2 networks on one unmanaged switch connected to Sonicwall

I have a client that has an application that periodically goes to the internet to pull information. They have all those devices on one network, 172.31.2.X; they also have a second network on the same switch, 192.168.100.X.

The sonicwall is set to have X2 as the 192.168.100.0 gateway/ port.

How can I get traffic from the 172.31.2.x network outside?

I have tried implementing an address object, ARP and Routing as described here: http://www.blizzardcomputers.com/multihome-lan-sonicwall/

But so far it is not talking.
911bobCTOAsked:

Bryant SchaperCommented:
Easiest would be to use another port off the SonicWALL, put it on the 172.31.2.x network and connect it to the switch, then have those machines use it as a gateway and write the ACLs on the SonicWALL to allow the needed traffic.
xpediaCommented:
Two ways to do it:
Make sure the firewall has a gateway address set up on the "inside" interface for the 172.31.2.x network (like 172.31.2.1) so that machines on that network can use the sonicwall as their default gateway.  You will end up having one primary and one secondary address on the interface (one for each netblock).  Also, enable outbound network address translation for that network.

The other way, kind of an ugly hack, is to set up an additional IP address (like 172.31.2.1/255.255.255.0, but leave "default gateway" blank) on one of your Windows systems on the 192.168.100.x network, enable Internet Connection Sharing (or whatever it's called now), and have your 172.31.2.x systems use 172.31.2.1 as their default gateway.
911bobCTOAuthor Commented:
Bryant, agree that is probably the simplest, but can I run a cable from interface X2 (192.168.100.1) to the switch AND one from the same switch to X3 (172.31.2.1)? Are the ports isolated so that it will not interfere?

It is a plain old dumb switch, no VLAN.

Bryant SchaperCommented:
Yes, it will basically see it as two separate devices, and essentially what you are doing now by having multiple networks on the same switch.  Ideal world would be another switch for those devices or a switch that supports VLANs.
AkinsdNetwork AdministratorCommented:
What is the current gateway for the 172.31.2.0 network, and is there a device that the IP is currently configured on?
Would that be the switch? If yes, then the switch is an L3 switch.
If so, you should be able to log on to the switch via a web browser and then configure a default route from 172 to 192.

If the above is impossible, you will need another L3 switch to accomplish your goal (either with another cable connection to the Sonic or without)

Check the 172.x.x.x computers for the gateway they're using. Then scan the network with IP Scanner to find out which device has that IP.
_TyrantCommented:
can I run a cable from interface X2 (192.168.100.1) to the switch AND one from the same switch to X3 (172.31.2.1)?

No, you absolutely cannot connect the X2 and the X3 to the same switch without putting each network in a separate VLAN! This will cause nothing but problems for your client. I've seen this a hundred times and it's always an issue. There will be an ARP storm that will take the network down. Alternatively, traffic may ingress the wrong interface and the SonicWALL will drop this traffic due to IP spoof protection.

The proper solution is to create a unique VLAN for each network, then you can do either of the following:

Option 1
=======
1. Leave the X2 configured as is.
2. Configure all switch ports that connect to devices on the 192.168.100.X network as access ports and move them to the VLAN designed for that network (I recommend using a VLAN other than VLAN 1).
3. Configure the X3 as a member of the 172.31.2.x network.
4. Configure all switch ports that connect to devices on the 172.31.2.x network as access ports and move them to the VLAN designed for that network (again, I recommend using a VLAN other than VLAN 1).
5. The switch ports that uplink to the SonicWALL's X2 and X3 must also be configured as access ports and must be members of the respective VLANs.
6. Configure clients in the 172.31.2.x network to use the X3's IP as their default gateway.

OR

Option 2
=======
1. Create a VLAN sub-interface below the X2 interface and configure it as a member of the 172.31.2.x network. This interface will require a unique VLAN ID and will expect all traffic that ingresses it to be tagged with that VLAN ID.
2. Leave the X2 configured as is.
3. Configure all switch ports that connect to devices on the 192.168.100.X network as access ports and move them to the VLAN designed for that network (I recommend using a VLAN other than VLAN 1).
4. Configure all switch ports that connect to devices on the 172.31.2.x network as access ports and move them to the VLAN designed for that network (again, I recommend using a VLAN other than VLAN 1).
5. Configure the switch port that uplinks to the SonicWALL's X2 interface as a trunk or general port. The VLAN for the 192.168.100.X network must be untagged. The VLAN for the 172.31.2.x network must be tagged.
6. Configure clients in the 172.31.2.x network to use the VLAN sub-interface's IP as their default gateway.

In scenario #2, the physical X2 interface is broken down into 2 logical interfaces - the X2 root logical interface, and the X2:V# (where # is the VLAN ID you specify in the configuration) VLAN logical interface. The X2 physical interface carries traffic for both networks, but logically acts as 2 separate interfaces.

Please DO NOT (I can't stress this enough) connect the X2 and X3 interfaces to the same switch without the proper use of VLANs. This will wreak havoc and leave you with a very unhappy customer.

If you have any questions about either of the proposed solutions, please ask. I'm happy to provide further information.

I hope this helps!

_TyrantCommented:
If so, you should be able to log on to the switch via a web browser and then configure a default route from 172 to 192


The SonicWALL won't allow this. Traffic would be dropped due to IP spoof protection.
911bobCTOAuthor Commented:
Problem is the switch is not VLAN capable.  System vendor claims they do this with a Fortinet firewall, and I wouldn't think it can do something SonicWALL cannot.

If the only way is with VLANs, then I am better off putting in another 8 port switch and using that for the 172.31 network.  It is a very lightly loaded network, only for menu boards.
_TyrantCommented:
Problem is the switch is not VLAN capable.  System vendor claims they do this with a Fortinet firewall, and I wouldn't think it can do something SonicWALL cannot.

If the only way is with VLANs, then I am better off putting in another 8 port switch and using that for the 172.31 network.  It is a very lightly loaded network, only for menu boards.


I can tell you with a very high degree of confidence that this will be a major issue. You should never have two networks on the same VLAN; they should always be separated. This isn't just a recommendation based on the SonicWALL, this is good networking practice. Furthermore, regardless of the firewall vendor, you shouldn't have the same switch connected to more than one interface if no VLANs are in play... this is a bad design and is just asking for trouble. Some networking devices are more lax, however, and will allow this by not implementing source network verification.


Let me use this example to clarify:


Firewall (int 2) -------------------------------- (gi 1/0/2) Switch
    |    (int 3)                                  (gi 1/0/3)   |
     ----------------------------------------------------------

(Notice that in the figure above, a physical topology loop is created)

                          Switch
                             |
          --------------------------------------
          |                                    |
       Comp 1                               Comp 2
  192.168.100.101                        172.31.2.102



Firewall int 2 - 192.168.100.x /24
Firewall int 3 -  172.31.2.x /24


Comp 1's traffic may ingress the firewall's int 3 interface and may be allowed by the firewall because it knows about the other network and doesn't verify that the traffic has ingressed through the int 2 interface, which is the proper interface.

SonicOS rightly won't allow this.

If the switch is not VLAN capable, then your only option will be to add in another switch and physically separate the networks.
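The following is an added model (not code from the thread or from SonicOS) of the ingress check described above and of the two VLAN options proposed earlier in the thread. It assumes VLAN ID 20 for the X2 sub-interface and the two host addresses from the figure, and shows which frames the flat design delivers to the wrong interface and why the VLAN designs do not.

```python
import ipaddress

# Constructed model of the thread's two subnets and SonicWALL ports.
NET_100 = ipaddress.ip_network("192.168.100.0/24")   # X2's network
NET_172 = ipaddress.ip_network("172.31.2.0/24")      # the application network

# Firewall ingress table: (physical port, 802.1Q tag or None) -> subnet homed there.
# "flat" and "option1" both put 172.31.2.x on X3 untagged; "option2" uses a VLAN
# sub-interface X2:V20 (tag 20 is an assumed ID) on the X2 port instead.
FIREWALL = {
    "flat":    {("X2", None): NET_100, ("X3", None): NET_172},
    "option1": {("X2", None): NET_100, ("X3", None): NET_172},
    "option2": {("X2", None): NET_100, ("X2", 20): NET_172},
}

# Frames the firewall can observe, as (port, tag, source IP). On the flat
# unmanaged switch with X2 and X3 both cabled in, every host is reachable from
# both ports, so either host's packets may arrive on either interface. With
# access VLANs, each host's frames can only reach its own uplink.
FRAMES = {
    "flat":    [("X2", None, "192.168.100.101"), ("X3", None, "192.168.100.101"),
                ("X2", None, "172.31.2.102"),    ("X3", None, "172.31.2.102")],
    "option1": [("X2", None, "192.168.100.101"), ("X3", None, "172.31.2.102")],
    "option2": [("X2", None, "192.168.100.101"), ("X2", 20,   "172.31.2.102")],
}

def spoof_check(table, port, tag, src_ip):
    """Model of IP spoof protection: the source address must belong to the
    subnet the firewall homes on the exact (port, tag) the frame arrived on."""
    net = table.get((port, tag))
    return "pass" if net is not None and ipaddress.ip_address(src_ip) in net else "drop"

def audit(design):
    """Return {(port, tag, src): verdict} for every frame a design can deliver."""
    table = FIREWALL[design]
    return {(p, t, s): spoof_check(table, p, t, s) for p, t, s in FRAMES[design]}

def dropped(design):
    """Frames the firewall would drop under this design, in a stable order."""
    return sorted((k for k, v in audit(design).items() if v == "drop"), key=str)

if __name__ == "__main__":
    for design in FIREWALL:
        print(design, "drops:", dropped(design) or "none")
```

Only the flat design produces drops: each host's traffic can show up on the other network's interface, which is exactly the spoof-protection failure the thread warns about.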
911bobCTOAuthor Commented:
Thanks to everyone for the suggestions. Tyrant, appreciate you telling me straight out it will not work, rather than trying a lot of hunches and maybes.
_TyrantCommented:
Absolutely Bob, anytime. I'm happy to help.   :)