Link to home
Start Free TrialLog in
Avatar of SterlingMcClung

asked on

Sonicwall TZ100W in Multitenant setup

I have a Sonicwall TZ100W that I am using to share an Internet with another office.  The ISP provides quasi static IP addresses(technically long lease DHCP addresses), so I have had to use two ports to get two WAN IP addresses, as both I and they have Small Business Servers.  I have been able to get the inbound services working, so my email comes to me and thiers to them, but to be able to do this I had to enable load balancing.  This means that both internal networks are sharing both external interfaces, but I would like to limit my computers to use one of the external IP addresses and the other network to use the other external IP address.  Is this possible?
Avatar of digitap
Flag of United States of America image

does the other office care to use your sonicwall or would they mind using a different firewall?  also, to clarify, you do have more than one public IP address?

if yes to both, then you can do this two ways.  you could put one of the interfaces on the sonicwall in transparent mode and let a linksys (or whatever) get one of the public IP addresses and your sonicwall to get one of the public IP addresses.


install a switch and connect the linksys (or whatever), sonicwall and internet router to it.  give your sonicwall a public IP address and the linksys a public IP address.

Avatar of Cas Krist
Cas Krist
Flag of Netherlands image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of SterlingMcClung


caskrist - that is exactly what I needed to do.  I had been trying to do this with the NAT policies, and it just was not working.  I created a route from my network to anywhere through my external address with a lower metric than the other rules, and now my network is only using that address.  I will create the route for the other office after hours just to make sure I don't interupt them.  I will wait until it succeeds before I assign points.

any feedback for my post?
The other office wants to use the security features of the sonicwall and yes I have more than one public IP address.  If I understand your solutions, they both mean that the other office does not get to take advantage of the sonicwall, which is not what I wanted.
one step at a time.  i just needed more clarification on the hardware layout potentials.

as long as you have more than one public IP bound to your WAN interface you can have two exchange servers on your private network.  i would put the other office on say, on X3 and your office say, on X0.  their switch goes to the X3 interface and your switch goes to the X0 interface.  run your public server wizard for exchange services and point each public IP to their respective private IP servers.  both subnets get the benefit of using the sonicwall.

then, go into your firewall rules and deny x3 <> x0.
It is not only about inbound traffic, but also for outbound traffic. Office 1 uses IP X.X.X.X for inbound and outbound traffic and Office 2 uses IP Y.Y.Y.Y for inbound and outbound traffic.
Caskrist is correct.  I already had the inbound services working properly, and if you notice in the original post, I mentioned that I had to DHCP the IP addresses, which means I can have the two external addresses on the same interface.  Here is the setup: (IPs changed)

X1 -
X2 - - connected to another router that has
X3 -
X4 -

Because I now had two WAN interfaces I had to enable load balancing.  Load balancing made it so that when I connected to websites from my network, sometimes I would use the address instead of being contrained to the address.

digitap, your solution is exactly what I would have done if I had real static IP addresses.  However, the load balancing, which was required due to the two WAN interfaces, caused the problems that I needed help with.
address objects can contain urls.  since you don't have static ip addresses, sign up for dyndns and use the url for your address object.  thoughts?
i'm still not sure on what your final solution was.  also, you didn't provide any network specifics until the very last post.  als, your lack of response to expert comments is quite frustrating.  good luck!
Thanks for the points.
I didn't provide network specifics at first, but I was will to give them upon request.  I did not respond to you at first, because caskrist's first response provided the solution to the problem.  The solution to the problem as caskrist suggested was to use a custom route, with a lower metric than the default routes, that directs the outbound traffic to the desired interface and external IP address based on the internal network it was coming from.  I realize that I did not provide complete details, but even after providing complete details, you gave suggestions that were completly off base to the stated problem.  I stated in the original post that my inbound services were working.  Why would I need dyndns addresses if my inbound services were working?  Why would I need dyndns addresses at all?  I have "static" IP addresses in the fact that they do not change but due to the security policies of my ISP, they make me DHCP the addresses.  The even allow me to customize the reverse lookup names for my "static" IP addresses.  Not sure why you are so upset that after I recieved the answer to my question, I told the expert that he gave me the answer I was looking for and did not respond to someone that did not provide any additional insight to my problem.  I was nice enough to give you information after having said that I would give the points to someone else, and you still did not provide anything new.  And I don't think that it is my responsibility as the person posing the question to make sure that the expert with over a million points understands what I needed to do to solve my problem.
here, http:#a34873294, i ask several questions.  you never respond to those questions until i inquire about my post here, http:#a34875923.  i understand that you were on DHCP, but you also mention static.  it was just confusing and, as such, i offer solutions for someone who's on DHCP.  my point here was etiquette.  experts take their time to offer you solutions and ignoring them is rude.

i don't care about the's not EVEN part of this equation.  as i read through here, you don't outline what you did to resolve the problem.  it appears that caskrist, although his suggestions were right on, provided you bits of information and you figured it out on your own without fleshing it out here.  the whole point being problem/resolution.  someone looking for a resolution with the same problem as yours needs to find out HOW to fix it.  this is never explained fully here.  your last post explains it and puts it all together.  perhaps i'm just a moron, but, as you said, someone with over 1 million points MUST know what he's talking about.

sorry to junk up your question with the drama.  certainly, there must have been a better way to approach this and i apologize for that.