Solved

Zone based network with DMZ, Sonicwal TZ205, 2Wire 3800 HGV, Netgear WNDR 3700

Posted on 2014-03-04
26
1,068 Views
Last Modified: 2014-03-14
I have an established network scheme that I needed to add a DMZ zone too for gaming purposes (Xbox, ps4 etc..) Due to NAT  policy issues I was having with the Xbox 360. I have a Sonicwall TZ 205 behind a 2Wire 3800 HGV-B and everything is able to access the WAN but none of the devices can see one another.. I have a media server (Synology DS213) that I would like to stream movies from but , neither the Xbox nor the PS4 can communicate. When I try to scan the network for computers from the Xbox, the Synology comes up in the list but, I cannot connect. I also have a WNDR 3700 set up as a wireless access point with the same issue.

My Lan is using port / zone X0 on the sonicwall with the 192.168.1.xx scheme. Subnet mask 255.255.255.0

My DMZ is using port / zone X2 on the sonicwall  with the 10.10.0.xx scheme. Subnet mask 255.255.255.0

The WNDR is plugged in to a switch which is on the X0 zone but, is using 10.0.0.1. Subnet mask 255.255.0.0

The synology on the X0  zone as well with a 192.168.1.xx scheme.

Maybe it's just that the subnet masks are conflicting or class A networks cannot communicate with class C networks. Or... maybe I just have it hosed up.

The 2 wire has it's own firewall that I cannot turn off and has a dmzplus zone set up for the WAN IP.

Any help that could be provided would be fantastic.

Thank you,

Shawn
0
Comment
Question by:qmeshawn
  • 15
  • 8
  • 2
26 Comments
 

Author Comment

by:qmeshawn
ID: 39904925
I have been doing some more research and it seems that I may be able to bypass creating a DMZ in the 2wire but, I need a public IP for my Sonicwall.. Make sense?
0
 

Author Comment

by:qmeshawn
ID: 39908118
I am willing to provide screen shots and more detail if that is what is causing the lack of response.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39912772
To leave a subnet/mask the traffic goes to a layer 3 device (sonicwall). However since the sonicwall doesn't know about one of your x0 subnets since you have two, it can't help.

If you setup all the subnets to interfaces in the sonicwall individually, then you can communicate across. However xbox and some other things rely on multicast which is another few steps to work across zones.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39915221
None of your subnets conflict in terms of the IP addresses. Did you make sure that the subnets are allowed to communicate with each other. I'd also set up the third subnet on the Sonicwall rather than on the switch.
0
 

Author Comment

by:qmeshawn
ID: 39929946
I actually changed the DMZ zone on X2 to use 192.168.2.X  scheme, forwarded all of the ports listed on this knowledge base article:

https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3956

And still get moderate NAT on the DMZ and get kicked out of Xbox live consistently. I am currently using the uverse internet service  which causes a "router behind a router" scenario, and thought that maybe that was the culprit so, I actually had Comcast cable internet installed thinking that would solve my problem. Nope.. Trying to set up the comcast service has been a nightmare beyond the scope of my imagination.

I switched back to uverse (both services are still active) for now because at least it is workable. I feel that I am trying to accomplish a very basic task and can't seem to accomplish it. I have been on support with Sonicwall for hours to no avail. Everyone just points me to someone else. To say that I am at my wits end is a massive understatement.

I simply can't believe that no one has run across this before with so many sonicwall appliances in play.

I just need some kind of direction as to where to go next.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930088
here is what I would do with your situation:
make one flat network zone behind the sonicwall. There is absolutely no reason to run a DMZ. If you need port forwards, use the public server wizard (just choose webserver). It will make the address objects and groups, then you just add the ports/services you want to the created group.
0
 

Author Comment

by:qmeshawn
ID: 39930100
@ Aaron,

I tried running everything from the Lan (X0) interface without having to create a DMZ but couldn't get the desired result. Basically, the same thing I am experiencing now with the DMZ... So, maybe you are right, the DMZ isn't helping the situation. However, I have forwarded the required ports and tested them through the sonicwall interface that shows the ports forwarding but the Xbox is resetting the packets.
0
 

Author Comment

by:qmeshawn
ID: 39930166
There is no way that I know of to log in to the xbox to see what is going on internally so I don't know what it's trying to do or not do. Maybe the xbox needs to initiate the ports opening which is why I can't ping the port using http://ping.eu/. I am at a complete loss on this one. I set up an FTP server (Nas) and RDP to my desktop using port forwarding with no issues. I just can't make this happen with the Xbox. I have connectivity but simply get kicked out due to the NAT issues.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930186
0
 

Author Comment

by:qmeshawn
ID: 39930245
Great thread!! I will try it and respond!
0
 

Author Comment

by:qmeshawn
ID: 39930265
Unfortunately, I haven't purchased the add on module that allows granular application management so this thread won't help me.
0
 

Author Comment

by:qmeshawn
ID: 39930268
However, I did create the DMZ and had it allow any and all connections from the WAN to the DMZ and from DMZ to WAN which shouldn't block ANY connections but still, no dice.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:qmeshawn
ID: 39930277
I wanted to also add.. I checked continous NAT in Voip which got me from strict to moderate NAT. And, checked multicast support on all interfaces.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39930291
Do you have a static or dynamic IP from AT&T?
0
 

Author Comment

by:qmeshawn
ID: 39930301
I have a leased Dynamic IP. It hasn't changed in over a year.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930437
did you add all the firewall forwards from the thread?

this one has them listed too
http://portforward.com/english/routers/port_forwarding/Sonicwall/TZ-170/Xbox_Live_360.htm
0
 

Author Comment

by:qmeshawn
ID: 39930438
I forwarded all of them. UDP and TCP alike. I created a service group to house them all and still getting kicked out of live. I tested to see if the ports were forwarding in the router and they are forwarding to the static ip I set up on the xbox but, no dice.
0
 

Author Comment

by:qmeshawn
ID: 39930439
The Xbox seems to be resetting the packets / denying them
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930458
does having it as "moderate nat" work or is some functionality still missing?
0
 

Author Comment

by:qmeshawn
ID: 39930463
I can log into xbox live, play, chat etc.. but get kicked out randomly and then cannot sign back in.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930467
So it looks like the real problem is that the xbox uses a TON of undocumented ports and only really works well with upnp which no business grade firewall will have.

http://www.experts-exchange.com/Hardware/Personal_Electronics/Gaming_Consoles/Q_27829047.html
0
 

Author Comment

by:qmeshawn
ID: 39930477
I belive you are correct regarding upnp. However, there are three accepted solutions on that thread.. which one worked?

I haven't tried this...

"I think transparent mode is the last line of defense. If this doesn't work, I'm sticking to my and MASQUERIAD's belief SW will not support uPnP, which, I believe, is what the xbox is wanting to utilize for the different services. MASQUERAID commented already on setting up transparent mode. The steps can be found here:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979

For this to work you'll need more than one public IP address assignment from your ISP. Then, add the bridged WAP, give the xbox a public IP with the respective settings, and see what happens."
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39930487
if you have a block of ip addresses from your isp, you can let one go to the sonicwall and let one go right through to the xbox, every port with no firewall. Basically puts your xbox outside your network
0
 

Author Comment

by:qmeshawn
ID: 39930496
Maybe this is a dumb question but, if I had an extra public ip or a block of ip addresses, could I simply create a seperate network with a upnp router? Just plug into the 2wire gateway and off we go?
0
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 39930525
yep. if the 2wire only has one lan port, then use a switch.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now