Zone based network with DMZ, Sonicwal TZ205, 2Wire 3800 HGV, Netgear WNDR 3700

I have an established network scheme that I needed to add a DMZ zone too for gaming purposes (Xbox, ps4 etc..) Due to NAT  policy issues I was having with the Xbox 360. I have a Sonicwall TZ 205 behind a 2Wire 3800 HGV-B and everything is able to access the WAN but none of the devices can see one another.. I have a media server (Synology DS213) that I would like to stream movies from but , neither the Xbox nor the PS4 can communicate. When I try to scan the network for computers from the Xbox, the Synology comes up in the list but, I cannot connect. I also have a WNDR 3700 set up as a wireless access point with the same issue.

My Lan is using port / zone X0 on the sonicwall with the 192.168.1.xx scheme. Subnet mask 255.255.255.0

My DMZ is using port / zone X2 on the sonicwall  with the 10.10.0.xx scheme. Subnet mask 255.255.255.0

The WNDR is plugged in to a switch which is on the X0 zone but, is using 10.0.0.1. Subnet mask 255.255.0.0

The synology on the X0  zone as well with a 192.168.1.xx scheme.

Maybe it's just that the subnet masks are conflicting or class A networks cannot communicate with class C networks. Or... maybe I just have it hosed up.

The 2 wire has it's own firewall that I cannot turn off and has a dmzplus zone set up for the WAN IP.

Any help that could be provided would be fantastic.

Thank you,

Shawn
qmeshawnAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

qmeshawnAuthor Commented:
I have been doing some more research and it seems that I may be able to bypass creating a DMZ in the 2wire but, I need a public IP for my Sonicwall.. Make sense?
0
qmeshawnAuthor Commented:
I am willing to provide screen shots and more detail if that is what is causing the lack of response.
0
Aaron TomoskySD-WAN SimplifiedCommented:
To leave a subnet/mask the traffic goes to a layer 3 device (sonicwall). However since the sonicwall doesn't know about one of your x0 subnets since you have two, it can't help.

If you setup all the subnets to interfaces in the sonicwall individually, then you can communicate across. However xbox and some other things rely on multicast which is another few steps to work across zones.
0
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

masnrockCommented:
None of your subnets conflict in terms of the IP addresses. Did you make sure that the subnets are allowed to communicate with each other. I'd also set up the third subnet on the Sonicwall rather than on the switch.
0
qmeshawnAuthor Commented:
I actually changed the DMZ zone on X2 to use 192.168.2.X  scheme, forwarded all of the ports listed on this knowledge base article:

https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3956

And still get moderate NAT on the DMZ and get kicked out of Xbox live consistently. I am currently using the uverse internet service  which causes a "router behind a router" scenario, and thought that maybe that was the culprit so, I actually had Comcast cable internet installed thinking that would solve my problem. Nope.. Trying to set up the comcast service has been a nightmare beyond the scope of my imagination.

I switched back to uverse (both services are still active) for now because at least it is workable. I feel that I am trying to accomplish a very basic task and can't seem to accomplish it. I have been on support with Sonicwall for hours to no avail. Everyone just points me to someone else. To say that I am at my wits end is a massive understatement.

I simply can't believe that no one has run across this before with so many sonicwall appliances in play.

I just need some kind of direction as to where to go next.
0
Aaron TomoskySD-WAN SimplifiedCommented:
here is what I would do with your situation:
make one flat network zone behind the sonicwall. There is absolutely no reason to run a DMZ. If you need port forwards, use the public server wizard (just choose webserver). It will make the address objects and groups, then you just add the ports/services you want to the created group.
0
qmeshawnAuthor Commented:
@ Aaron,

I tried running everything from the Lan (X0) interface without having to create a DMZ but couldn't get the desired result. Basically, the same thing I am experiencing now with the DMZ... So, maybe you are right, the DMZ isn't helping the situation. However, I have forwarded the required ports and tested them through the sonicwall interface that shows the ports forwarding but the Xbox is resetting the packets.
0
qmeshawnAuthor Commented:
There is no way that I know of to log in to the xbox to see what is going on internally so I don't know what it's trying to do or not do. Maybe the xbox needs to initiate the ports opening which is why I can't ping the port using http://ping.eu/. I am at a complete loss on this one. I set up an FTP server (Nas) and RDP to my desktop using port forwarding with no issues. I just can't make this happen with the Xbox. I have connectivity but simply get kicked out due to the NAT issues.
0
qmeshawnAuthor Commented:
Great thread!! I will try it and respond!
0
qmeshawnAuthor Commented:
Unfortunately, I haven't purchased the add on module that allows granular application management so this thread won't help me.
0
qmeshawnAuthor Commented:
However, I did create the DMZ and had it allow any and all connections from the WAN to the DMZ and from DMZ to WAN which shouldn't block ANY connections but still, no dice.
0
qmeshawnAuthor Commented:
I wanted to also add.. I checked continous NAT in Voip which got me from strict to moderate NAT. And, checked multicast support on all interfaces.
0
masnrockCommented:
Do you have a static or dynamic IP from AT&T?
0
qmeshawnAuthor Commented:
I have a leased Dynamic IP. It hasn't changed in over a year.
0
Aaron TomoskySD-WAN SimplifiedCommented:
did you add all the firewall forwards from the thread?

this one has them listed too
http://portforward.com/english/routers/port_forwarding/Sonicwall/TZ-170/Xbox_Live_360.htm
0
qmeshawnAuthor Commented:
I forwarded all of them. UDP and TCP alike. I created a service group to house them all and still getting kicked out of live. I tested to see if the ports were forwarding in the router and they are forwarding to the static ip I set up on the xbox but, no dice.
0
qmeshawnAuthor Commented:
The Xbox seems to be resetting the packets / denying them
0
Aaron TomoskySD-WAN SimplifiedCommented:
does having it as "moderate nat" work or is some functionality still missing?
0
qmeshawnAuthor Commented:
I can log into xbox live, play, chat etc.. but get kicked out randomly and then cannot sign back in.
0
Aaron TomoskySD-WAN SimplifiedCommented:
So it looks like the real problem is that the xbox uses a TON of undocumented ports and only really works well with upnp which no business grade firewall will have.

http://www.experts-exchange.com/Hardware/Personal_Electronics/Gaming_Consoles/Q_27829047.html
0
qmeshawnAuthor Commented:
I belive you are correct regarding upnp. However, there are three accepted solutions on that thread.. which one worked?

I haven't tried this...

"I think transparent mode is the last line of defense. If this doesn't work, I'm sticking to my and MASQUERIAD's belief SW will not support uPnP, which, I believe, is what the xbox is wanting to utilize for the different services. MASQUERAID commented already on setting up transparent mode. The steps can be found here:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979

For this to work you'll need more than one public IP address assignment from your ISP. Then, add the bridged WAP, give the xbox a public IP with the respective settings, and see what happens."
0
Aaron TomoskySD-WAN SimplifiedCommented:
if you have a block of ip addresses from your isp, you can let one go to the sonicwall and let one go right through to the xbox, every port with no firewall. Basically puts your xbox outside your network
0
qmeshawnAuthor Commented:
Maybe this is a dumb question but, if I had an extra public ip or a block of ip addresses, could I simply create a seperate network with a upnp router? Just plug into the 2wire gateway and off we go?
0
Aaron TomoskySD-WAN SimplifiedCommented:
yep. if the 2wire only has one lan port, then use a switch.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Protocols

From novice to tech pro — start learning today.