Sonicwall TZ 105 configuration for Multiple LANs

I have a new Sonicwall TZ 105 that I need to configure with multiple LANs.  This is a continuation of the following question now that I have settled on the Sonicwall for hardware:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Q_28204662.html

I would like some opinions as to whether or not the solution from the above question is the most ideal for the Sonicwall or if there is a better suited solution.  

I have spent a considerable amount of time reading through the Administrator’s Guide and watching tutorials so I do have a basic understanding of the device.  However, I’m looking for a basic outline of the steps I should take using Sonicwall specific language.
Asked by HankCash

Blue Street Tech commented:
Hi HankCash,

First off, great choice on the TZ 105 - it's a great firewall...one of the best in the market for the sizing & price.

So as @aarontomosky said in his post (http:Q_28204662.html#a39386090) put the Comcast modem into "bridge mode".

Then use PortShielding to separate & assign the ports to each subnet and zone respectively.

Here's how you do it:

Your Default PortShielding setup should be: X0 (LAN), X1 (WAN), X2-4 (LAN), W0 (WiFi (if available)). So we are going to utilize X2 as your new LAN2 or whatever you are going to call it.

Log in to the SonicWALL.

1. Unassign a PortShield Group

Go to Network > PortShield Groups
In the X2 name row click on Configure on the far right side.
Under PortShield Interface, select Unassigned.
Click OK.

2. Setup a New Interface

Go to Network > Interfaces
Click Add Interface...
This will popup the Add Interface dialogue box.
Zone: Create new Zone...
This will popup the Add Zone dialogue box.
Name: <type LAN2 or whatever you want to call it>
Security Type: Trusted
Select all the applicable Security Services you want to apply to this Zone.
Click OK.
Now you are back to the Add Interface dialogue box.
VLAN Tag: <10 or whatever you want...some like to match the same octet number e.g. 192.168.75.x, then they'd set this tag to 75>
Parent Interface: X2
Mode / IP Assignment: Static IP Mode
IP Address: <e.g. 192.168.75.x (this will be the Interface IP)>
Subnet Mask: 255.255.255.0 (depending on your IP class, etc.)
Comment: <any documenting, etc.>
Management: <select if you want to allow these services by default, e.g. HTTPS Management or Ping, etc.>
User Login: <you can leave unchecked for now.>

Now you have created a separate subnet and zone which are assigned to the X2 port. To protect the Zone & lock down the traffic to the Zone follow the steps below.

3. Lock Down Zones

Go to Firewall > Access Rules
You should find an Access Rule in the LAN > LAN2 Zone like this:
Action: Allow (*Change this to Deny)
From Zone: LAN
To Zone: LAN2
Service: Any
Source: Any
Destination: Any
Users Allowed: All
Schedule: Always on
Comment: <anything you want to document the rule>
Click OK.

Do the same for the LAN2 > LAN Access Rule. This will deny all traffic from LAN > LAN2 and LAN2 > LAN.

Let me know if you have any questions!
HankCash (author) commented:
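The layout described in the answer above (one LAN on X0, a second trusted zone on X2 with its own subnet, and the two Any/Any/Any rules between the zones flipped to Deny in step 3) can be sanity-checked before touching the firewall. The following Python model is an added example written for this page; it is not code from the thread, from SonicWall, or from any SonicOS API. The interface names, zone names, subnets and VLAN tag are constructed from the values used in the answer, and the "no matching rule means Deny" behaviour of `evaluate()` is a modelling assumption, not a statement about SonicOS defaults.

```python
"""Constructed model of a two-zone SonicWall layout and its inter-zone access rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str                       # e.g. "X2", or "X2:V1" for a VLAN sub-interface
    zone: str                       # e.g. "LAN", "LAN2", "WAN"
    network: str                    # interface address in CIDR form, e.g. "192.168.75.1/24"
    vlan_tag: Optional[int] = None  # VLAN tag from the Add Interface dialogue (assumed values)
    parent: Optional[str] = None    # parent physical interface, if this is a VLAN sub-interface


@dataclass
class AccessRule:
    action: str                 # "Allow" or "Deny"
    from_zone: str
    to_zone: str
    service: str = "Any"
    source: str = "Any"         # "Any" or a CIDR
    destination: str = "Any"    # "Any" or a CIDR


def overlapping_subnets(interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """Return pairs of interface names whose subnets overlap (a common multi-LAN misconfiguration)."""
    nets = [(i.name, ip_network(i.network, strict=False)) for i in interfaces]
    clashes = []
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a][1].overlaps(nets[b][1]):
                clashes.append((nets[a][0], nets[b][0]))
    return clashes


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "Any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules: List[AccessRule], from_zone: str, to_zone: str,
             service: str = "Any", src: str = "Any", dst: str = "Any") -> str:
    """First matching rule wins. No match is treated as Deny (modelling assumption)."""
    for r in rules:
        if r.from_zone != from_zone or r.to_zone != to_zone:
            continue
        if service != "Any" and r.service != "Any" and r.service != service:
            continue
        if src != "Any" and not _addr_matches(r.source, src):
            continue
        if dst != "Any" and not _addr_matches(r.destination, dst):
            continue
        return r.action
    return "Deny"


def lock_down_zones(rules: List[AccessRule], zone_a: str, zone_b: str) -> List[AccessRule]:
    """Step 3 of the answer: flip the default Any/Any/Any rules between two zones to Deny, both directions."""
    out = []
    for r in rules:
        is_pair = {r.from_zone, r.to_zone} == {zone_a, zone_b}
        if is_pair and (r.service, r.source, r.destination) == ("Any", "Any", "Any"):
            r = AccessRule("Deny", r.from_zone, r.to_zone)
        out.append(r)
    return out


# Constructed sample layout mirroring the answer (addresses are placeholders, not real hosts).
INTERFACES = [
    Interface("X0", "LAN", "192.168.1.1/24"),
    Interface("X1", "WAN", "203.0.113.2/30"),
    Interface("X2:V1", "LAN2", "192.168.75.1/24", vlan_tag=75, parent="X2"),
]

# Constructed starting rule set: trusted zones may reach each other and the WAN; WAN is blocked inbound.
DEFAULT_RULES = [
    AccessRule("Allow", "LAN", "WAN"),
    AccessRule("Allow", "LAN2", "WAN"),
    AccessRule("Allow", "LAN", "LAN2"),
    AccessRule("Allow", "LAN2", "LAN"),
    AccessRule("Deny", "WAN", "LAN"),
    AccessRule("Deny", "WAN", "LAN2"),
]


def verify_layout() -> dict:
    """Summarise the checks a practitioner would want before and after the step-3 lockdown."""
    locked = lock_down_zones(DEFAULT_RULES, "LAN", "LAN2")
    return {
        "subnet_clashes": overlapping_subnets(INTERFACES),
        "lan_to_lan2_before": evaluate(DEFAULT_RULES, "LAN", "LAN2"),
        "lan_to_lan2_after": evaluate(locked, "LAN", "LAN2"),
        "lan2_to_lan_after": evaluate(locked, "LAN2", "LAN"),
        "lan_to_wan_after": evaluate(locked, "LAN", "WAN"),
        "wan_to_lan2_after": evaluate(locked, "WAN", "LAN2"),
    }


if __name__ == "__main__":
    for key, value in verify_layout().items():
        print(f"{key}: {value}")
```

`lock_down_zones()` only rewrites the catch-all rules, so a narrower rule added later (for example one that permits a single service from LAN to LAN2) is left alone and still wins if it sits above the Deny, which is the ordering the answer relies on.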
Thank you.  I will get to trying this as soon as I can- today or tomorrow.  I will let you know how it goes.
HankCash (author) commented:
When I go through the setup that is outlined I don't have any access through the port, including pinging (which I assigned) or accessing the WMI.

If I configure the port directly (no VLAN), it works as I would expect.  I assume that I am missing a step after configuring the port with the VLAN.
Blue Street Tech commented:
What part are you having problems with exactly?
> When I go through the setup that is outlined I don't have any access through the port, including pinging (which I assigned) or accessing the WMI.
I don't know what this means? Are you talking about the Zone Interface configuration? If so, forget about access...we can assign whatever services you want to run here later after the config is complete.
> If I configure the port directly (no VLAN), it works as I would expect. I assume that I am missing a step after configuring the port with the VLAN.
What do you mean directly...through PortShielding? If so, you cannot assign a Zone that way...you have to follow the steps as I have laid them out.

What is the firmware version you are using?
HankCash (author) commented:
I'm sorry for the vague update.

The firmware is SonicOS Enhanced 5.8.1.6-3o.

I had no problem following your directions.  Upon completion of steps 1 & 2, I changed the IP of my PC to match the newly configured interface (X2:V1) and plugged the Ethernet into it, but I could not pass any traffic to/through the Sonicwall.  I didn't do step 3 yet.

After that didn't work, I configured a different interface (X3) by clicking on the "Edit" button on the "Interfaces" screen and configured the interface.  The difference vs. clicking the "Add Interface" button as you instruct is that it does not create a VLAN.  However, using this configuration I could ping the router, access the WMI and browse the internet.

Am I missing something that needs to be done to the VLAN configuration?
Blue Street Tech commented:
I see the issue. It should *not* be set up as a VLAN child under X2. It should be defined as X2. Also make sure you have a DHCP scope set up for X2 once you have changed it so it's a VLAN with no parent assigned to X2. Following my instructions, I'm not sure how you arrived at creating a VLAN under X2.

Let's back up a sec...

Were you able to un-assign X2 from the PortShield Group successfully? If yes, move on to the next question below otherwise, explain what happened.

Were you able to create a Zone (named LAN2 or something else) successfully? If yes, move on to the next question below otherwise, explain what happened.

Were you able to create an Interface successfully? If yes, move on to the next question below otherwise, explain what happened.

If it has failed for whatever reason at the Interface stage, just delete it. Deleting the Interface will not affect the PortShield Group un-assignment or the Zone itself.

Let me know how it goes!
HankCash (author) commented:
I seem to have it working without using VLANs.  Can anyone explain to me what the advantage, if any, there is to using VLANs?
Blue Street Tech commented:
I think you might be getting confused on the terminology here and may actually have it set up correctly.

Do me a favor, take a screenshot of your Network > PortShield Groups, Network > Zones & Network > Interfaces pages.

This way I will be able to see what you have configured and if it is correct!

P.S. by assigning a second LAN to the port you are creating a VLAN.
HankCash (author) commented:
Here are the screenshots of Interfaces and PortShield Group.

I am assigning each LAN to a distinct port.  Let me know if this is way off target.
[attachment: PortShield-Groups.jpg]
[attachment: Interfaces.jpg]
Blue Street Tech commented:
Good Job!
Assuming X2 & X3 are assigned to Engineering & NOC respectively (or flip-flopped)...it's PERFECT!

So now you have 1 LAN (X0) and 2 VLANs which are X2 & X3.

Traffic appears to be flowing on both VLANs too.

Let me know if you have any other questions. Thanks!
HankCash (author) commented:
Yes, I am able to browse from computers on each segment.  I also configured ports on each LAN/VLAN with rules to allow Terminal Services connections and those were successful as well.  

Thanks for your help.  Now I need to dial in the configuration for the needs of each LAN/VLAN.  More questions will probably follow.
Blue Street Tech commented:
You're welcome!

What type of configuration are you looking to do? Are you guys filtering outbound traffic?

How you have it set up is pretty straightforward. All traffic inbound should be blocked and all traffic outbound should be allowed by default. If you don't want each Zone to communicate with each other, I'd lock them down as described in section #3 here: http:#a39496851.

If the questions you have are more complex in nature I'd suggest setting up another question for them. If you let me know what the question is I can hop over to it and answer it there.
HankCash (author) commented:
Thanks again for all your help.
Blue Street Tech commented:
You're welcome...my pleasure! I'm glad I could help and thanks for the points.