Solved

Initial config of SonicWall router

Posted on 2010-09-22
Last Modified: 2012-05-10
Initial install of a SonicWall TZ200 router between our Windows Server 2003 LAN and the ISP's modem. Both the ISP and SW say that it should be easy, but I'm having a tough time setting up the WAN interface.

DHCP is done by our server (192.168.0.99). I'd like to set the TZ200 at a static IP of 192.168.0.98. The ISP modem has a public IP and is also the LAN's gateway at 192.168.0.1.

I've set the LAN interface at STATIC with the above info... no problem. But then, the WAN interface wants me to set an IP address. I've tried the 192.168.0.98/255.255.255.0, but it says that the "Subnet on this interface overlaps with another interface."

After conversations with the ISP, they're saying that we need to pay for an additional static public IP for the router. Or, that if I changed the modem to be the DHCP server that "should" work.

Big problem is that I have really limited opportunities to mess with this stuff on-site, so calling SonicWall tech support has been frustrating - it's hard to gauge when you'll get an actual tech on the phone - could be 5 minutes or 65 minutes.

Anyone have experience with this type of setup? Are these two options (additional static IP or change DHCP) the only ones I'm left with?

Thanks in advance!
Question by:ricknick57
21 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33740916
You can have your sonicwall in two configurations.  First, the way you have it now.  Second, you put the ISP modem into transparent/bridge mode.

First option: You need to change the LAN IP of the ISP modem from 192.168.0.0/24 to something like 192.168.1.0/24.  The reason you get an error when setting the IP of the WAN interface is the IP address of the WAN interface can't be on the same subnet as the LAN interface.  The sonicwall routes between the WAN and LAN zones.  It also NATs between the two.  Changing the IP address on the ISP hardware and the WAN interface is the easiest option.

Second option: When you set the ISP modem in transparent mode, you put the WAN IP that the ISP modem has onto the WAN interface of the sonicwall.  This option is a little harder to set as you have to reconfigure the ISP hardware, but troubleshooting is easier if there is a challenge with connectivity.

What hardware is the ISP's modem?

Also, by the way, your ISP doesn't know what they are talking about....you don't need a second public IP address.
0
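The overlap rule from the answer above, as an added example that is not part of the original thread: a small pre-change check for a routed (NAT) interface plan, run against the addresses from the question and against the renumbered modem LAN from the first option. The WAN address 192.168.1.2 and gateway 192.168.1.1 are assumed values chosen for illustration; the thread only gives the 192.168.1.0/24 subnet.

```python
import ipaddress
from itertools import combinations


def check_plan(interfaces, wan_gateway):
    """Return a list of problems in a routed (NAT) firewall interface plan.

    interfaces:  {"LAN": "ip/mask", "WAN": "ip/mask"} (dotted masks accepted)
    wan_gateway: next hop on the WAN side (here, the ISP modem's LAN address)
    """
    parsed = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}
    problems = []

    # A device that routes between zones needs each interface in its own subnet;
    # this is the condition behind "Subnet on this interface overlaps".
    for (a, ia), (b, ib) in combinations(sorted(parsed.items()), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} {ia.network} overlaps {b} {ib.network}")

    # The WAN next hop must be reachable directly on the WAN subnet.
    wan = parsed["WAN"]
    gw = ipaddress.ip_address(wan_gateway)
    if gw not in wan.network:
        problems.append(f"gateway {gw} is not on the WAN subnet {wan.network}")
    elif gw == wan.ip:
        problems.append(f"gateway {gw} is the WAN interface's own address")
    return problems


# Plan from the question: both interfaces on 192.168.0.0/24.
ORIGINAL = {"LAN": "192.168.0.98/255.255.255.0",
            "WAN": "192.168.0.98/255.255.255.0"}

# First option: modem LAN renumbered to 192.168.1.0/24.
# 192.168.1.2 (WAN) and 192.168.1.1 (modem) are assumed addresses.
RENUMBERED = {"LAN": "192.168.0.98/255.255.255.0",
              "WAN": "192.168.1.2/255.255.255.0"}

if __name__ == "__main__":
    for label, plan, gw in (("original", ORIGINAL, "192.168.0.1"),
                            ("renumbered", RENUMBERED, "192.168.1.1")):
        print(label, check_plan(plan, gw) or "ok")
```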
 
LVL 1

Author Comment

by:ricknick57
ID: 33741067
Hi digitap,

Thanks for the response! The ISP is saying that they're passing through all traffic unfiltered, but I know that they're at least doing some port forwarding for RDC to my server.

I'll follow up tomorrow by getting the hardware type of the modem. Also, the ISP has said that I can use X.X.X.17/255.255.255.252 for the router gateway (where the modem public IP is X.X.X.18) but that hasn't helped because I still don't have an IP for the router itself.

I appreciate your help,
Rick
0
 
LVL 33

Expert Comment

by:digitap
ID: 33743717
they are at least NAT'ing the traffic between the public interface and the private interface.  ISPs aren't much help in these instances.  they don't want you to do anything outside of the norm because they can't support it.  once you get the hardware config we'll get things squared away.
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33747446
digitap,

It's a Fortinet Fortigate 60 device.

Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33748152
hmmm....fortinet.  can you ask your ISP support if they can put their hardware into bridge mode?  if they push back, let me know and we'll go from there.
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33748355
The one thing I don't want to do is interrupt their current connectivity... will putting it into bridge mode affect their current connection? Remember that there's at least one user who relies on an RDC for her job.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33748535
You'll have to make sure you plan this out correctly if you want to move the fortinet into bridge mode.

What kind of connection is this, cable or dsl?
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33749735
It's a T-1 that's part of a voice/data package.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33750868
besides the inherent firewall, do you use any of the other services on the sonicwall?  the fortinet is a true firewall.  so, if you need the sonicwall for other features not offered by your fortinet, then my idea is configure the sonicwall in transparent mode.  Read this and tell me what you think?

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3543
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33758012
SW Tech Support also suggested that (Transparent Mode), and that sounds okay... but the KB you referred me to also says that we need an IP in the same subnet as the WAN.

Sorry I didn't get back to you sooner - dealing with family health issues.

I'm going to follow up with ISP on Monday about the possibility of getting a 2nd public IP, but please let me know what else you're thinking.

Thanks!



0
 
LVL 33

Expert Comment

by:digitap
ID: 33758092
are you running the enhanced or standard OS on the TZ200?  You don't need another public IP address.  you can leave things as they are and configure the LAN subnet in transparent mode.  what are you using for DHCP on your network, the sonicwall?
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33758403
Not sure about the OS version... where would I see that in MySonicWall?

We're using the server for DHCP.

0
 
LVL 33

Expert Comment

by:digitap
ID: 33758595
you might be able to see that information under the my products section, but you may have to log in to the sonicwall to get something definitive.  when you log in, click system on the left then status.  look on the right to get whether standard or enhanced.  you'll also find the firmware version.
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33759007
That'll have to be Tues. AM. I left the router onsite and can't get back there till Tues. (I work as a consultant with approx. 10 small/mid-sized nonprofit organizations outside of Philly.)

Thanks for sticking with me,
Rick
0
 
LVL 33

Expert Comment

by:digitap
ID: 33759140
You bet...talk to you then.
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33782551
digitap,

Just retrieved the router from the client location - it is SonicOS Enhanced 5.3.0.0-16o

I'm also still pursuing the second IP address - just in case. I believe this can be done without it, but I've already set up 4 or 5 of these devices using the 2nd IP, and it was a snap...

Thanks!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33782583
I'd say go with what you know.  If a 2nd IP has worked in the past, then you should stick with that.  You have the enhanced OS so you're not limited to what you can do as with the standard OS.
0
 
LVL 1

Author Comment

by:ricknick57
ID: 33782819
Ok... I'm supposed to hear back from the ISP within 48 hours as to whether they're willing to donate the 2nd IP (this is a small non-profit working with disabled kids).

If it's okay with you, I'll keep the question open in case they decline. If they do come through, I'll close it and give you the points.

Thanks for bearing with me. I'd love to go through the learning curve of figuring this out - I just don't want to do it at the client's expense/inconvenience.

Rick
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33782831
I understand.  We have several non-profit clients and (regardless of the state of the economy) money is always tight.

I'll stand by.
0
 
LVL 1

Author Closing Comment

by:ricknick57
ID: 33815627
digitap,

Thanks so much for your time - I wish I had the time to have you work me through the config of this router without the second IP.

The ISP agreed to "donate" a block of 5 IPs to my client for a one-time charge of $18.50, so I'm going to go that route for now.

It was a pleasure working with you.

Best wishes,
Rick
0
 
LVL 33

Expert Comment

by:digitap
ID: 33815662
Thanks Rick...no problem.  Thanks for the points and I'll be seeing you around.
0
