Solved

Create an internal LAN DMZ

Posted on 2010-08-16
12
849 Views
Last Modified: 2013-11-16
I want to create an internal DMZ on my LAN, such that I can use 1 of my extra ports on my TZ210w so that I can connect client PC's to the internet, but that are unable to access any other network resources on my LAN. From time to time we get client machines infected with the normal range of malware and what not, so I need to have them connected to update removal programs, but I want to keep them from my day to day resources. I've tried everything I can think of, but do not get a connection.

Thanks!
0
Question by:microsymplex
12 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33448250
I think your conception of a DMZ is a bit skewed. A DMZ (demilitarized zone) is a computer that's placed outside the protection of a router's firewall, to allow all inbound traffic from outside the router to hit the PC normally without firewall restriction.

One thing you can do to resolve your issue is to setup a unique workgroup for your network (example: FIXINGSTUFF), and manually assign subnetting, etc...

From my 16 years (and 3000+ virus removal procedures) of computing experience, however, most PC's that are attached to a common network will NOT have a malware issue unless the customer is infected with a worm (very rare). Most infections that are spread in a computer repair shop environment are spread through plugging in USB drives and then moving those drives to other computers.

A good free malware utility to use is Combofix, created by sUBs, sponsored on the bleepingcomputer.com website: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Wish you luck.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33448806
However, you can use one of the interfaces on the sonicwall to create an Internal "DMZ" without removing the firewall restrictions. Create a new zone, assign it to a spare Interface on the sonicwall. Connect the desired PC to it. Then, configure the firewall access rules between the new zone > LAN and LAN > new zone.
0
 

Author Comment

by:microsymplex
ID: 33449149
@digitap, how do I configure the settings within the "new" interface?
Zone   -      DMZ?
IP Assignment    -     Static?
IP Address    -      ????


In the past trying to configure the static IP, I've gotten overlap errors.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33449200
You can use the DMZ zone.  Create an internal IP address.  Something like 192.168.35.0/24 or 10.10.10.0/24.  Give the interface a static IP from one of those subnet ranges.

As an example, if we picked 192.168.30.0/24
Interface IP: 192.168.30.20
Mask: 255.255.255.0
Zone: DMZ

When you are done creating the Interface, the sonicwall will create a new DHCP scope for that interface. Any device that connects to the interface will get an IP address from the sonicwall. Also, go to Firewall > Access Rules. Select DMZ > LAN. There is probably a default rule to Deny any traffic to the LAN zone. You can double check LAN > DMZ just to see what's there and create your own Deny rule if you want. Then, check WAN > DMZ and DMZ > WAN to make sure the respective rules are as you want.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33449209
What's the IP you've used on the LAN interface? Whatever that is, use something incrementally larger. If 192.168.29.0/24, then use 192.168.30.0.
0
 

Author Comment

by:microsymplex
ID: 33450129
I've tried using a different subnet, such as 192.168.230.x for the "untrusted" dmz, versus my normal internal IP of 192.168.1.x as seen below.

X2 - DMZ - 192.168.232.1 - 255.255.255.0 - Static - 100 Mbps full-duplex - Quarantined LAN ...

When thinking about it though, how does X2 know where to go to get to the WAN port in this argument...it doesn't, I think that's where I'm stuck.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33450150
All the internal interfaces will use the default gateway of the SonicWall, which is the IP of the WAN interface, if it encounters a network it doesn't know how to route internally. Are you trying to resolve DNS on a DMZ host? Set a host as a static IP on the DMZ network. Set the DNS to 4.2.2.2. This should allow you to resolve. Otherwise, it must be a DMZ > WAN or WAN > DMZ access rule.
0
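The thread's procedure boils down to three decisions the firewall makes for a quarantined host: which subnet the new interface can use without overlapping the LAN (the "overlap errors" above), which interface a destination leaves through (directly connected subnets are routed internally, everything else takes the default route out the WAN interface, as digitap's accepted answer explains), and whether the zone-pair access rule permits the flow (DMZ > WAN allowed, DMZ > LAN denied). The script below is an added example that models those three steps so a plan can be sanity-checked before touching the appliance; it is not SonicWall code or anything posted in the thread. The interface names, addresses (X0 LAN 192.168.1.1/24, X2 DMZ 192.168.232.1/24, X1 WAN as the default route), the rule table and the default-deny fallback for unlisted zone pairs are all constructed assumptions that mirror the thread, not values read from any device.

```python
"""Offline model of the plan-then-verify steps discussed in this thread:
subnet overlap check, egress-interface lookup and zone-pair rule evaluation.
Added example, not SonicWall code; every address and rule below is a
constructed assumption that mirrors the thread's topology."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str                                   # X0, X1, X2 ...
    zone: str                                   # LAN, DMZ, WAN
    address: Optional[ipaddress.IPv4Interface]  # interface IP/mask; None = WAN default route

    @property
    def network(self) -> Optional[ipaddress.IPv4Network]:
        return self.address.network if self.address else None

    @property
    def gateway(self) -> Optional[str]:
        # Address the DHCP scope on this interface hands out as the default gateway.
        return str(self.address.ip) if self.address else None


# Constructed topology: LAN on X0 (192.168.1.x as in the thread), quarantined zone on X2.
INTERFACES = [
    Interface("X0", "LAN", ipaddress.ip_interface("192.168.1.1/24")),
    Interface("X1", "WAN", None),
    Interface("X2", "DMZ", ipaddress.ip_interface("192.168.232.1/24")),
]

# Constructed zone-pair rules following the thread's advice.
# Assumption: any pair not listed is denied (default-deny).
RULES = {
    ("LAN", "WAN"): "allow",
    ("DMZ", "WAN"): "allow",   # quarantined hosts may reach update servers
    ("DMZ", "LAN"): "deny",    # never into the day-to-day resources
    ("LAN", "DMZ"): "deny",
    ("WAN", "DMZ"): "deny",
    ("WAN", "LAN"): "deny",
}


def overlapping(candidate: str, interfaces=INTERFACES) -> List[str]:
    """Names of interfaces whose subnet overlaps the candidate (the 'overlap error' case)."""
    net = ipaddress.ip_network(candidate)
    return [i.name for i in interfaces if i.network is not None and i.network.overlaps(net)]


def next_free_subnet(candidate: str, interfaces=INTERFACES) -> str:
    """Walk upward one block at a time ('something incrementally larger') until nothing collides."""
    net = ipaddress.ip_network(candidate)
    while overlapping(str(net), interfaces):
        nxt = int(net.network_address) + net.num_addresses
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(nxt)}/{net.prefixlen}")
    return str(net)


def interface_for(addr: ipaddress.IPv4Address, interfaces=INTERFACES) -> Interface:
    """Longest match over directly connected subnets; anything else leaves via the WAN default route."""
    connected = [i for i in interfaces if i.network is not None and addr in i.network]
    if connected:
        return max(connected, key=lambda i: i.network.prefixlen)
    return next(i for i in interfaces if i.network is None)


def evaluate_flow(src: str, dst: str, interfaces=INTERFACES, rules=RULES) -> dict:
    """Route the flow, map both ends to zones and apply the zone-pair rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(s, interfaces), interface_for(d, interfaces)
    if ingress.zone == egress.zone:
        verdict = "allow"   # assumption: intra-zone traffic is not filtered in this model
    else:
        verdict = rules.get((ingress.zone, egress.zone), "deny")
    return {"egress": egress.name, "src_zone": ingress.zone,
            "dst_zone": egress.zone, "verdict": verdict}


if __name__ == "__main__":
    print("overlaps with X0:", overlapping("192.168.1.0/24"))
    print("next free /24:", next_free_subnet("192.168.1.0/24"))
    print("DMZ gateway handed out by DHCP:", INTERFACES[2].gateway)
    for src, dst in [("192.168.232.50", "192.168.1.10"),   # quarantined host -> LAN file server
                     ("192.168.232.50", "4.2.2.2"),        # quarantined host -> public DNS
                     ("203.0.113.5", "192.168.232.50")]:   # inbound from the WAN side
        print(src, "->", dst, evaluate_flow(src, dst))
```

Run it as-is to see the three cases from the thread decided: the DMZ host reaches a public address through X1 and is allowed, its attempt at a LAN address is routed to X0 but denied by the DMZ > LAN rule, and traffic from the WAN side toward the DMZ is denied. Swap in your own interface addresses to check a planned subnet for overlap before assigning it to the new interface.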
 

Author Comment

by:microsymplex
ID: 33455982
Not really trying to resolve anything...I just want these computers in question in a quarantined mini-network, to have access to the internet and not my local LAN resources. I wonder if I should have to enable the onboard DHCP server for my DMZ LAN subnet?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33456455
You can if you want. The sonicwall will create a scope for you automatically.
0
 

Author Comment

by:microsymplex
ID: 33456751
Thanks digitap, that pointed me in the right direction. Once I enabled the onboard DHCP server on the SonicWall for my quarantined interface's subnet, I connected right up with the correct IP, and am unable to talk to any of my "trusted" resources. If it helps anyone else, here's a few screenshots of my SonicWall config...(TZ210W)


dmz1.jpg
dmz2.jpg
0
 

Author Closing Comment

by:microsymplex
ID: 33456763
Thanks digitap, that pointed me in the right direction and cleared up my thought process.

Cheers!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33456884
You're welcome...thanks for the points!
0
