Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1175
  • Last Modified:

Zone based network with DMZ, Sonicwal TZ205, 2Wire 3800 HGV, Netgear WNDR 3700

I have an established network scheme that I needed to add a DMZ zone too for gaming purposes (Xbox, ps4 etc..) Due to NAT  policy issues I was having with the Xbox 360. I have a Sonicwall TZ 205 behind a 2Wire 3800 HGV-B and everything is able to access the WAN but none of the devices can see one another.. I have a media server (Synology DS213) that I would like to stream movies from but , neither the Xbox nor the PS4 can communicate. When I try to scan the network for computers from the Xbox, the Synology comes up in the list but, I cannot connect. I also have a WNDR 3700 set up as a wireless access point with the same issue.

My Lan is using port / zone X0 on the sonicwall with the 192.168.1.xx scheme. Subnet mask 255.255.255.0

My DMZ is using port / zone X2 on the sonicwall  with the 10.10.0.xx scheme. Subnet mask 255.255.255.0

The WNDR is plugged in to a switch which is on the X0 zone but, is using 10.0.0.1. Subnet mask 255.255.0.0

The synology on the X0  zone as well with a 192.168.1.xx scheme.

Maybe it's just that the subnet masks are conflicting or class A networks cannot communicate with class C networks. Or... maybe I just have it hosed up.

The 2 wire has it's own firewall that I cannot turn off and has a dmzplus zone set up for the WAN IP.

Any help that could be provided would be fantastic.

Thank you,

Shawn
0
qmeshawn
Asked:
qmeshawn
  • 15
  • 8
  • 2
1 Solution
 
qmeshawnAuthor Commented:
I have been doing some more research and it seems that I may be able to bypass creating a DMZ in the 2wire but, I need a public IP for my Sonicwall.. Make sense?
0
 
qmeshawnAuthor Commented:
I am willing to provide screen shots and more detail if that is what is causing the lack of response.
0
 
Aaron TomoskyTechnology ConsultantCommented:
To leave a subnet/mask the traffic goes to a layer 3 device (sonicwall). However since the sonicwall doesn't know about one of your x0 subnets since you have two, it can't help.

If you setup all the subnets to interfaces in the sonicwall individually, then you can communicate across. However xbox and some other things rely on multicast which is another few steps to work across zones.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
masnrockCommented:
None of your subnets conflict in terms of the IP addresses. Did you make sure that the subnets are allowed to communicate with each other. I'd also set up the third subnet on the Sonicwall rather than on the switch.
0
 
qmeshawnAuthor Commented:
I actually changed the DMZ zone on X2 to use 192.168.2.X  scheme, forwarded all of the ports listed on this knowledge base article:

https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=3956

And still get moderate NAT on the DMZ and get kicked out of Xbox live consistently. I am currently using the uverse internet service  which causes a "router behind a router" scenario, and thought that maybe that was the culprit so, I actually had Comcast cable internet installed thinking that would solve my problem. Nope.. Trying to set up the comcast service has been a nightmare beyond the scope of my imagination.

I switched back to uverse (both services are still active) for now because at least it is workable. I feel that I am trying to accomplish a very basic task and can't seem to accomplish it. I have been on support with Sonicwall for hours to no avail. Everyone just points me to someone else. To say that I am at my wits end is a massive understatement.

I simply can't believe that no one has run across this before with so many sonicwall appliances in play.

