Solved

Sonicwall TZ100W in Multitenant setup

Posted on 2011-02-10
1,141 Views
Last Modified: 2012-05-11
I have a Sonicwall TZ100W that I am using to share an Internet connection with another office.  The ISP provides quasi-static IP addresses (technically long lease DHCP addresses), so I have had to use two ports to get two WAN IP addresses, as both I and they have Small Business Servers.  I have been able to get the inbound services working, so my email comes to me and theirs to them, but to be able to do this I had to enable load balancing.  This means that both internal networks are sharing both external interfaces, but I would like to limit my computers to use one of the external IP addresses and the other network to use the other external IP address.  Is this possible?
Question by:SterlingMcClung
13 Comments
LVL 33

Expert Comment

by:digitap
does the other office care to use your sonicwall or would they mind using a different firewall?  also, to clarify, you do have more than one public IP address?

if yes to both, then you can do this two ways.  you could put one of the interfaces on the sonicwall in transparent mode and let a linksys (or whatever) get one of the public IP addresses and your sonicwall to get one of the public IP addresses.

OR

install a switch and connect the linksys (or whatever), sonicwall and internet router to it.  give your sonicwall a public IP address and the linksys a public IP address.


thoughts?
LVL 6

Accepted Solution

by:caskrist (earned 500 total points)
I think it can be done with sonicos enhanced with route policies. You can force traffic coming from a specified lan subnet to go out through the "secondary default gateway" for example. It is worth a shot.
LVL 7

Author Comment

by:SterlingMcClung
caskrist - that is exactly what I needed to do.  I had been trying to do this with the NAT policies, and it just was not working.  I created a route from my network to anywhere through my external address with a lower metric than the other rules, and now my network is only using that address.  I will create the route for the other office after hours just to make sure I don't interrupt them.  I will wait until it succeeds before I assign points.

LVL 33

Expert Comment

by:digitap
any feedback for my post?
LVL 7

Author Comment

by:SterlingMcClung
The other office wants to use the security features of the sonicwall and yes I have more than one public IP address.  If I understand your solutions, they both mean that the other office does not get to take advantage of the sonicwall, which is not what I wanted.
LVL 33

Expert Comment

by:digitap
one step at a time.  i just needed more clarification on the hardware layout potentials.

as long as you have more than one public IP bound to your WAN interface you can have two exchange servers on your private network.  i would put the other office on say, 192.168.1.0/24 on X3 and your office say, 192.168.2.0/24 on X0.  their switch goes to the X3 interface and your switch goes to the X0 interface.  run your public server wizard for exchange services and point each public IP to their respective private IP servers.  both subnets get the benefit of using the sonicwall.

then, go into your firewall rules and deny x3 <> x0.
LVL 6

Expert Comment

by:caskrist
It is not only about inbound traffic, but also for outbound traffic. Office 1 uses IP X.X.X.X for inbound and outbound traffic and Office 2 uses IP Y.Y.Y.Y for inbound and outbound traffic.
LVL 7

Author Comment

by:SterlingMcClung
Caskrist is correct.  I already had the inbound services working properly, and if you notice in the original post, I mentioned that I had to DHCP the IP addresses, which means I can have the two external addresses on the same interface.  Here is the setup: (IPs changed)

X1 - 4.2.2.1
X2 - 192.168.50.2 - connected to another router that has 4.2.2.2
X3 - 192.168.5.1
X4 - 192.168.10.1

Because I now had two WAN interfaces I had to enable load balancing.  Load balancing made it so that when I connected to websites from my network, sometimes I would use the 4.2.2.1 address instead of being constrained to the 4.2.2.2 address.

digitap, your solution is exactly what I would have done if I had real static IP addresses.  However, the load balancing, which was required due to the two WAN interfaces, caused the problems that I needed help with.
LVL 33

Expert Comment

by:digitap
address objects can contain urls.  since you don't have static ip addresses, sign up for dyndns and use the url for your address object.  thoughts?
LVL 33

Expert Comment

by:digitap
i'm still not sure on what your final solution was.  also, you didn't provide any network specifics until the very last post.  also, your lack of response to expert comments is quite frustrating.  good luck!
LVL 6

Expert Comment

by:caskrist
Thanks for the points.
LVL 7

Author Comment

by:SterlingMcClung
I didn't provide network specifics at first, but I was willing to give them upon request.  I did not respond to you at first, because caskrist's first response provided the solution to the problem.  The solution to the problem as caskrist suggested was to use a custom route, with a lower metric than the default routes, that directs the outbound traffic to the desired interface and external IP address based on the internal network it was coming from.  I realize that I did not provide complete details, but even after providing complete details, you gave suggestions that were completely off base to the stated problem.  I stated in the original post that my inbound services were working.  Why would I need dyndns addresses if my inbound services were working?  Why would I need dyndns addresses at all?  I have "static" IP addresses in the fact that they do not change but due to the security policies of my ISP, they make me DHCP the addresses.  They even allow me to customize the reverse lookup names for my "static" IP addresses.  Not sure why you are so upset that after I received the answer to my question, I told the expert that he gave me the answer I was looking for and did not respond to someone that did not provide any additional insight to my problem.  I was nice enough to give you information after having said that I would give the points to someone else, and you still did not provide anything new.  And I don't think that it is my responsibility as the person posing the question to make sure that the expert with over a million points understands what I needed to do to solve my problem.
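Added example (not from the thread or from SonicWall): a small Python model of the route-policy selection caskrist suggested and the author describes above, using the interface layout posted earlier (X1/X2 as the two WAN paths with 4.2.2.1 and 4.2.2.2, X3/X4 as the two office LANs). The round-robin tie-break for the equal-metric default routes, the office-to-WAN pinning map and the destination 198.51.100.7 are assumptions of the model, not SonicOS behaviour; it shows why load balancing alone lets an office leave on either public IP and how a lower-metric source-based route pins it.

```python
import ipaddress

# Constructed model of the thread's TZ100W layout (addresses as changed in the post):
# X1/X2 are the two WAN paths, X3/X4 the two offices' LAN interfaces.
ANY = ipaddress.ip_network("0.0.0.0/0")
LANS = {"X3": ipaddress.ip_network("192.168.5.0/24"),
        "X4": ipaddress.ip_network("192.168.10.0/24")}
WAN_IP = {"X1": "4.2.2.1", "X2": "4.2.2.2"}
PIN = {"X3": "X1", "X4": "X2"}   # assumed: which WAN each office should be held to

def route_table(pin_offices):
    """Policies as (src_net, dst_net, egress, metric); lower metric wins.
    Connected routes keep LAN-to-LAN traffic off the WAN. The two equal-metric
    default routes model the load-balanced WAN pair. With pin_offices=True the
    per-office custom routes caskrist described are added at a lower metric."""
    table = [(ANY, net, iface, 1) for iface, net in LANS.items()]
    table += [(ANY, ANY, wan, 20) for wan in WAN_IP]
    if pin_offices:
        table += [(LANS[lan], ANY, wan, 10) for lan, wan in PIN.items()]
    return table

def select_egress(table, src, dst, flow_id=0):
    """Return (egress interface, public IP the destination sees) for one flow.
    Among matching policies the lowest metric wins; equal metrics are spread
    round-robin by flow_id, which is how the load balancing shows up here."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in table if src_ip in p[0] and dst_ip in p[1]]
    if not matches:
        return None
    best = min(p[3] for p in matches)
    ties = [p[2] for p in matches if p[3] == best]
    egress = ties[flow_id % len(ties)]
    public = WAN_IP.get(egress)  # None for a connected route: no WAN, no NAT
    return egress, public

def exits_via(table, src, dst, flows=4):
    """Set of public IPs a host's flows leave on; one entry means it is pinned."""
    return {select_egress(table, src, dst, f)[1] for f in range(flows)}

if __name__ == "__main__":
    for pinned in (False, True):
        t = route_table(pinned)
        print("pinned" if pinned else "load balanced only",
              exits_via(t, "192.168.5.10", "198.51.100.7"),
              exits_via(t, "192.168.10.10", "198.51.100.7"))
```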
LVL 33

Expert Comment

by:digitap
here, http:#a34873294, i ask several questions.  you never respond to those questions until i inquire about my post here, http:#a34875923.  i understand that you were on DHCP, but you also mention static.  it was just confusing and, as such, i offer solutions for someone who's on DHCP.  my point here was etiquette.  experts take their time to offer you solutions and ignoring them is rude.

i don't care about the points...it's not EVEN part of this equation.  as i read through here, you don't outline what you did to resolve the problem.  it appears that caskrist, although his suggestions were right on, provided you bits of information and you figured it out on your own without fleshing it out here.  the whole point being problem/resolution.  someone looking for a resolution with the same problem as yours needs to find out HOW to fix it.  this is never explained fully here.  your last post explains it and puts it all together.  perhaps i'm just a moron, but, as you said, someone with over 1 million points MUST know what he's talking about.

sorry to junk up your question with the drama.  certainly, there must have been a better way to approach this and i apologize for that.