Sonicwall NSA 2400 Portshield

What happened to Portshield? We use the TZ series primarily, but recently purchased an NSA 2400 for our office. I need ports X2-X5 to be a separate LAN2 with a separate IP range. I do not want to use another switch to connect 3-4 servers together and then go through X2. I want to plug each server into X2, X3, X4 and X5, have them all be able to see each other, but NOT the LAN, and use the same gateway such as 192.168.50.1. Possible?
CUBLA1 Asked:

CUBLA1 Author Commented:
Ok the last part was confusing. I meant, they all need to share their own gateway 192.168.50.1 that is separate from the LAN. LAN gateway is 192.168.1.1 and LAN2 gateway will be 192.168.50.1. I cannot bridge more than two ports. Portshield seems to be gone. So how do I add member interfaces together to create a LAN2 off the sonicwall directly? This used to be easy!
convergint Commented:
There is no portshield on the NSA 2400 unfortunately and Sonicwall says that if you need more than two bridged interfaces you need to use transparent mode.  The stupid thing is that transparent mode is only for WAN bridging to the LAN subnets.  I might be missing something but it doesn't look like that will work in your case.  You could try configuring 192.168.50.1 to be a WAN port on X2 and then enable transparent mode on the rest of the interfaces.  In theory it should work but you would also need to open or disable the firewall on that X2 port to make it behave like a LAN port instead of a WAN port.  The transparent mode guide is here: http://kb.guru-corner.com/question.php?ID=297

However, you might be able to do this with routes and assigning each LAN2 port a static ip with a subnet mask of 30.  It is not pretty and I have no idea if it will actually work until you test it.

For example, you could assign the following:

X0 - LAN Zone - 192.168.1.1/24
X1 - WAN Zone
X2 - LAN2 Zone - 192.168.50.1/30 - assign server1 to ip address 192.168.50.2
X3 - LAN2 Zone - 192.168.50.5/30 - assign server2 to ip address 192.168.50.6
X4 - LAN2 Zone - 192.168.50.9/30 - assign server3 to ip address 192.168.50.10
X5 - LAN2 Zone - 192.168.50.13/30 - assign server4 to ip address 192.168.50.14

Then create new routes for X3, X4 and X5 to reach X2.

For example,
Source - X3 Subnet, Destination - X2 IP, Service - Any, Gateway - X2 IP, Interface - X2
Source - X4 Subnet, Destination - X2 IP, Service - Any, Gateway - X2 IP, Interface - X2
Source - X5 Subnet, Destination - X2 IP, Service - Any, Gateway - X2 IP, Interface - X2

It really seems silly that a simple thing like bridging more than two ports is not allowed and as far as I can tell there's no easy way like portshields/vlans on the NSA 2400.
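
The /30 plan from the answer above, checked with Python's `ipaddress` module. This is an added example, not part of the original thread, and the function and variable names are illustrative. It confirms that each interface and server address is a usable host in its own non-overlapping /30 and reports the gateway each server would use.

```python
import ipaddress

# Addressing plan copied from the answer: port -> (interface IP/prefix, server IP).
PLAN = {
    "X2": ("192.168.50.1/30", "192.168.50.2"),
    "X3": ("192.168.50.5/30", "192.168.50.6"),
    "X4": ("192.168.50.9/30", "192.168.50.10"),
    "X5": ("192.168.50.13/30", "192.168.50.14"),
}
LAN = ipaddress.ip_network("192.168.1.0/24")  # X0 subnet from the same plan


def check_plan(plan, lan=LAN):
    """Validate a per-port subnet plan; return (rows, problems)."""
    rows, problems, seen = [], [], {}
    for port, (iface_cidr, server_ip) in plan.items():
        iface = ipaddress.ip_interface(iface_cidr)
        server = ipaddress.ip_address(server_ip)
        net = iface.network
        usable = set(net.hosts())  # excludes network and broadcast addresses
        if iface.ip not in usable:
            problems.append(f"{port}: {iface.ip} is not a usable host in {net}")
        if server not in usable or server == iface.ip:
            problems.append(f"{port}: server {server} cannot sit behind {iface}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{port}: {net} overlaps {other} ({other_net})")
        if net.overlaps(lan):
            problems.append(f"{port}: {net} overlaps the LAN {lan}")
        seen[port] = net
        rows.append({"port": port, "network": str(net),
                     "gateway": str(iface.ip), "server": str(server)})
    return rows, problems


def shares_subnet(plan, port_a, port_b):
    """True if port_b's server address falls inside port_a's subnet."""
    net_a = ipaddress.ip_interface(plan[port_a][0]).network
    return ipaddress.ip_address(plan[port_b][1]) in net_a


if __name__ == "__main__":
    rows, problems = check_plan(PLAN)
    for row in rows:
        print("{port}: {network}  gateway {gateway}  server {server}".format(**row))
    print("problems:", problems or "none")
    print("X2 and X3 servers share a subnet:", shares_subnet(PLAN, "X2", "X3"))
```

Because no two servers share a subnet in this plan, traffic between them is routed by the firewall rather than switched, and each server's default gateway is the interface address on its own port.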

CUBLA1 Author Commented:
I agree with everything you wrote and had pretty much come to the same solution / conclusion. I find it dirty and unnecessarily complicated. Why in the world would they take something so simple away? It works great on the TZ series! I see on the NSA it still has the column for "members" yet doesn't allow you to actually assign members to zones?? I would love to know their reasoning behind removing this option for this model. Is this all NSA's? For a firewall that is three times the cost of a TZ you would think it would protect against STD's!! Never would I have thought it wouldn't provide a service already being offered with lesser models. I must say I've been using Sonicwall for 20 years and this is the first time I'm actually disappointed. I'll wait a day or so before awarding points just to make sure someone doesn't come along smarter than the two of us. Anybody?  By the way, I have a few clients using NSA 240's and they have the Portshield option. Older model? Firmware fubar?
convergint Commented:
I've been using them for over 7 years and still love them but I'm lucky in that I have layer 3 Procurve switches behind the Sonicwall where I can do whatever I want.

It looks like more of a marketing decision in that they probably feel that anyone able to purchase an NSA 2400 and higher would be an enterprise client and would typically have L3 switches at their disposal.  To be honest, I really miss our Pro 1260s, they were perfect for our smaller offices with the 24 LAN ports that could be portshielded.
Blue Street Tech Last Knight Commented:
Just an FYI... PortShielding Groups exist!!! Several months back SonicWALL released PortShielding in their 6.1 SonicOS leg for NSA appliances plus a bunch of other cool items like Switching, VLAN trunking, L2 Discovery, Link Aggregation and Port Mirroring to name a few...!