911bob asked:
2 networks on one unmanaged switch connected to Sonicwall

I have a client that has an application that periodically goes to the internet to pull information. They have all those devices on one network, 172.31.2.x; they also have a second network, 192.168.100.x, on the same switch.

The SonicWall is set to have X2 as the 192.168.100.0 gateway/port.

How can I get traffic from the 172.31.2.x network outside?

I have tried implementing an address object, ARP and Routing as described here: http://www.blizzardcomputers.com/multihome-lan-sonicwall/

But so far it is not talking.
Bryant Schaper:

Easiest would be to use another port off the SonicWALL, put it on the 172.31.2.x network and connect it to the switch, then have those machines use it as their gateway and write the ACLs on the SonicWALL to allow the needed traffic.
Two ways to do it:
Make sure the firewall has a gateway address set up on the "inside" interface for the 172.31.2.x network (like 172.31.2.1) so that machines on that network can use the sonicwall as their default gateway.  You will end up having one primary and one secondary address on the interface (one for each netblock).  Also, enable outbound network address translation for that network.

The other way, kind of an ugly hack, is to set up an additional IP address (like 172.31.2.1/255.255.255.0, but leave "default gateway" blank) on one of your Windows systems on the 192.168.100.x network, enable Internet Connection Sharing (or whatever it's called now), and have your 172.31.2.x systems use 172.31.2.1 as their default gateway.
911bob (asker):

Bryant, I agree that is probably the simplest, but can I run a cable from interface X2 (192.168.100.1) to the switch AND one from the same switch to X3 (172.31.2.1)? Are the ports isolated so that it will not interfere?

It is a plain old dumb switch, no VLANs.
Yes, it will basically see them as two separate devices, which is essentially what you are doing now by having multiple networks on the same switch. In an ideal world there would be another switch for those devices, or a switch that supports VLANs.
What is the current gateway for the 172.31.2.0 network, and is there a device that the IP is currently configured on?
Would that be the switch? If yes, then the switch is an L3 switch.
If so, you should be able to log on to the switch via a web browser and then configure a default route from 172 to 192

If the above is impossible, you will need another L3 switch to accomplish your goal (either with another cable connection to the Sonic or without)

Check the 172.x.x.x computers for the gateway they're using. Then scan the network with IP Scanner to find out which device has that IP.
ASKER CERTIFIED SOLUTION by John Smith

John Smith:

If so, you should be able to log on to the switch via a web browser and then configure a default route from 172 to 192


The SonicWALL won't allow this. Traffic would be dropped due to IP spoof protection.
911bob (asker):

Problem is the switch is not VLAN capable. The system vendor claims they do this with a Fortinet firewall, and I wouldn't think it can do something a SonicWall cannot.

If the only way is with VLANs, then I am better off putting in another 8-port switch and using that for the 172.31 network. It is a very lightly loaded network, only for menu boards.


I can tell you with a very high degree of confidence that this will be a major issue. You should never have two networks on the same VLAN; they should always be separated. This isn't just a recommendation based on the SonicWALL, this is good networking practice. Furthermore, regardless of the firewall vendor, you shouldn't have the same switch connected to more than one interface if no VLANs are in play... this is a bad design and is just asking for trouble. Some networking devices are more lax, however, and will allow this by not implementing source-network verification.


Let me use this example to clarify:


Firewall (int 2) ------------------ (gi 1/0/2) Switch
    |    (int 3)                    (gi 1/0/3)   |
     --------------------------------------------

(Notice that in the figure above, a physical topology loop is created)


                 Switch
                   |
      -----------------------------
      |                           |
   Comp 1                      Comp 2
192.168.100.101            172.31.2.102



Firewall int 2 - 192.168.100.x /24
Firewall int 3 -  172.31.2.x /24


Comp 1's traffic may ingress the firewall's int 3 interface and may be allowed by the firewall because it knows about the other network and doesn't verify that the traffic has ingressed through the int 2 interface, which is the proper interface.

SonicOS rightly won't allow this.

If the switch is not VLAN capable, then your only option will be to add in another switch and physically separate the networks.
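An added example, not SonicOS code and not from anyone in the thread, of the strict reverse-path (anti-spoof) check behind the "IP spoof protection" drop described above: a packet is accepted only if the interface the firewall would route its source address through is the interface it arrived on. The interface names, subnets and packets are assumed and mirror the diagram above; the second table models the secondary-address option from Bryant's first suggestion to show why a 172.31.2.x host on X2 passes the same check once X2 owns that subnet.

```python
# Added illustration of a strict reverse-path / anti-spoof ingress check.
# Example code, not SonicOS's implementation: interface names, subnets and
# packets are constructed for the example and mirror the thread's topology.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Route table: interface -> directly connected networks it owns.
# One subnet per interface, as in the diagram above.
SEPARATE_IFACES: Dict[str, List[IPv4Network]] = {
    "X2": [ip_network("192.168.100.0/24")],
    "X3": [ip_network("172.31.2.0/24")],
}

# Secondary address on X2 (assumed): X2 is the gateway for both subnets,
# so a single cable to the switch carries both networks.
SECONDARY_ON_X2: Dict[str, List[IPv4Network]] = {
    "X2": [ip_network("192.168.100.0/24"), ip_network("172.31.2.0/24")],
}

WAN_IFACE = "X1"  # assumed default route for anything not directly connected


def route_lookup(addr: IPv4Address, table: Dict[str, List[IPv4Network]]) -> str:
    """Longest-prefix match over the connected networks; fall back to the WAN."""
    best: Optional[Tuple[int, str]] = None
    for iface, nets in table.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
    return best[1] if best else WAN_IFACE


def rpf_check(ingress: str, src: str, table=SEPARATE_IFACES) -> bool:
    """Strict reverse-path check: accept only if the interface the firewall
    would use to reach the packet's *source* address is the interface the
    packet actually arrived on. A LAN source showing up on another LAN port
    (or on the WAN) fails, which is the spoof drop the thread describes."""
    return route_lookup(ip_address(src), table) == ingress


def filter_packets(packets: List[Tuple[str, str]],
                   table=SEPARATE_IFACES) -> List[Dict[str, str]]:
    """Run the check over (ingress_interface, source_ip) pairs and explain each verdict."""
    verdicts = []
    for ingress, src in packets:
        expected = route_lookup(ip_address(src), table)
        verdicts.append({
            "ingress": ingress,
            "src": src,
            "verdict": "allow" if expected == ingress else "drop (spoof)",
            "reason": f"{src} is routed via {expected}",
        })
    return verdicts


if __name__ == "__main__":
    # Constructed packets. With a dumb switch wired to both X2 and X3, Comp 1's
    # frames can arrive on X3; that is the second entry below.
    sample = [
        ("X2", "192.168.100.101"),  # Comp 1 on its proper interface
        ("X3", "192.168.100.101"),  # Comp 1 arriving on the 172 interface
        ("X3", "172.31.2.102"),     # Comp 2 on its proper interface
        ("X1", "172.31.2.102"),     # a LAN address arriving from the WAN
    ]
    for v in filter_packets(sample):
        print(f"{v['ingress']:>3} {v['src']:<16} {v['verdict']:<13} ({v['reason']})")
    # The same 172 host on X2 passes once X2 owns that subnet as a secondary:
    print("secondary on X2:", rpf_check("X2", "172.31.2.102", SECONDARY_ON_X2))
```

The check is per-packet and stateless, which is why a flat switch loop is enough to trip it: nothing stops Comp 1's frames from reaching X3, and any that do are dropped regardless of the access rules, so the symptom is intermittent loss rather than a clean failure.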
911bob (asker):

Thanks to everyone for the suggestions. Tyrant, I appreciate you telling me straight out it will not work, rather than trying a lot of hunches and maybes.
Absolutely Bob, anytime. I'm happy to help.   :)