How to create the security of a VLAN with routing rules or firewall rules on a SonicWall

Pivnardo
I currently have 2 standard routers plugged into LAN ports of a Sonicwall TZ-190W.
They have static LAN IPs set up for their WANs. The sub-networks work just fine being double NATed. The problem is that the networks can talk to each other. Is there a way to separate the networks, like with a VLAN?

There is not much you can change in the router.  I was looking for rules that could be created in the firewall.  Or perhaps modifying the routing rules of the Sonicwall gateway device.  
The firewall also has an OPT port and 1-to-1 translation. I was not able to get them to work. I understand that the "W" model does not support the use of the OPT interface. I have disabled the wireless feature of the router. It did not help.

Thank you for any direction or answers you can provide.  Much appreciated :-)
You can define access rules in the firewall to restrict access between the vlans.

Author

Commented:
Can you please provide an example? How can you restrict a specific IP (the WAN IP of the sub-network routers) from accessing the rest of the subnet but still allow uplinking?
Oliver TANGIRI, Network Engineer

Commented:
Pivarnado - Please provide a specific problem you want resolved. Is the Sonicwall running standard or enhanced IOS?
I would have one subnet on the LAN, the other in the OPT port and configure rules under the Firewall option on the sonicwall.  I have done this even with the old TZ170 running standard IOS.  Your focus should only be on traffic between LAN and OPT interface.
Author

Commented:
2 problems using the OPT port. First, there are 2 sub-networks connected via additional routers. Thus, the single OPT port does not solve the problem. Second, from what I have found ... the Sonicwall TZ-180W (built-in wireless) uses the OPT interface internally for the wireless. I have disabled the wireless and found that the OPT port still does not work as desired.

Here are the details:

Sonicwall LAN IP: 172.20.2.254
Subnet: 255.255.255.0
Network of interest: 172.20.2.0

Sub-Network 1:
WAN on Router: 172.20.2.250
LAN IP: 192.168.10.254
LAN Network: 192.168.10.254

Sub-Network 2:
WAN on Router: 172.20.2.251
LAN IP: 192.168.20.254
LAN Network: 192.168.20.254

As mentioned before, the networks are functioning as desired. The problem is I would like to isolate them for security reasons so they cannot talk to each other, yet at the same time maintain the ability to uplink or receive Internet access.

I hope this helps.

Author

Commented:
The Sonicwall TZ-180 is running Standard OS
Oliver TANGIRI, Network Engineer

Commented:
For a Sonicwall, I would use different subnets for the following interfaces so I can control access with the firewall rules. I am not aware of Sonicwall's ability to isolate ports... if I get what you are trying to achieve right.

Sonicwall LAN IP: 172.20.2.254
Sub-Network 1:
WAN on Router: 172.20.2.250
Sub-Network 2:
WAN on Router: 172.20.2.251

Your original question talked of a TZ190W?

Author

Commented:
Sorry. The main office has a TZ-190W. The office I am trying to fix is using a TZ-180W. Sorry about the confusion.

Is the last comment saying that I should use a different subnet on the routers, like 192.168.10.0/16 (255.255.0.0)? Does that help with the routing table manipulation or the firewall rules? If so, how?
Oliver TANGIRI, Network Engineer

Commented:
Yes, use different subnets on the firewall for those networks. That way, the firewall can then be ROUTING between the networks, and that is when you have to control them using source[network] and destination[network], etc. For example, these are three different networks - 172.20.2.0/24, 172.20.3.0/24, 172.20.3.0/24 - but what you currently have is just one network, where you do not need any routing to have one talk to another.

Author

Commented:
I believe I better understand your comments, Bokis. Please let me know if this sounds correct ...
I still need a DHCP server on the 2 sub-networks to provide IPs for the dynamic computers (192.168.10.0, 192.168.20.0). However, if I disregard plugging in the WAN port of the sub-network routers at all, and just patch the Sonicwall LAN to the LAN of the sub-network router, the advantage is that I would then have 3 different subnets' traffic on the Sonicwall switch. Thus, routing rules could then be used to say 192.168.10.0 -> WAN IP of Sonicwall to get Internet flowing! Does this sound correct?
If that in fact would work, I am still confused what the routing rules would look like to make sure that the 192.168.10.0 traffic cannot access 172.20.2.0 traffic.
I hope this sounds OK because it seems to make more sense to me now.
Network Engineer
Commented:
So long as you have different subnets [which are LANs to the Sonicwall] acting as WANs to the routers of the 192.168.X.Y networks, you will be able to manipulate access using the Sonicwall rules.
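The point made in the last two expert replies, that the firewall can only filter traffic it actually routes between its own subnets, is illustrated by this added Python model (it is not from the thread or from SonicWall). It assumes the router WANs are moved to 172.20.3.0/24 and 172.20.4.0/24 with addresses 172.20.3.250 and 172.20.4.251, and treats any destination outside the firewall's interface subnets as the Internet.

```python
from ipaddress import ip_address, ip_network

# Constructed topology based on the thread: today both router WANs sit in the
# SonicWall's single LAN subnet; the proposal gives each its own subnet.
CURRENT_INTERFACES = [ip_network("172.20.2.0/24")]
PROPOSED_INTERFACES = [
    ip_network("172.20.2.0/24"),  # main office LAN
    ip_network("172.20.3.0/24"),  # sub-network 1 router WAN (assumed)
    ip_network("172.20.4.0/24"),  # sub-network 2 router WAN (assumed)
]
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("172.20.0.0/16")  # aggregate of all firewall-side subnets

def attached_network(ip, interfaces):
    """Return the firewall interface subnet containing ip, or None (Internet)."""
    return next((net for net in interfaces if ip in net), None)

def traverses_firewall(src, dst, interfaces):
    """Only traffic between different interface subnets is routed by the
    firewall; hosts in one subnet reach each other directly at layer 2."""
    return attached_network(src, interfaces) != attached_network(dst, interfaces)

def evaluate(src, dst, interfaces, rules):
    """'bypass' if the firewall never sees the packet, otherwise the action of
    the first matching (src_net, dst_net, action) access rule; default deny."""
    src, dst = ip_address(src), ip_address(dst)
    if not traverses_firewall(src, dst, interfaces):
        return "bypass"
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

# Access rules for the proposed layout: each router subnet is blocked from every
# internal subnet, then everything else (Internet-bound traffic) is allowed.
PROPOSED_RULES = [
    (ip_network("172.20.3.0/24"), INTERNAL, "deny"),
    (ip_network("172.20.4.0/24"), INTERNAL, "deny"),
    (ANY, ANY, "allow"),
]

if __name__ == "__main__":
    # Current layout: the two router WANs share a subnet, so no rule can apply.
    print(evaluate("172.20.2.250", "172.20.2.251", CURRENT_INTERFACES, PROPOSED_RULES))
    # Proposed layout: router-to-router and router-to-main-LAN are denied,
    # while Internet access from each router is still allowed.
    print(evaluate("172.20.3.250", "172.20.4.251", PROPOSED_INTERFACES, PROPOSED_RULES))
    print(evaluate("172.20.3.250", "172.20.2.10", PROPOSED_INTERFACES, PROPOSED_RULES))
    print(evaluate("172.20.4.251", "8.8.8.8", PROPOSED_INTERFACES, PROPOSED_RULES))
```

Note that the final allow rule still permits the main LAN to reach the router WANs; if that direction must also be blocked, it needs its own deny rule ahead of the catch-all.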

Author

Commented:
Thank you.

So I should still use the WAN interface of the sub-network routers as long as their addresses are not the same as the Sonic LAN?
Then just use the firewall access rules to isolate them?
So I would not need to touch the routing table in the Sonicwall then?
Oliver TANGIRI, Network Engineer

Commented:
Yes.

Author

Commented:
From what I saw, the firewall is not able to stop the access between the different network ranges on its switch. The router is too stupid (could also be the user) to allow manual modification of the routing tables.
Thank you for the help, but I think that I am limited by the firewall itself and the options that it has.

Author

Commented:
Thank you
