Link to home
Start Free TrialLog in
Avatar of Chip Levinson
Chip LevinsonFlag for United States of America

asked on

Questions on Configuring New SonicWall TZ270 Firewall - Zones and Private Networks

Hello,

I am looking for advice on how to configure a new SonicWall TZ270 firewall I just purchased to replace a Juniper Networks SSG5 in my home. My first question has to do with how to set up zones behind my firewall.  My SSG5 has three zones and is configured to block all traffic between the zones (isolate them):

  • Work: This zone includes a Windows Server 2012 file server, a NAS device, a work PC running Windows 10, and a network printer. These devices are configured with static IP addresses in the range of 192.168.1.xxx.
  • Home: This zone includes my wife's W10 PC, my son's W10 laptop, daughter's Apple laptop, and a Netgear Orbi wifi router. These devices are connected via Cat5e cables and are configured with static IP addresses in the range of 192.168.2.xxx.
  • Wifi: The Orbi wifi router and a single satellite located centrally in the house creates a wifi mesh that uses DHCP.  It is password protected and is used by two smart TVs, 4 family smart phones, several iPads and guests devices. Last night I checked and there were 57 different devices in its DHCP table.  I deleted old entries and got the list to 21.

I want to create more zones with the SonicWall TZ270.  I purchased three years of their Essential's services and plan to use their sandbox to scan all email attachments.

I read somewhere that it is not a good idea to use 192.168.1 as malware looks for this common IP range.  Is this true? Am I better off using IP addresses between 10.0. 0.0 to 10.255. 255.255 or IP addresses between 172.16. 0.0 to 172.31. 255.255?

I would appreciate feedback/suggestions on my current thoughts about zones on the TZ270 setup:

Zone 1 Work. Same as before but use different private network range, say 10.10.1.xxx with static IP. Have SonicWall fully protected this zone, including sandbox.
Zone 2 Home. Same as before but use different private network range, say 10.10.2.xxx, with static IP. Have SonicWall fully protected this zone, including sandbox.
Zone 3 TV. Set up a dedicated zone for our two TVs and program SonicWall not to scan traffic - don't want or need it to scan Netflix, etc.  Short-term this will include family wifi due to the lack of wired ethernet near the TV (something I may fix in the next month or two). This will use DHCP and private network 172.17.1.xxx. Wifi access will be limited to my family's devices and our TVs using MAC address filtering. Some of the SonicWall features (TBD) will be active on this, but not all.
Zone 4 Guest Wifi. Uses DHCP and a different network, perhaps 192.168.99.xxx. It will be password protected, but otherwise open for visitors to use.  If possible, I would like the DHCP table to get automatically flushed.
Zone 5 (future) IoT zone.  In the future I will have some security cameras (ring doorbell like devices) and may isolate them on their own network.

Thank you for your thoughts and recommendations!

ASKER CERTIFIED SOLUTION
Avatar of Benjamin Van Ditmars
Benjamin Van Ditmars
Flag of Netherlands image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Chip Levinson

ASKER

Hi Benjamin, thanks for the insights. Do you know of any advantages or disadvantages of using certain private IP address ranges in setting up a local area network?
There is no Disadvantage to do this. make a ip design, for a home network give them all a /24
if you dont have any ipsec vpn's of things like that just use the 192.168.0.0/16 range

Zone 1 Work 192.168.0.0/24
Zone 2 Home 192.168.1.0/24
etc

make a plan, from zone to zone what traffic you want to permit. there is a default deny any any rule.
so just tell what can talk to what.

the best way is make youre self a drawing of what you want to build, this make it easy to build it after.
Hi,
Sorry for disappearing - I was out of town for a few days.  I am trying to resolve a new more pressing problem.  I can no longer map the three shared folders on my file server so I can access them from my work computer.  As soon as I figure that out I will get back to this and close the question.  Thanks for your patience!!!