Pivnardo asked:
How to create security for a VLAN with routing rules or firewall rules on a SonicWall

I currently have 2 standard routers plugged into LAN ports of a SonicWall TZ-190W. They have static LAN IPs set up for their WANs. The sub-networks work just fine being double NATed. The problem is that the networks can talk to each other. Is there a way to separate the networks, like with a VLAN?

There is not much you can change in the router. I was looking for rules that could be created in the firewall, or perhaps modifying the routing rules of the SonicWall gateway device.
The firewall also has an OPT port and 1-2-1 translation. I was not able to get them to work. I understand that the "W" model does not support the use of the OPT interface. I have disabled the wireless feature of the router. It did not help.

Thank you for any direction or answers you can provide.  Much appreciated :-)
shubhanshu_jaiswal:

You can define access rules in the firewall to restrict access between the VLANs.
Pivnardo (asker):
Can you please provide an example? How can you restrict a specific IP (the WAN IP of the sub-network routers) from accessing the rest of the subnet but still allow uplinking?
Pivnardo - Please provide a specific problem you want resolved. Is the SonicWall running Standard or Enhanced IOS?
I would have one subnet on the LAN, the other on the OPT port, and configure rules under the Firewall option on the SonicWall. I have done this even with the old TZ170 running Standard IOS. Your focus should only be on traffic between the LAN and OPT interfaces.

There are 2 problems with using the OPT port. First, there are 2 sub-networks connected via additional routers, so the single OPT port does not solve the problem. Second, from what I have found, the SonicWall TZ-180W (built-in wireless) uses the OPT interface internally for the wireless. I have disabled the wireless and found that the OPT port still does not work as desired.

Here are the details:

Sonicwall LAN IP: 172.20.2.254
Subnet: 255.255.255.0
Network of interest: 172.20.2.0

Sub-Network 1:
WAN on Router: 172.20.2.250
LAN IP: 192.168.10.254
LAN Network: 192.168.10.254

Sub-Network 2:
WAN on Router: 172.20.2.251
LAN IP: 192.168.20.254
LAN Network: 192.168.20.254

As mentioned before, the networks are functioning as desired. The problem is that I would like to isolate them for security reasons so they cannot talk to each other, yet at the same time maintain the ability to uplink or receive Internet access.

I hope this helps.
The Sonicwall TZ-180 is running Standard OS
For a SonicWall, I would use different subnets for the following interfaces so I can control access with the firewall rules. I am not aware of SonicWall's ability to isolate ports... if I get what you are trying to achieve right.

Sonicwall LAN IP: 172.20.2.254
Sub-Network 1:
WAN on Router: 172.20.2.250
Sub-Network 2:
WAN on Router: 172.20.2.251

Your original question talked of a TZ190W??
Sorry. The main office has a TZ-190W. The office I am trying to fix is using a TZ-180W. Sorry about the confusion.

Is the last comment saying that I should use a different subnet on the routers, like 192.168.10.0/16 (255.255.0.0)? Does that help with the routing table manipulation or the firewall rules? If so, how?
Yes, use different subnets on the firewall for those networks. That way, the firewall can then be ROUTING between the networks, and that is when you have to control them using source [network] and destination [network], etc. For example, these are three different networks: 172.20.2.0/24, 172.20.3.0/24, 172.20.3.0/24. But what you currently have is just one network, where you do not need any routing to have one talk to another.

I believe I better understand your comments, Bokis. Please let me know if this sounds correct...
I still need a DHCP server on the 2 sub-networks to provide IPs for the dynamic computers (192.168.10.0, 192.168.20.0). However, if I disregard plugging in the WAN port at all on the sub-network routers, and just patch the SonicWall LAN to the LAN of the sub-network router, the advantage is that I would then have 3 different subnets' traffic on the SonicWall switch. Thus, routing rules could then be used to say 192.168.10.0 -> WAN IP of SonicWall to get Internet flowing!! Does this sound correct?
If that in fact would work, I am still confused about what the routing rules would look like to make sure that the 192.168.10.0 traffic cannot access 172.20.2.0 traffic.
I hope this sounds OK, because it seems to make more sense to me now.
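The exchange above (Bokis's point that the firewall can only apply source/destination rules to traffic it actually routes, and the asker's question of what rules would keep 192.168.10.0 away from 172.20.2.0) can be made concrete with a small model. The following is an added example written for this page, not SonicWall configuration and not code from any participant: it evaluates a first-match, default-deny rule base over the addresses given in the thread and contrasts the current double-NAT layout with a layout where the three networks are distinct subnets behind the firewall. The /24 masks on the two sub-networks, the rule set, and the "same segment is switched, not routed" shortcut are assumptions stated in the comments.

```python
"""First-match access-rule model over the thread's addresses (added example).

Assumptions: 192.168.10.0/24 and 192.168.20.0/24 for the sub-networks, a
default-deny rule base evaluated top-down, and that traffic between two hosts
on the same directly attached segment is switched at layer 2 and never reaches
the rule engine. None of this is SonicWall-specific configuration.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Segments named in the thread (the sub-network masks are an assumption).
SEGMENTS = {
    "LAN":  ipaddress.ip_network("172.20.2.0/24"),
    "SUB1": ipaddress.ip_network("192.168.10.0/24"),
    "SUB2": ipaddress.ip_network("192.168.20.0/24"),
}

# Router WAN addresses from the thread. In the double-NAT layout every packet
# leaving a sub-network is rewritten to its router's WAN address, and a host in
# the other sub-network is only reachable at that router's WAN address.
NAT_WAN = {
    "SUB1": ipaddress.ip_address("172.20.2.250"),
    "SUB2": ipaddress.ip_address("172.20.2.251"),
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Hypothetical rule base. Order matters: the narrow inter-segment denies must
# sit above the broad "to anywhere" allows, or the allows would match first.
RULES = (
    Rule("deny",  SEGMENTS["SUB1"], SEGMENTS["SUB2"]),
    Rule("deny",  SEGMENTS["SUB2"], SEGMENTS["SUB1"]),
    Rule("deny",  SEGMENTS["SUB1"], SEGMENTS["LAN"]),
    Rule("deny",  SEGMENTS["SUB2"], SEGMENTS["LAN"]),
    Rule("allow", SEGMENTS["SUB1"], ANY),   # Internet uplink for sub-network 1
    Rule("allow", SEGMENTS["SUB2"], ANY),   # Internet uplink for sub-network 2
    Rule("allow", SEGMENTS["LAN"],  ANY),   # main LAN keeps full access
)


def segment_of(addr):
    """Name of the firewall-side segment holding addr, or 'WAN' if none."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "WAN"


def decide(src, dst, rules=RULES):
    """Return 'switched', 'allow' or 'deny' for one flow.

    Same-segment flows return 'switched': the firewall's rule base is never
    consulted, which is why a single flat subnet cannot be isolated by rules.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if segment_of(src) == segment_of(dst) != "WAN":
        return "switched"
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"  # implicit default deny at the end of the rule base


def decide_double_nat(src, dst):
    """The asker's current layout: sub-network routers NAT to 172.20.2.x."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src = NAT_WAN.get(segment_of(src), src)
    dst = NAT_WAN.get(segment_of(dst), dst)
    return decide(src, dst)


if __name__ == "__main__":
    # Constructed sample flows; 8.8.8.8 stands in for "somewhere on the Internet".
    flows = [
        ("192.168.10.5", "192.168.20.7"),
        ("192.168.10.5", "172.20.2.10"),
        ("192.168.10.5", "8.8.8.8"),
        ("172.20.2.10", "172.20.2.254"),
    ]
    for s, d in flows:
        print(f"{s:>14} -> {d:<14} double-NAT: {decide_double_nat(s, d):<8} "
              f"routed subnets: {decide(s, d)}")
```

The point the model makes is the one Bokis raised: with both routers NATed into 172.20.2.0/24, a packet from sub-network 1 to the main LAN or to the other router arrives as 172.20.2.250 -> 172.20.2.x, which is same-segment traffic the switch forwards without ever consulting the rule base. Once the sub-networks are distinct subnets that the firewall routes, the deny rules above the uplink allows do the isolation, and no routing-table edits are needed beyond the default route to the WAN.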
ASKER CERTIFIED SOLUTION
Oliver
This solution is only available to members.
Thank you.

So I should still use the WAN interface of the sub-network routers, as long as their addresses are not the same as the SonicWall LAN?
Then just use the firewall access rules to isolate them?
So I would not need to touch the routing table in the SonicWall then?
Yes.
From what I saw, the firewall is not able to stop the access between the different network ranges on its switch. The router is too stupid (could also be the user) to allow manual modification of the routing tables.
Thank you for the help, but I think that I am limited by the firewall itself and the options that it has.
Thank you