network shares as well as internal browser-based applications.  I have allowed all the appropriate access rules, but still no luck translating/allowing the WLAN traffic to our LAN.  Both zones do have access to the internet though....
patrickhchAsked:

digitapCommented:
I'd have to see your firewall settings.  If you create a TSR and only post the firewall settings that are pertinent to the WLAN > LAN and LAN > WLAN settings, that should be enough to assist.
0
patrickhchAuthor Commented:
Please forgive my ignorance, but I am unsure what a TSR is or how to post the firewall settings to it.
0
patrickhchAuthor Commented:
Sorry for the mind blip.... here is the attached report.  Let me know if you need more info.
tsr.txt
0

digitapCommented:
From your rules, I see that from WLAN > LAN you are allowing Any.  From WLAN to WLAN, you are allowing Ping, the management interface and Any.  However, I don't see LAN > WLAN.
0
patrickhchAuthor Commented:
sorry here is the rest
tsr1.txt
0
digitapCommented:
You're right, the rules look like all is allowed WLAN > LAN and LAN > WLAN.  Have you run the packet monitor to see what happens to your traffic?  It's under System > Packet Monitor.  Also, post your routing policies for WLAN and LAN.
0
patrickhchAuthor Commented:
here is the routing table... thanks for the packet info i will look at it...
routing.txt
0
patrickhchAuthor Commented:
here is the packet capture...
the machine on the wlan is 10.10.12.202
I am trying to access ip 10.10.10.186 on the lan....


Original version of attachment replaced with sanitized version per http://www.experts-exchange.com/Community_Support/General/Q_26100468.html?cid=1572#a32317758 LadyModiva 042910


packetcap.txt
0
digitapCommented:
um, you're going to want to get a mod to delete the entry or attachment at http:#a32317758 as the attachment you posted was the entire TSR and not the packet capture.  Or, get them to replace the attachment with the packet capture.
0
digitapCommented:
Also, I noticed you are on ROM version 3.1.0.2.  Sonicwall has recommended upgrading to ROM version 4.2.1.0_ROM-12e before upgrading to the version of firmware you are currently on.
0
patrickhchAuthor Commented:
wow that was a bad mistake... busy and wasn't paying attention... I requested attention, thanks for the heads up.

Attached is the entire packet capture....
When I filter the packet capture by the source IP, this is what I get even if I am trying to access the 10.10.10.186 IP:

Ethernet Header
 Ether Type: IP(0x800), Src=[00:24:d6:7a:0a:b6], Dst=[ff:ff:ff:ff:ff:ff]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.10.12.202], Dst=[10.10.12.255]
UDP Packet Header
 Src=[137], Dst=[137], Checksum=0xf6be, Message Length=58 bytes
Application Header
 NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 47, Module Id: 27, (Ref.Id: _2767_jcpfngDtqcfecuvRcemgv)


packetcapture.txt
0
patrickhchAuthor Commented:
thanks for the rom update info i will check into it.  As you can tell firewall management is not my strong point...thanks for the help.  I have tried sonicwall tech support, but haven't gotten a response.
0
digitapCommented:
yeah...you have to call to get decent help.  i'm looking over the packet capture stuff...i'll report back with some questions.  getting to supper time and getting my son to bed so there may be a delay.
0
digitapCommented:
it looks like one of your interfaces x5, is running in transparent mode...did you intend that?
0
patrickhchAuthor Commented:
Yeah, that is the way it was set up (before I was here).  The Sonicwall was added to the existing network, so they installed it that way (before I worked here) since the gateway internal address is on the same 10.10.10.xxx scheme. X5 is the LAN interface that I am trying to communicate to. Nothing is plugged in the default LAN X0 interface. I have been wondering if that is making things more difficult.
0
digitapCommented:
i think this might actually be a routing issue and not a firewall issue.  Open your packet capture you posted and search for *Packet number: 4987*  Notice that it goes in x2 and out x5.  That doesn't seem right.  This is what I'm seeing:

in:X2*(interface), out:X5, Forwarded
0
digitapCommented:
can you change the IP address on the WAN interface?  I also noticed the TSR shows your X2 interface is down meaning nothing is plugged into it which is what should be the uplink to your sonicpoints.  is your uplink to the sonicpoint(s) and x2 interface connected?
0
digitapCommented:
let's try this as a test utilizing the corporate vap:

- Create a new address object to include a range of IP addresses on the x5 side of the sw.
- Create a new route and select the source as the corp VAP, destination as the new address object, service is any, gateway is "wan primary ip" or "gateway" and the interface is x5.
- assuming the sw doesn't give you an error, try to ping a host on the x5 interface, 10.10.10.186.
0
patrickhchAuthor Commented:
I am home now, but I will try the test plan first thing in the morning. Thank you again for the help and I will report in first thing in the morning.
0
digitapCommented:
I've been looking over the packet capture and I'm seeing traffic forwarded from x2 to x5 which tells me that traffic is getting routed properly.  What I'm not seeing is traffic coming from x5 to x2.  I'm not even seeing it dropped.  I'm not seeing it period.  If I were you, I'd update the ROM version first.  Make sure you get backups first...>GRIN<

If the update doesn't change anything, see if you can configure the settings to remove transparent mode.

If all that's a no go, then we'll look at things then.
0
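The check described in the comment above (requests forwarded from X2 to X5, but no traffic at all coming back) can be run mechanically over a packet monitor text export. This is an added example, not part of the original thread or SonicWall's tooling; the sample capture is constructed, and the export layout is assumed from the fragments quoted on this page.

```python
import re
from collections import Counter

# Constructed sample, laid out like the capture fragments quoted in this thread.
# The real export may differ; the field layout here is an assumption.
SAMPLE = """\
*Packet number: 1*
IP Packet Header
 IP Type: ICMP(0x1), Src=[10.10.12.202], Dst=[10.10.10.186]
in:X2*(interface), out:X5, Forwarded
*Packet number: 2*
IP Packet Header
 IP Type: UDP(0x11), Src=[10.10.12.202], Dst=[10.10.12.255]
DROPPED, Drop Code: 47, Module Id: 27
"""

PKT = re.compile(r"^\*?Packet number:\s*(\d+)\*?[ \t]*$", re.M)
IP = re.compile(r"IP Type:\s*(\w+)\(0x[0-9a-fA-F]+\),\s*Src=\[([\d.]+)\],\s*Dst=\[([\d.]+)\]")
PATH = re.compile(r"in:(\w+)\*?(?:\(interface\))?,\s*out:(\w+),\s*(\w+)")
DROP = re.compile(r"DROPPED, Drop Code:\s*(\d+)")

def parse_packets(text):
    """Return one dict per IP packet: number, src, dst, status, in/out interface."""
    parts = PKT.split(text)          # [preamble, num, body, num, body, ...]
    packets = []
    for num, body in zip(parts[1::2], parts[2::2]):
        ip, path, drop = IP.search(body), PATH.search(body), DROP.search(body)
        if not ip:
            continue                 # non-IP frame (e.g. ARP): not relevant here
        status = "dropped" if drop else (path.group(3).lower() if path else "unknown")
        packets.append({"num": int(num), "src": ip.group(2), "dst": ip.group(3), "status": status,
                        "in": path.group(1) if path else None, "out": path.group(2) if path else None})
    return packets

def direction_counts(packets, client, server):
    """Count packets per (direction, status) between exactly these two hosts."""
    names = {(client, server): "request", (server, client): "reply"}
    return Counter((names[p["src"], p["dst"]], p["status"]) for p in packets
                   if (p["src"], p["dst"]) in names)

def is_one_way(packets, client, server):
    """True when requests are forwarded but the firewall never sees any reply."""
    c = direction_counts(packets, client, server)
    replies = sum(n for (d, _), n in c.items() if d == "reply")
    return c[("request", "forwarded")] > 0 and replies == 0

if __name__ == "__main__":
    pkts = parse_packets(SAMPLE)
    print("one-way:", is_one_way(pkts, "10.10.12.202", "10.10.10.186"))
```

A one-way result with no drops on the return path points away from the firewall rules and toward the destination host's own routing, such as its default gateway.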

patrickhchAuthor Commented:
An update on the situation..... this morning I created a route policy with source as our LAN range, destination WLAN range, service any, gateway 0.0.0.0, interface 2, metric 20.  I can now ping IPs on the LAN from the WLAN (except the 10.10.10.186 address I need, and I can't view it in the browser).  I also cannot ping from the LAN to the WLAN....

Also, I am unsure of how to update the ROM on the firewall. I looked on Sonicwall's site, but I only found the firmware updates...
0
digitapCommented:
Let's see what the ROM update does.  I have attached a doc that will walk you through the update.  Let me know if you have questions.
upgrading-ROM-Pro3060Enhanced.pdf
0
digitapCommented:
Of the client with IP 10.10.10.186, what is its gateway?
0
patrickhchAuthor Commented:
WOW.... that was it: the gateway on the machine I was trying to connect to had been changed.... that did it.  I think this one is about done.  digitap, thanks for all of the incredible effort.  500 points doesn't seem like near enough.

Btw I still haven't heard from a mod about taking the tsr down.  I requested attention, but no response yet.
0
digitapCommented:
Great!  I'm glad I could help.  It takes them a couple of days.  I put some sensitive information on a post once and it took about three days before a mod responded.  Looking through the tsr, I don't see the VPN information so you must not have selected that information to export.

To clarify, you needed to create the route I recommended AND fix the gateway?  Before, I was thinking the communication WLAN > LAN and LAN > WLAN was not functional, right?
0
patrickhchAuthor Commented:
You are correct; I had to create the route as well as the gateway. Before adding the route I could not access any resources on the LAN. The gateway then corrected the single IP.

No I don't believe I exported the VPN.
I also tried to access the LAN on the guest access route and it was restricted like it should be.

Thanks again for the wise insight
0
digitapCommented:
Excellent!  I'm glad I could help and thanks for the points!
0