
Multiple LAN IPs on a single interface on Sonicwall Appliance

tsukraw asked:
Hey Experts,
I am working on replacing a WatchGuard with a SonicWall and seem to have hit a roadblock I can't figure out.  On the WatchGuard I was able to have a primary IP, say 192.168.10.254, as the LAN IP.  But I was also able to have a secondary IP like 192.168.150.254.  I for the life of me cannot figure out how to do this.
There will be devices on the 192.168.10.254 network that get IPs from DHCP from a server, which should work fine.  But then there are devices that are statically configured with 192.168.150.x addresses and the gateway of 192.168.150.254 that cannot communicate at all with the SonicWall.

Any ideas or how-to on how to accomplish this?

What model Sonicwall & what SonicOS?  Are you using VLANs?

Author

Commented:
TZ210
Version 5.8.0.10

No Vlans.
Hmm, my experience is limited to the previous generation of appliances like 2040 and 3060.  

It appears to me that in order to accomplish what you are describing on the TZ210, you'd need to use VLANs.

Quoted from Here:

Virtual Local Area Networks (VLANs) can be described as a ‘tag-based LAN multiplexing technology’ because through the use of IP header tagging, VLANs can simulate multiple LAN’s within a single physical LAN. Just as two physically distinct, disconnected LAN’s are wholly separate from one another, so too are two different VLANs, however the two VLANs can exist on the very same wire. VLANs require VLAN aware networking devices to offer this kind of virtualization – switches, routers and firewalls that have the ability to recognize, process, remove and insert VLAN tags in accordance with the network’s design and security policies.

Maybe someone else will chime in with better info for you...
Yes, you would need to use VLANs. That kind of functionality was removed back during the switch from Standard to Enhanced OS for SonicWALL. What you are essentially doing with the Watchguard *is* VLANs, but without the tags. SonicWALL requires the tags.
Do you have an unused interface on the firewall that can be assigned to zone LAN?  That might work.

Author

Commented:
I will explain what I was doing and you guys can tell me the best way to accomplish it.  I am very new to SonicWall so I don't know many of its limits and strengths.

What I have is a VoIP phone at 192.168.150.10.
There was a VPN connection from my office to the 192.168.150.x subnet, which is at my house.  This allowed the VoIP phone to connect to my office, whereas nothing on my home personal network of 192.168.10.x could ever see anything at the office.
Yes, I do have an open interface on the SonicWall.  Would it be better to configure that interface as 192.168.150.254 and connect it to the same physical switch?  Again, this is my home network so I do not have a switch that handles VLANs, and my office is not located in the same room as the SonicWall so I cannot run a wire from the phone to the switch either...
I can't predict if that will work but it seems worth a try.  You might need to set up a static route between the two subnets on the firewall.
Top Expert 2010
Commented:
What you are asking is quite possible. I've done it before without the use of VLANs. See the Sonicwall KB below.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7711
Top Expert 2010

Commented:
Further, if you didn't want to change the subnet, then you'd use my solution above. However, you could use the available interface and use the subnet that the VoIP phone is using.

Author

Commented:
Ok so following the document you listed....

Example #1 Default NAT Mode with secondary subnet
1. Create Static ARP entry for the gateway address of secondary subnet on the LAN interface
2. Create address object for secondary subnet
3. Add static route for the secondary subnet

Step 1)
I would make a static ARP entry for 192.168.150.254 that has the MAC address that is associated with the 192.168.10.254 interface?
Top Expert 2010

Commented:
If you want the gateway to be different than the SonicWall, then you need to specify it. Otherwise, the .254 IP will bond to the SonicWall LAN interface as the gateway.

Author

Commented:
I want the gateway for the 192.168.10.x network to be 192.168.10.254
and the 192.168.150.x network to be 192.168.150.254
Top Expert 2010

Commented:
Cool. You should be able to use the default setting when creating the ARP entry.

Author

Commented:
OK, I have looked at this at least 10 times and I am almost positive I have it identical, but still no go... Do you see anything wrong?

ARP:
IP=192.168.150.254
Mac=Mac of X0
Published=YES

Routing:
Source=ANY
Destination=192.168.150.0/24
Service=ANY
Gateway=0.0.0.0
Interface=X0
Metric=20
Should the Gateway IP be 192.168.150.254?

Author

Commented:
Following the guide, they used 0.0.0.0, but I thought the same thing.  I tried it both ways and got the same result...
I hate shotgunning but what about 192.168.10.254?

Author

Commented:
Same thing.  Just tried with 192.168.10.254

Author

Commented:
OK, got it working....

What is the difference between address objects under Network and address objects under Firewall?
If I put it under Network / Address Objects:
192.168.150.0/255.255.255.255      Network LAN

If it is under Network it does not work.  If I put it in address objects under the Firewall tab, with the exact same settings, then change the routing destination to that one, it works just fine.  I am 100% positive they are identical.

So it is working now, but I am really curious why it doesn't work under the one.
Top Expert 2010

Commented:
Setting the gateway to 0.0.0.0 is indicating a default gateway on the sonicwall with 192.168.150.254 as the secondary IP address for the X0 interface.

That is unusual as they are identical. They place them in both places to make things easy. I wonder if perhaps you're encountering a bug within the firmware you are currently using. You might confirm your firmware is up to date.

So, to clarify, you were able to add the secondary IP subnet to your LAN interface? Have you been able to confirm proper function with your VoIP hardware?
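
The following is an added example, not part of the thread and not SonicWall tooling: a Python check that the three pieces of the secondary-subnet setup (static ARP entry, address object, static route) agree with each other, run on the values exactly as they were typed in the posts above. The function name and dict keys are hypothetical, and the thread does not confirm whether the 255.255.255.255 mask was what was actually configured or only how it was written in the post.

```python
import ipaddress

# Values as posted in the thread; the dict layout and key names are
# assumptions of this example, not SonicOS field names.
POSTED = {
    "arp_ip": "192.168.150.254",                        # static ARP entry on X0
    "route_dest": "192.168.150.0/24",                   # static route destination
    "address_object": "192.168.150.0/255.255.255.255",  # object as typed in the post
    "static_hosts": ["192.168.150.10"],                 # the VoIP phone
    "primary_ip": "192.168.10.254",                     # primary LAN IP
}


def check_secondary_subnet(arp_ip, route_dest, address_object,
                           static_hosts, primary_ip):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    gw = ipaddress.ip_address(arp_ip)
    dest = ipaddress.ip_network(route_dest)
    obj = ipaddress.ip_network(address_object)  # accepts address/netmask form

    # The address object used as the route destination should describe
    # the same network as the intended secondary subnet.
    if obj != dest:
        findings.append(f"address object {obj} differs from route destination {dest}")

    # The published ARP address must be a usable host inside the routed subnet.
    if gw not in dest:
        findings.append(f"ARP IP {gw} is outside route destination {dest}")
    elif gw in (dest.network_address, dest.broadcast_address):
        findings.append(f"ARP IP {gw} is the network or broadcast address of {dest}")

    # The primary LAN IP must not fall inside the secondary subnet.
    if ipaddress.ip_address(primary_ip) in dest:
        findings.append(f"primary IP {primary_ip} overlaps secondary subnet {dest}")

    # The gateway and every statically addressed device must be covered
    # by the address object, or a route built on it will not match them.
    for host in [arp_ip, *static_hosts]:
        if ipaddress.ip_address(host) not in obj:
            findings.append(f"{host} is not covered by address object {obj}")
    return findings


if __name__ == "__main__":
    for finding in check_secondary_subnet(**POSTED):
        print("FINDING:", finding)
```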