jjspicoli

asked on

adding new external IP to sonicwall interface AND defining specific host

I have a network I inherited with an EOL Sonicwall TZ190; the external IP has been RBL'd due to some infected nodes on the LAN.

The ISP has informed me the client has 4 public IPs to use. What I want to do is add one of the unused IPs to the Sonicwall interface and create a rule/policy that will force all outbound traffic from the mail server to use the NEW CLEAN IP, and leave the rest of the LAN as is.

So it would be like this:

LAN IP 192.168.0.9 (mail server): outbound traffic via public IP = new.clean.ip
All other LAN outbound traffic via public IP = original.tainted.ip


I am also seeking this solution because there are already hundreds of rules, objects, policies, etc. in place that I would not care to redo.
Carl Dula

Follow the instructions in the following using SMTP. Be sure to look at and do the steps in the document referenced by "ALERT" first.

https://www.fuzeqna.com/sonicwallsandbox/ext/kbsearch.aspx?kbid=4535&keyword=force smtp
Yep, just a NAT policy where you set the translated source as the WAN IP you want. All you need is an address object (which you already have, since the mail server is accessible). I've done this with many things and it works great. Just use whatismyip.com from the mail server to test.

Side note: the old IP may be listed in any spam services or other things your mail server works with; try to identify and change those at the same time.
jjspicoli

ASKER

Once I create the new NAT policy for the mail server to send from the NEW IP, do I need to update my MX records to point to the new IP, or is the new NAT policy for outgoing traffic only?
You need to have your MX records point to the new IP if you want to use it for incoming mail as well.

Note that if you use SPF records you will need to change those to the new IP as well.

Also, make sure reverse DNS is set up for the new IP, since many sites use that to verify mail from the domain is really sent by the domain.
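To make the SPF and reverse-DNS points above concrete, here is an added example (mine, not from the thread) that checks whether a new egress IP is covered by a domain's SPF record and whether its reverse DNS is forward-confirmed, then shows the SPF edit that adds the new address. The SPF record, IPs and DNS answers are constructed inline so it runs offline; a real check would query DNS, and this version deliberately does not follow `include:` or `mx` mechanisms.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample data, not the thread's real domain or addresses.
OLD_IP = "203.0.113.10"   # stands in for original.tainted.ip
NEW_IP = "203.0.113.11"   # stands in for new.clean.ip
SPF_RECORD = "v=spf1 mx ip4:203.0.113.10 include:_spf.example.net -all"

# What PTR and forward (A) lookups would return after the NAT change but
# before DNS has been updated: the new IP has no PTR record yet.
PTR_RESULTS: Dict[str, Optional[str]] = {
    OLD_IP: "mail.example.com",
    NEW_IP: None,
}
A_RESULTS: Dict[str, Set[str]] = {
    "mail.example.com": {OLD_IP},
}


def spf_ip4_networks(record: str) -> List[ipaddress.IPv4Network]:
    """Collect the ip4: mechanisms of a v=spf1 record (include:/mx not followed)."""
    nets = []
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        mech = term.lstrip("+-~?")             # drop an explicit qualifier
        if mech.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets


def spf_covers(record: str, ip: str) -> bool:
    """True if ip falls inside any ip4: mechanism of the record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_ip4_networks(record))


def add_ip4_to_spf(record: str, ip: str) -> str:
    """Insert ip4:<ip> ahead of the terminal 'all' mechanism, once."""
    terms = record.split()
    new_term = f"ip4:{ip}"
    if new_term in terms:
        return record
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms.insert(i, new_term)
            return " ".join(terms)
    return " ".join(terms + [new_term])


def fcrdns_ok(ip: str, ptr: Dict[str, Optional[str]],
              forward: Dict[str, Set[str]]) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    name = ptr.get(ip)
    return bool(name) and ip in forward.get(name, set())


def egress_readiness(record: str, old_ip: str, new_ip: str,
                     ptr: Dict[str, Optional[str]],
                     forward: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Summarise what still has to change before mail leaves from new_ip."""
    return {
        "old_ip_in_spf": spf_covers(record, old_ip),
        "new_ip_in_spf": spf_covers(record, new_ip),
        "new_ip_fcrdns": fcrdns_ok(new_ip, ptr, forward),
    }


if __name__ == "__main__":
    print(egress_readiness(SPF_RECORD, OLD_IP, NEW_IP, PTR_RESULTS, A_RESULTS))
    print(add_ip4_to_spf(SPF_RECORD, NEW_IP))
```

With the constructed data the report shows the old address authorised and the new one neither in SPF nor with working reverse DNS, which is exactly the state a receiving server would see if the NAT policy went live before the DNS changes: mail from the new IP fails SPF and lacks FCrDNS even though the address itself is clean.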
That policy is outgoing only. To change the incoming, you should just edit the address object, probably called servername-public, to the new IP.
Also, this is not Enhanced OS.
Oh, I only use Enhanced OS, so I have no idea what the regular one looks like. Sorry.
ASKER CERTIFIED SOLUTION
Carl Dula

This solution is only available to members.
I have just found out that they have a second ISP connected to their OPT1 port on the Sonicwall.

I think, and correct me if I'm wrong, that it would be easiest and quickest to just "tell the Sonicwall to send outgoing traffic (SMTP port 25) from Exchange (192.168.0.9) via OPT1". This way I would not have to change MX records, only SPF and RDNS.

So how do I go about making that change without "breaking" anything?

Please excuse my lack of knowledge, but this is the first sonicwall I have ever dealt with, and having no technical support is no picnic.

Rest assured that this device will be retired ASAP, but in the interim I'm stuck.
Happy to report that my work-around worked. I was able to set the outbound SMTP traffic from the email server to use the second ISP IP address that was connected via the OPT port. I did this using the route policies in the Sonicwall.
What to do depends upon how the Sonicwall is configured.

I don't have a Sonicwall with the standard OS, so you may have to search a bit.

Under Network -> Routing look for anything that has a service of SMTP. Please report the Source, Destination, Service, Gateway and Interface for any that you find. Hopefully there will only be one.
Looks like you did it before I got to type the instructions. Nice work!
I still want to be able to add the second IP to the original interface, as I never actually resolved the issue the way I wanted to. I feel like I just got "lucky" that they happened to have a second ISP on the OPT port.

At the same time I don't want to "test / experiment" with someone's production environment.
Before you attempt to do that, I would consider the following.

1. Since the device is EOL, are you planning to replace it?
2. Is the RBL block on the IP or the domain? Either is possible.
3. With 4 IP addresses, are you sure the others aren't being used for something you might not be aware of? Sounds like you might be getting the info a piece at a time.

IMHO you should consider leaving the setup as is, unless there is some reason you do not want to use the second ISP for email.

If you really want to attempt to add a second address on the original ISP, you have all the info above to do it.

If you have more questions, please post back.