I just need some kind of direction as to where to go next.
0
 
Aaron TomoskyTechnology ConsultantCommented:
here is what I would do with your situation:
make one flat network zone behind the sonicwall. There is absolutely no reason to run a DMZ. If you need port forwards, use the public server wizard (just choose webserver). It will make the address objects and groups, then you just add the ports/services you want to the created group.
0
 
qmeshawnAuthor Commented:
@ Aaron,

I tried running everything from the Lan (X0) interface without having to create a DMZ but couldn't get the desired result. Basically, the same thing I am experiencing now with the DMZ... So, maybe you are right, the DMZ isn't helping the situation. However, I have forwarded the required ports and tested them through the sonicwall interface that shows the ports forwarding but the Xbox is resetting the packets.
0
 
qmeshawnAuthor Commented:
There is no way that I know of to log in to the xbox to see what is going on internally so I don't know what it's trying to do or not do. Maybe the xbox needs to initiate the ports opening which is why I can't ping the port using http://ping.eu/. I am at a complete loss on this one. I set up an FTP server (Nas) and RDP to my desktop using port forwarding with no issues. I just can't make this happen with the Xbox. I have connectivity but simply get kicked out due to the NAT issues.
0
 
Aaron TomoskyTechnology ConsultantCommented:
0
 
qmeshawnAuthor Commented:
Great thread!! I will try it and respond!
0
 
qmeshawnAuthor Commented:
Unfortunately, I haven't purchased the add on module that allows granular application management so this thread won't help me.
0
 
qmeshawnAuthor Commented:
However, I did create the DMZ and had it allow any and all connections from the WAN to the DMZ and from DMZ to WAN which shouldn't block ANY connections but still, no dice.
0
 
qmeshawnAuthor Commented:
I wanted to also add.. I checked continous NAT in Voip which got me from strict to moderate NAT. And, checked multicast support on all interfaces.
0
 
masnrockCommented:
Do you have a static or dynamic IP from AT&T?
0
 
qmeshawnAuthor Commented:
I have a leased Dynamic IP. It hasn't changed in over a year.
0
 
Aaron TomoskyTechnology ConsultantCommented:
did you add all the firewall forwards from the thread?

this one has them listed too
http://portforward.com/english/routers/port_forwarding/Sonicwall/TZ-170/Xbox_Live_360.htm
0
 
qmeshawnAuthor Commented:
I forwarded all of them. UDP and TCP alike. I created a service group to house them all and still getting kicked out of live. I tested to see if the ports were forwarding in the router and they are forwarding to the static ip I set up on the xbox but, no dice.
0
 
qmeshawnAuthor Commented:
The Xbox seems to be resetting the packets / denying them
0
 
Aaron TomoskyTechnology ConsultantCommented:
does having it as "moderate nat" work or is some functionality still missing?
0
 
qmeshawnAuthor Commented:
I can log into xbox live, play, chat etc.. but get kicked out randomly and then cannot sign back in.
0
 
Aaron TomoskyTechnology ConsultantCommented:
So it looks like the real problem is that the xbox uses a TON of undocumented ports and only really works well with upnp which no business grade firewall will have.

http://www.experts-exchange.com/Hardware/Personal_Electronics/Gaming_Consoles/Q_27829047.html
0
 
qmeshawnAuthor Commented:
I belive you are correct regarding upnp. However, there are three accepted solutions on that thread.. which one worked?

I haven't tried this...

"I think transparent mode is the last line of defense. If this doesn't work, I'm sticking to my and MASQUERIAD's belief SW will not support uPnP, which, I believe, is what the xbox is wanting to utilize for the different services. MASQUERAID commented already on setting up transparent mode. The steps can be found here:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979

For this to work you'll need more than one public IP address assignment from your ISP. Then, add the bridged WAP, give the xbox a public IP with the respective settings, and see what happens."
0
 
Aaron TomoskyTechnology ConsultantCommented:
if you have a block of ip addresses from your isp, you can let one go to the sonicwall and let one go right through to the xbox, every port with no firewall. Basically puts your xbox outside your network
0
 
qmeshawnAuthor Commented:
Maybe this is a dumb question but, if I had an extra public ip or a block of ip addresses, could I simply create a seperate network with a upnp router? Just plug into the 2wire gateway and off we go?
0
 
Aaron TomoskyTechnology ConsultantCommented:
yep. if the 2wire only has one lan port, then use a switch.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 15
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now