Solved

Zone based network with DMZ, Sonicwall TZ205, 2Wire 3800 HGV, Netgear WNDR 3700

Posted on 2014-03-04
1,149 Views
Last Modified: 2014-03-14
I have an established network scheme that I needed to add a DMZ zone to for gaming purposes (Xbox, PS4, etc.) due to NAT policy issues I was having with the Xbox 360. I have a Sonicwall TZ 205 behind a 2Wire 3800 HGV-B and everything is able to access the WAN, but none of the devices can see one another. I have a media server (Synology DS213) that I would like to stream movies from, but neither the Xbox nor the PS4 can communicate with it. When I try to scan the network for computers from the Xbox, the Synology comes up in the list, but I cannot connect. I also have a WNDR 3700 set up as a wireless access point with the same issue.

My Lan is using port / zone X0 on the sonicwall with the 192.168.1.xx scheme. Subnet mask 255.255.255.0

My DMZ is using port / zone X2 on the sonicwall with the 10.10.0.xx scheme. Subnet mask 255.255.255.0

The WNDR is plugged in to a switch which is on the X0 zone but is using 10.0.0.1. Subnet mask 255.255.0.0

The Synology is on the X0 zone as well with a 192.168.1.xx scheme.

Maybe it's just that the subnet masks are conflicting or class A networks cannot communicate with class C networks. Or... maybe I just have it hosed up.

The 2Wire has its own firewall that I cannot turn off and has a DMZplus zone set up for the WAN IP.

Any help that could be provided would be fantastic.

Thank you,

Shawn
26 Comments
 

Author Comment

by:qmeshawn
ID: 39904925
I have been doing some more research and it seems that I may be able to bypass creating a DMZ in the 2Wire, but I need a public IP for my Sonicwall. Make sense?
 

Author Comment

by:qmeshawn
ID: 39908118
I am willing to provide screen shots and more detail if that is what is causing the lack of response.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39912772
To leave a subnet/mask, the traffic goes to a layer 3 device (the Sonicwall). However, since the Sonicwall doesn't know about one of your X0 subnets (you have two), it can't help.

If you set up all the subnets on interfaces in the Sonicwall individually, then you can communicate across them. However, Xbox and some other things rely on multicast, which is another few steps to get working across zones.
 
LVL 30

Expert Comment

by:masnrock
ID: 39915221
None of your subnets conflict in terms of the IP addresses. Did you make sure that the subnets are allowed to communicate with each other? I'd also set up the third subnet on the Sonicwall rather than on the switch.
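The two expert comments above (the Sonicwall can only route between subnets it has an interface on, and none of the three subnets overlap) can be checked mechanically. The script below is an added example, not code from the thread or from SonicWall: it models the three subnets exactly as the question gives them, checks them for overlap, and does a longest-prefix lookup against the firewall's connected interfaces to show why 192.168.1.x to 10.0.0.x traffic goes nowhere while the same lookup succeeds once the WNDR's subnet is given its own interface. The host addresses and the interface name `X3` used for the fix are assumptions; the real fix also needs the WNDR's LAN cabled or VLAN'd to that interface.

```python
"""Added example: model the question's subnets and show which hosts the
SonicWall can actually route between. Subnet values come from the thread;
host addresses and the 'X3' interface used for the fix are assumed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Interfaces the firewall knows about, as described in the question.
SONICWALL_INTERFACES: Dict[str, IPNet] = {
    "X0": ipaddress.ip_network("192.168.1.0/24"),   # LAN
    "X2": ipaddress.ip_network("10.10.0.0/24"),     # DMZ
}
# The WNDR hangs off the X0 switch but addresses its clients from
# 10.0.0.0/16, which is NOT configured on any firewall interface.
WNDR_SUBNET: IPNet = ipaddress.ip_network("10.0.0.0/16")


def overlapping_pairs(nets: Dict[str, IPNet]) -> List[Tuple[str, str]]:
    """Return every pair of named subnets whose address ranges overlap.
    Classful labels (A/B/C) play no part; only prefix ranges matter."""
    items = list(nets.items())
    found = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                found.append((name_a, name_b))
    return found


def connected_interface(fw: Dict[str, IPNet], ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the firewall's connected networks.
    None means the firewall has no interface on that subnet."""
    addr = ipaddress.ip_address(ip)
    best: Optional[str] = None
    for name, net in fw.items():
        if addr in net and (best is None or net.prefixlen > fw[best].prefixlen):
            best = name
    return best


def path(fw: Dict[str, IPNet], src: str, dst: str) -> str:
    """Classify how the firewall would handle a packet from src to dst."""
    s = connected_interface(fw, src)
    d = connected_interface(fw, dst)
    if s is None:
        return f"source {src} is on no firewall interface: no return route exists"
    if d is None:
        return f"no connected route to {dst}: falls to the default route toward WAN"
    if s == d:
        return f"same subnet on {s}: delivered at layer 2, firewall not involved"
    return f"routed {s} -> {d}: works only if the {s}->{d} zone rule permits it"


def with_wndr_interface(fw: Dict[str, IPNet]) -> Dict[str, IPNet]:
    """The suggested fix: give the WNDR subnet its own firewall interface
    (assumed name X3) so the firewall can route to it."""
    fixed = dict(fw)
    fixed["X3"] = WNDR_SUBNET
    return fixed


if __name__ == "__main__":
    everything = {**SONICWALL_INTERFACES, "WNDR": WNDR_SUBNET}
    print("overlapping subnets:", overlapping_pairs(everything) or "none")
    # Assumed hosts: Synology on X0, a wireless client behind the WNDR, a DMZ box.
    for src, dst in [("192.168.1.20", "10.0.0.50"),
                     ("192.168.1.20", "10.10.0.7"),
                     ("192.168.1.20", "192.168.1.30")]:
        print(f"{src} -> {dst}: {path(SONICWALL_INTERFACES, src, dst)}")
    print("after adding X3:", path(with_wndr_interface(SONICWALL_INTERFACES),
                                   "192.168.1.20", "10.0.0.50"))
```

The overlap check comes back empty, which is masnrock's point; the lookup for a 10.0.0.x destination returns no connected interface, which is Aaron's. Once the WNDR subnet is on its own interface the same lookup becomes a normal inter-zone route, subject to the access rule between those zones.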
 

Author Comment

by:qmeshawn
ID: 39929946
I actually changed the DMZ zone on X2 to use the 192.168.2.X scheme, and forwarded all of the ports listed in this knowledge base article:

https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3956

And I still get moderate NAT on the DMZ and get kicked out of Xbox Live consistently. I am currently using the U-verse internet service, which causes a "router behind a router" scenario, and thought that maybe that was the culprit, so I actually had Comcast cable internet installed thinking that would solve my problem. Nope. Trying to set up the Comcast service has been a nightmare beyond the scope of my imagination.

I switched back to U-verse (both services are still active) for now because at least it is workable. I feel that I am trying to accomplish a very basic task and can't seem to accomplish it. I have been on support with Sonicwall for hours to no avail. Everyone just points me to someone else. To say that I am at my wits' end is a massive understatement.

I simply can't believe that no one has run across this before with so many Sonicwall appliances in play.

I just need some kind of direction as to where to go next.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930088
Here is what I would do with your situation:
Make one flat network zone behind the Sonicwall. There is absolutely no reason to run a DMZ. If you need port forwards, use the Public Server Wizard (just choose web server). It will make the address objects and groups; then you just add the ports/services you want to the created group.
 

Author Comment

by:qmeshawn
ID: 39930100
@Aaron,

I tried running everything from the LAN (X0) interface without having to create a DMZ but couldn't get the desired result. Basically, the same thing I am experiencing now with the DMZ... So, maybe you are right, the DMZ isn't helping the situation. However, I have forwarded the required ports and tested them through the Sonicwall interface, which shows the ports forwarding, but the Xbox is resetting the packets.
 

Author Comment

by:qmeshawn
ID: 39930166
There is no way that I know of to log in to the xbox to see what is going on internally so I don't know what it's trying to do or not do. Maybe the xbox needs to initiate the ports opening which is why I can't ping the port using http://ping.eu/. I am at a complete loss on this one. I set up an FTP server (Nas) and RDP to my desktop using port forwarding with no issues. I just can't make this happen with the Xbox. I have connectivity but simply get kicked out due to the NAT issues.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930186
 

Author Comment

by:qmeshawn
ID: 39930245
Great thread!! I will try it and respond!
 

Author Comment

by:qmeshawn
ID: 39930265
Unfortunately, I haven't purchased the add-on module that allows granular application management, so this thread won't help me.
 

Author Comment

by:qmeshawn
ID: 39930268
However, I did create the DMZ and had it allow any and all connections from the WAN to the DMZ and from DMZ to WAN which shouldn't block ANY connections but still, no dice.
 

Author Comment

by:qmeshawn
ID: 39930277
I wanted to also add: I checked "Consistent NAT" in VoIP, which got me from strict to moderate NAT, and checked multicast support on all interfaces.
 
LVL 30

Expert Comment

by:masnrock
ID: 39930291
Do you have a static or dynamic IP from AT&T?
 

Author Comment

by:qmeshawn
ID: 39930301
I have a leased Dynamic IP. It hasn't changed in over a year.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930437
Did you add all the firewall forwards from the thread?

This one has them listed too:
http://portforward.com/english/routers/port_forwarding/Sonicwall/TZ-170/Xbox_Live_360.htm
 

Author Comment

by:qmeshawn
ID: 39930438
I forwarded all of them. UDP and TCP alike. I created a service group to house them all and still getting kicked out of live. I tested to see if the ports were forwarding in the router and they are forwarding to the static ip I set up on the xbox but, no dice.
 

Author Comment

by:qmeshawn
ID: 39930439
The Xbox seems to be resetting the packets / denying them.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930458
Does having it as "moderate NAT" work, or is some functionality still missing?
 

Author Comment

by:qmeshawn
ID: 39930463
I can log into xbox live, play, chat etc.. but get kicked out randomly and then cannot sign back in.
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930467
So it looks like the real problem is that the xbox uses a TON of undocumented ports and only really works well with upnp which no business grade firewall will have.

http://www.experts-exchange.com/Hardware/Personal_Electronics/Gaming_Consoles/Q_27829047.html
 

Author Comment

by:qmeshawn
ID: 39930477
I believe you are correct regarding UPnP. However, there are three accepted solutions on that thread... which one worked?

I haven't tried this...

"I think transparent mode is the last line of defense. If this doesn't work, I'm sticking to my and MASQUERIAD's belief SW will not support uPnP, which, I believe, is what the xbox is wanting to utilize for the different services. MASQUERAID commented already on setting up transparent mode. The steps can be found here:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979

For this to work you'll need more than one public IP address assignment from your ISP. Then, add the bridged WAP, give the xbox a public IP with the respective settings, and see what happens."
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39930487
If you have a block of IP addresses from your ISP, you can let one go to the Sonicwall and let one go right through to the Xbox, every port with no firewall. Basically, that puts your Xbox outside your network.
 

Author Comment

by:qmeshawn
ID: 39930496
Maybe this is a dumb question but, if I had an extra public IP or a block of IP addresses, could I simply create a separate network with a UPnP router? Just plug into the 2Wire gateway and off we go?
 
LVL 39

Accepted Solution

by: Aaron Tomosky (earned 1500 total points)
ID: 39930525
Yep. If the 2Wire only has one LAN port, then use a switch.
