Solved

Add 2nd LAN Subnet to Sonicwall Enhanced

Posted on 2013-02-04
Last Modified: 2013-07-05
I have a Pro 2040 with Enhanced OS with the following setup:

Interface Settings



Name  Zone        IP Address      Subnet Mask      IP Assignment  Status                Comment
X0    LAN         10.0.0.1        255.255.255.0    Static         100 Mbps full-duplex  Default LAN
X1    WAN         70.166.xxx.114  255.255.255.252  Static         100 Mbps full-duplex  Only for incomin...
X2    WAN         99.72.xxx.145   255.255.255.248  Static         100 Mbps full-duplex  ATT DLS MODEM
X3    Unassigned  0.0.0.0         0.0.0.0          N/A            No link


I have an Asterisk server running on a separate LAN attached to a separate switch, attached to a DSL modem. I have been using that for phones only.

The Asterisk server has two NICs; one is set up for WAN / external IP, a static one.

The 2nd NIC is set up as internal. It uses the internal DHCP server on the same box to assign IP addresses to the phones.

I have this on the two NICs on the Asterisk box:

eth0  184.177.xxx.194
            255.255.255.224
Broadcast  184.177.85.223

eth1   192.168.1.4
          255.255.255.0
Broadcast  192.168.1.255

The DHCP server on the Asterisk box (FreePBX, PBIF) is set up as

Network address:   192.168.1.0   /  255.255.255.0

Add Range               192.168.1.100/254


         
I want to discard the DSL modem and attach this phone LAN to the X3 port on the Sonicwall.

I also intend to delete X2.

The new setup should be

X0, LAN
X1, WAN
X3, LAN

Now how do I go about doing this?

Thanks for your help.
0
Question by:Slider_ict
26 Comments
 

Author Comment

by:Slider_ict
ID: 38855585
Anyone? I have some rough idea how to do it and I am not even an expert :)
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38855646
You just assign x3 the ip/network you want
Add rules for x3 to wan
Add dhcp if you want
Run public server wizard if you need anything coming in to the asterisk
0
 

Author Comment

by:Slider_ict
ID: 38855690
Yes, you are right, that's the general idea I have, but I am not an expert when it comes to the details for Sonicwall.
For example, would x3 have the same IP, netmask and gateway as eth1, or?

What should I change in the Asterisk box, since its WAN address (eth0) will be terminating at x1, a new static address?

Things like that.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38855715
I'll have access to a sonicwall running enhanced 5.8 in a bit and I'll give you more details.
0
 

Author Comment

by:Slider_ict
ID: 38855745
Thanks
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38856235
ok, start at network->zones
make a new lan2 or whatever zone
network->interface
assign x3 to lan2, select "static ip" and check whatever ping and management options you want
this should make the appropriate address objects for lan2 network and lan2 primary ip (this is the gateway for stuff on this network)
The routing and firewall stuff may be automagically created for you, but if not, now you go to network->routing and make lan2->wan, and the same with firewall rules. If you want lan2-lan you can do that as well. If you have vpn or dmz stuff, you have to add those as well.
0
 

Author Comment

by:Slider_ict
ID: 38856268
For starters, would I use this info for eth1 for defining x3?

eth1   192.168.1.4
          255.255.255.0
Broadcast  192.168.1.255

If yes, then how would I define eth1 in the new setting?

Does that make sense?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38856300
yes

zone: lan2
mode/ip assignment: static ip mode
ip address: 192.168.1.4 (which is weird, usually it's 1.1 but that's what you have now so stick with it)
subnet mask: 255.255.255.0
it automatically does the broadcast, you don't have to set that.

then in network->dhcp server click add dynamic
range start:  192.168.1.100
range end:  192.168.1.254
default gateway:  192.168.1.4
subnet mask: 255.255.255.0
check interface prepopulate: lan2
also set your dns/wins stuff
if you need any dhcp options for your voip to work right, add those too
hit ok
0
 

Author Comment

by:Slider_ict
ID: 38856327
OK, after these settings I should disable the DHCP server in the Linux/Asterisk box?

What do I need to do for eth0? We have 100 static IP addresses coming in at the x1 WAN interface; I want to use one of these and tie it to the phone server.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38856384
I'd hold off on even plugging in the asterisk box to the sonicwall until you can test. But yes, you want to disable the asterisk dhcp server before plugging into a network with a dhcp server.

If you want to make the asterisk available from the internet, use the sonicwall public server wizard (top right corner of the screen). Just choose "web server" for the type and it will make all the address objects and rules you need. Then when it's done, go mess with the services group it created and remove the web stuff, and put in whatever services you want outward facing.
0
 

Author Comment

by:Slider_ict
ID: 38856432
OK, so I can set up the sonicwall without having to attach the asterisk yet?

Like I said, the phone system is on another LAN and has a separate switch, attached to a DSL modem.
When I am done, I am going to take that wire going into the DSL modem and attach it to x3?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 38856539
yes you can setup the sonicwall without affecting anything. Then I'd suggest plugging in a spare laptop (dhcp) to the x3 port and see if it gets the right range, can ping the sonicwall, can get to the internet, etc...

the problem with the cutover is that we are removing the gateway role from the asterisk, so you either need to give the asterisk a new ip (meh), or switch to the gateway being 1.1 and leave the asterisk as 1.4 (probably easier and better in the long run).
0
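The address clash raised in the reply above (X3 taking 192.168.1.4 while eth1 on the Asterisk box already holds it) can be caught before cutover by checking the plan on paper. This is an added example, not part of the original thread; `check_plan` and its data layout are hypothetical, and it assumes, as in the settings given above, that the DHCP default gateway is the firewall's own interface IP.

```python
import ipaddress

def check_plan(interfaces, dhcp_scopes, static_hosts):
    """Return a list of problems in a firewall addressing plan.

    interfaces:   {name: "ip/mask"}               firewall interface addresses
    dhcp_scopes:  {name: (first, last, gateway)}  one scope per interface
    static_hosts: {label: (interface name, ip)}   statically addressed devices
    """
    problems = []
    ifaces = {n: ipaddress.ip_interface(v) for n, v in interfaces.items()}

    # Subnets on different interfaces must not overlap, or routing is ambiguous.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} subnets overlap")

    scopes = {}
    for name, (first, last, gw) in dhcp_scopes.items():
        net = ifaces[name].network
        lo, hi, gw = (ipaddress.ip_address(x) for x in (first, last, gw))
        scopes[name] = (lo, hi)
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{name}: DHCP range is not inside {net}")
        # Assumption: clients route via the firewall, so gw must be its own IP.
        if gw != ifaces[name].ip:
            problems.append(f"{name}: DHCP gateway {gw} is not the interface IP")

    for label, (name, ip) in static_hosts.items():
        ip = ipaddress.ip_address(ip)
        if ip not in ifaces[name].network:
            problems.append(f"{label}: {ip} is outside the {name} subnet")
        if ip == ifaces[name].ip:
            problems.append(f"{label}: {ip} collides with the {name} interface IP")
        lo, hi = scopes.get(name, (ip + 1, ip))  # empty range when no scope exists
        if lo <= ip <= hi:
            problems.append(f"{label}: static {ip} is inside the DHCP range")
    return problems

# Values from the thread: X3 reuses 192.168.1.4, which eth1 already holds.
FIRST_PLAN = dict(
    interfaces={"X0": "10.0.0.1/255.255.255.0", "X3": "192.168.1.4/255.255.255.0"},
    dhcp_scopes={"X3": ("192.168.1.100", "192.168.1.254", "192.168.1.4")},
    static_hosts={"asterisk eth1": ("X3", "192.168.1.4")},
)

if __name__ == "__main__":
    for problem in check_plan(**FIRST_PLAN):
        print(problem)
```

Moving the X3 interface and the DHCP gateway to 192.168.1.1 while leaving the Asterisk box on 192.168.1.4, the second option in the reply, makes the same check return an empty list.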
 

Author Comment

by:Slider_ict
ID: 39246490
I have one more question, let me get some data first :(
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39246692
Sure, I'm still around :)
0
 

Author Comment

by:Slider_ict
ID: 39272001
Sorry, I have been busy with lots of other things :)

OK, here is the current scenario.

I have upgraded my fiber line to 20 MB, both up and down. I still have the cable modem as backup but I want to get rid of that; in the last 5 years our fiber line has gone down once for a little bit.

So I want to install a new PBX server on the same network as our regular LAN, which is 10.0.0.1; the default gateway, the sonicwall, is at 10.0.0.1.

I think I can add a second subnet in our Domain Controller, or maybe do it at the sonicwall?

Let me know how to proceed.

Thanks
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39272163
Definitely do it at the sonicwall as any traffic that goes from one subnet to the other has to go through a layer 3 device. Unless you have layer 3 switches, that means the sonicwall.

If your dc does dhcp and you want a dhcp scope for the other subnet then you need to add that there. That can get tricky so feel free to ask for help with that but you may want to start a new clear question when it's that time.
0
 

Author Comment

by:Slider_ict
ID: 39272172
I want to keep it simple. I have a switch that is only connected to phones and the PBX; can I add that to the unassigned X3 on the sonicwall?

Let's just proceed that way.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39272215
I would suggest setting up x3 as a different subnet, say 10.0.10.1 as the IP of the sonicwall for that interface (subnet mask 255.255.255.0). Name it lanvoip or something.

This allows you to easily set firewall rules to allow lanvoip to wan, and also allow something from your regular lan to talk to lanvoip if you need (say http or rdp to your voip server or something).

By keeping it off your lan, you keep the chatty phone broadcast traffic off your lan, and it's better security as well. Most people use vlans for this, but since you have a physically separate switch, no need to make it complicated.
0
 

Author Comment

by:Slider_ict
ID: 39272235
As a first step, I need to install the PBX server. Should I configure the sonicwall first and then install/set up this server, or install/set up on the regular LAN and then change it to work under the new subnet?

What about DNS and DHCP when configuring X3?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39272453
first setup sonicwall
then setup pbx server as 10.0.10.2 or something.

It's your choice to use the pbx for dhcp, I don't know the specific benefits of the sonicwall or the pbx doing dhcp.

if you use 10.0.10.1 as dns for the phones, that will use whatever the wan dns of the sonicwall is set to. if you want to use a dns server on 10.0.0.x you can do that too, just add the firewall rules.
0
 

Author Comment

by:Slider_ict
ID: 39276165
OK, I started on this. I have a switch connected to X3, with only two devices on that LAN.
One is the PBX server and the other one is an IP phone.

I had to turn on DHCP in the Sonicwall for X3; the network card was not working during installation of the PBX server. Here is what I did:
https://docs.google.com/a/arthritis-research.org/file/d/0B0ra3nAVsmOJWjAtZGN5ck9Kc2c/edit?usp=drivesdk

I added Google DNS servers, and also added our internal DNS server.

Now from the PBX server command line (it's a CentOS), I can ping internally, i.e. IP devices on the X0 LAN, using either IP address or hostname.

But I cannot ping outside; if I try to ping google.com I get this:

10.0.0.1 icmp-sq=1 redirect host (70.166.2XX.XXX)

10.0.0.1 is the default gateway on X0.

Where do I need to fix this so it works properly?

Thanks
0
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 39276706
network->zones make lanvoip
network->interfaces configure x3 to lanvoip
if you have internal dns, only use that. It should have root hints enabled.

Now that it's a different zone, you can configure the firewall to allow hitting your internal dns server and wan allowing ip and ports or whatever you need. Generally you don't give blanket access to your lan.

you will also have to modify your dhcp to hand out ip addresses on x3 subnet
0
 

Author Comment

by:Slider_ict
ID: 39302300
One more quick question: I assigned a public IP address of 70.xx.xx.xx to the PBX server in the LANVOIP zone and mapped it to the internal IP address of 10.0.10.233.
I need to register this machine with the service provider. Which IP address would I give the service provider: our public IP address of the WAN, or the one assigned to this machine?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39302449
You probably have more than one wan ip on your connection right? Generally you leave the main ip as the sonicwall and use your other wan ips to be forwarded to different devices like a pbx. Personally I make a LAN ip for my stuff and use the public server wizard to do the rest. I choose web server and then after it makes the groups and stuff just edit the address object group to have the services you want.
0
 

Author Comment

by:Slider_ict
ID: 39302656
We have more than one WAN IP, I think :)
Do you have a private email I can use to give me some information?
Or email me at mir@ndb.org
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39302825
You don't need to give me specifics. Put in your wan ip and subnet mask here
http://www.subnet-calculator.com/
0
