Create an internal LAN DMZ

I want to create an internal DMZ on my LAN, such that I can use 1 of my extra ports on my TZ210w so that I can connect client PCs to the internet, but that are unable to access any other network resources on my LAN. From time to time we get client machines infected with the normal range of malware and what not, so I need to have them connected to update removal programs, but I want to keep them from my day to day resources. I've tried everything I can think of, but do not get a connection.

Thanks!
microsymplex asked:

truromeo4juliet commented:
I think your conception of a DMZ is a bit skewed. A DMZ (demilitarized zone) is a computer that's placed outside the protection of a router's firewall, to allow all inbound traffic from outside the router to hit the PC normally without firewall restriction.

One thing you can do to resolve your issue is to setup a unique workgroup for your network (example: FIXINGSTUFF), and manually assign subnetting, etc...

From my 16 years (and 3000+ virus removal procedures) of computing experience, however, most PCs that are attached to a common network will NOT have a malware issue unless the customer is infected with a worm (very rare). Most infections that are spread in a computer repair shop environment are spread through plugging in USB drives and then moving those drives to other computers.

A good free malware utility to use is Combofix, created by sUBs, sponsored on the bleepingcomputer.com website: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Wish you luck.
0
digitap commented:
However, you can use one of the interfaces on the sonicwall to create an Internal "DMZ" without removing the firewall restrictions.  Create a new zone, assign it to a spare Interface on the sonicwall.  Connect the desired PC to it.  Then, configure the firewall access rules between the new zone > LAN and LAN > new zone.
0
microsymplex (Author) commented:
@digitap, how do I configure the settings within the "new" interface?
Zone - DMZ?
IP Assignment - Static?
IP Address - ????


In the past trying to configure the static IP, I've gotten overlap errors.
0

digitap commented:
You can use the DMZ zone.  Create an internal IP address.  Something like 192.168.35.0/24 or 10.10.10.0/24.  Give the interface a static IP from one of those subnet ranges.

As an example, if we picked 192.168.30.0/24
Interface IP: 192.168.30.20
Mask: 255.255.255.0
Zone: DMZ

When you are done creating the Interface, the sonicwall will create a new DHCP scope for that interface.  Any device that connects to the interface will get an IP address from the sonicwall.  Also, go to Firewall > Access Rules.  Select DMZ > LAN.  There is probably a default rule to Deny any traffic to the LAN zone.  You can double check LAN > DMZ just to see what's there and create your own Deny rule if you want.  Then, check WAN > DMZ and DMZ > WAN to make sure the respective rules are as you want.
0
digitap commented:
What's the IP you've used on the LAN interface?  Whatever that is, use something incrementally larger.  If 192.168.29.0/24, then use 192.168.30.0.
0
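As an added example (not from the thread or from SonicWall), a small Python model of the two things digitap describes: the zone-pair access rules a quarantined interface needs (DMZ > LAN denied, DMZ > WAN allowed) and the subnet-overlap check behind the "overlap errors" when picking the new interface's address. The subnets 192.168.1.0/24 and 192.168.30.0/24 come from the thread; the rule list and the intra-zone behaviour are assumptions about what the finished rule set looks like.

```python
import ipaddress

# Constructed example: the zones and subnets discussed in the thread
# (LAN on 192.168.1.0/24, internal DMZ on 192.168.30.0/24; anything else is WAN).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.30.0/24"),
}

# Zone-pair access rules, evaluated in order; first match wins, default deny.
# Assumed target rule set: quarantined hosts reach the internet but not the LAN.
RULES = [
    ("DMZ", "LAN", "deny"),
    ("LAN", "DMZ", "deny"),
    ("DMZ", "WAN", "allow"),
    ("LAN", "WAN", "allow"),
    ("WAN", "DMZ", "deny"),
    ("WAN", "LAN", "deny"),
]


def zone_of(ip):
    """Return the zone whose subnet contains ip; anything not internal is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src_ip, dst_ip):
    """Return 'allow' or 'deny' for a flow, mimicking zone-pair rule lookup."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # assumption: traffic inside one zone is not filtered here
    for s, d, action in RULES:
        if s == src_zone and d == dst_zone:
            return action
    return "deny"  # no matching zone pair: default deny


def overlapping_zones(new_subnet, existing=ZONES):
    """Names of existing zones that a proposed interface subnet overlaps.

    An empty list means the subnet is safe to assign to the new interface;
    a non-empty list is the condition that produces an 'overlap' error.
    """
    new = ipaddress.ip_network(new_subnet)
    return [name for name, net in existing.items() if new.overlaps(net)]
```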
microsymplex (Author) commented:
I've tried using a different subnet, such as 192.168.230.x for the "untrusted" dmz, versus my normal internal IP of 192.168.1.x as seen below.

X2 - DMZ - 192.168.232.1 - 255.255.255.0 - Static - 100 Mbps full-duplex - Quarantined LAN ...

When thinking about it though, how does X2 know where to go to get to the WAN port in this argument...it doesn't, I think that's where I'm stuck.
0
digitap commented:
All the internal interfaces will use the default gateway of the sonicwall, which is the IP of the WAN interface, if it encounters a network it doesn't know how to route internally.  Are you trying to resolve DNS on a DMZ host?  Set a host as a static IP on the DMZ network.  Set the DNS to 4.2.2.2.  This should allow you to resolve.  Otherwise, it must be a DMZ > WAN or WAN > DMZ access rule.
0

microsymplex (Author) commented:
Not really trying to resolve anything...I just want these computers in question in a quarantined mini-network, to have access to the internet and not my local LAN resources. I wonder if I should have to enable the onboard DHCP server for my DMZ LAN subnet?
0
digitap commented:
You can if you want.  The sonicwall will create a scope for you automatically.
0
microsymplex (Author) commented:
Thanks digitap, that pointed me in the right direction. Once I enabled the onboard DHCP server on the Sonicwall for my quarantined interface's subnet, I connected right up with the correct IP, and am unable to talk to any of my "trusted" resources. If it helps anyone else, here are a few screenshots of my Sonicwall config...(TZ210W)


dmz1.jpg
dmz2.jpg
0
microsymplex (Author) commented:
Thanks digitap, that pointed me in the right direction and cleared up my thought process.

Cheers!
0
digitap commented:
You're welcome...thanks for the points!
0