Create an internal LAN DMZ

Posted on 2010-08-16
868 Views
Last Modified: 2013-11-16
I want to create an internal DMZ on my LAN, such that I can use one of my extra ports on my TZ210w to connect client PCs to the internet, but have them unable to access any other network resources on my LAN. From time to time we get client machines infected with the normal range of malware and whatnot, so I need to have them connected to update removal programs, but I want to keep them away from my day-to-day resources. I've tried everything I can think of, but do not get a connection.

Thanks!
Question by: microsymplex
12 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33448250
I think your conception of a DMZ is a bit skewed. A DMZ (demilitarized zone) is a computer that's placed outside the protection of a router's firewall, to allow all inbound traffic from outside the router to hit the PC normally without firewall restriction.

One thing you can do to resolve your issue is to set up a unique workgroup for your network (example: FIXINGSTUFF), and manually assign subnetting, etc.

From my 16 years (and 3000+ virus removal procedures) of computing experience, however, most PCs that are attached to a common network will NOT have a malware issue unless the customer is infected with a worm (very rare). Most infections that are spread in a computer repair shop environment are spread through plugging in USB drives and then moving those drives to other computers.

A good free malware utility to use is Combofix, created by sUBs, sponsored on the bleepingcomputer.com website: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Wish you luck.
 
LVL 33

Expert Comment

by:digitap
ID: 33448806
However, you can use one of the interfaces on the SonicWall to create an internal "DMZ" without removing the firewall restrictions. Create a new zone, assign it to a spare interface on the SonicWall. Connect the desired PC to it. Then, configure the firewall access rules between the new zone > LAN and LAN > new zone.
 

Author Comment

by:microsymplex
ID: 33449149
@digitap, how do I configure the settings within the "new" interface?

- Zone: DMZ?
- IP Assignment: Static?
- IP Address: ????


In the past trying to configure the static IP, I've gotten overlap errors.
 
LVL 33

Expert Comment

by:digitap
ID: 33449200
You can use the DMZ zone. Create an internal IP address, something like 192.168.35.0/24 or 10.10.10.0/24. Give the interface a static IP from one of those subnet ranges.

As an example, if we picked 192.168.30.0/24:

- Interface IP: 192.168.30.20
- Mask: 255.255.255.0
- Zone: DMZ

When you are done creating the interface, the SonicWall will create a new DHCP scope for that interface. Any device that connects to the interface will get an IP address from the SonicWall. Also, go to Firewall > Access Rules. Select DMZ > LAN. There is probably a default rule to Deny any traffic to the LAN zone. You can double check LAN > DMZ just to see what's there and create your own Deny rule if you want. Then, check WAN > DMZ and DMZ > WAN to make sure the respective rules are as you want.
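To make the zone and rule logic from this answer concrete, and to show why the author's earlier "overlap errors" occur, here is an added example (not from the thread or SonicWall's own configuration): a small Python model of the interfaces, zones, and zone-pair access rules, with constructed addresses based on the subnets mentioned in the thread. The interface and zone names are assumptions about how such a firewall is modelled, not the device's API.

```python
import ipaddress
import itertools

# Constructed data modelled on the thread: trusted LAN on X0, quarantine DMZ on X2.
# The WAN address is a documentation-range placeholder, not a real value.
INTERFACES = {
    "X0": {"zone": "LAN", "net": "192.168.1.0/24",   "ip": "192.168.1.1"},
    "X1": {"zone": "WAN", "net": "0.0.0.0/0",        "ip": "203.0.113.2"},
    "X2": {"zone": "DMZ", "net": "192.168.232.0/24", "ip": "192.168.232.1"},
}

# Zone-pair access rules (source zone, destination zone, action).
# Anything not matched by a rule is denied, which is the safe default for a quarantine.
ACCESS_RULES = [
    ("DMZ", "WAN", "allow"),
    ("DMZ", "LAN", "deny"),
    ("LAN", "DMZ", "deny"),
    ("WAN", "DMZ", "deny"),
    ("LAN", "WAN", "allow"),
]

def overlapping_interfaces(interfaces):
    """Return pairs of internal interfaces whose subnets overlap.

    Two internal interfaces sharing address space is what produces the
    'overlap error' the author hit when assigning a static IP to the new interface.
    """
    internal = [(name, ipaddress.ip_network(i["net"]))
                for name, i in interfaces.items() if i["zone"] != "WAN"]
    return [(a, b) for (a, na), (b, nb) in itertools.combinations(internal, 2)
            if na.overlaps(nb)]

def zone_of(ip, interfaces):
    """Longest-prefix match: a destination on no internal subnet falls to the
    default route, i.e. the WAN interface (0.0.0.0/0)."""
    best = None
    for iface in interfaces.values():
        net = ipaddress.ip_network(iface["net"])
        if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface["zone"], net)
    return best[0]

def is_allowed(src_ip, dst_ip, interfaces=INTERFACES, rules=ACCESS_RULES):
    """Decide whether traffic between two hosts passes the zone-pair rules."""
    src_zone, dst_zone = zone_of(src_ip, interfaces), zone_of(dst_ip, interfaces)
    if src_zone == dst_zone:
        return True  # same zone: not subject to inter-zone rules in this model
    for s, d, action in rules:
        if (s, d) == (src_zone, dst_zone):
            return action == "allow"
    return False  # no matching rule: deny
```

A quarantined host can reach the internet but not the LAN, while a DMZ subnet carved out of the LAN's address space is flagged as overlapping before any rule is evaluated.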
 
LVL 33

Expert Comment

by:digitap
ID: 33449209
What's the IP you've used on the LAN interface? Whatever that is, use something incrementally larger. If 192.168.29.0/24, then use 192.168.30.0.
 

Author Comment

by:microsymplex
ID: 33450129
I've tried using a different subnet, such as 192.168.230.x for the "untrusted" DMZ, versus my normal internal IP of 192.168.1.x, as seen below.

X2 - DMZ - 192.168.232.1 - 255.255.255.0 - Static - 100 Mbps full-duplex - Quarantined LAN ...

When thinking about it though, how does X2 know where to go to get to the WAN port in this arrangement? It doesn't; I think that's where I'm stuck.
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 33450150
All the internal interfaces will use the default gateway of the SonicWall, which is the IP of the WAN interface, if it encounters a network it doesn't know how to route to internally. Are you trying to resolve DNS on a DMZ host? Set a host with a static IP on the DMZ network. Set the DNS to 4.2.2.2. This should allow you to resolve. Otherwise, it must be a DMZ > WAN or WAN > DMZ access rule.
 

Author Comment

by:microsymplex
ID: 33455982
Not really trying to resolve anything. I just want these computers in a quarantined mini-network, with access to the internet and not my local LAN resources. I wonder if I should have to enable the onboard DHCP server for my DMZ LAN subnet?
 
LVL 33

Expert Comment

by:digitap
ID: 33456455
You can if you want. The SonicWall will create a scope for you automatically.
 

Author Comment

by:microsymplex
ID: 33456751
Thanks digitap, that pointed me in the right direction. Once I enabled the onboard DHCP server on the SonicWall for my quarantined interface's subnet, I connected right up with the correct IP, and am unable to talk to any of my "trusted" resources. If it helps anyone else, here are a few screenshots of my SonicWall config (TZ210W):

Screenshots: dmz1.jpg, dmz2.jpg
 

Author Closing Comment

by:microsymplex
ID: 33456763
Thanks digitap, that pointed me in the right direction and cleared up my thought process.

Cheers!
 
LVL 33

Expert Comment

by:digitap
ID: 33456884
You're welcome. Thanks for the points!
