SonicWall routing VLANs

CooperCooper Newbie ✭
edited February 2022 in High End Firewalls

Hello all!

I'm having a problem with a 5650 v6.5.

I have a fairly flat network and I'm adding VLANs. There are 4 non-VLAN subnets and I'm adding 2 new VLAN'd subnets. I want to do all the routing in the SonicWALL. I'm newer to the SonicWALL world; I'm coming from the Cisco world.

I have added the 2 new VLAN interfaces off the X1 port: X1:V7 and X1:V10. For starters I want all networks to be able to ping those interfaces. Then, once migration is done, start to lock them down.

Details:

X1 10.10.10.1/24 NETA

X1:V7 10.10.70.1/24 NET7

X1:V10 10.10.100.1/24 NET10

X2: 192.168.100.1/24 NET100

X3: 10.10.30.1/24 NET30

X4: internet

X1, X2, X3 and X4 are all preexisting and working as wanted. I've added V7 & V10. From the console I see all interfaces locally and can ping them. Ping is enabled on all interfaces for troubleshooting. For troubleshooting I'll focus on connection from 10.10.30.0/24 to 10.10.100.0/24. Machines on the 10.10.30.0/24 network can of course ping their gateway 10.10.30.1/24 but cannot ping 10.10.100.1. I have added:

Route rule: Source: any, Dest: NET10, Service: any, App: any, Route: standard, GW: X1:V10 IP, Int: X1:V10

Access rule: from: NET30, to: NET10, any, any, any, allow

Access rule: from: NET10, to: NET30, any, any, any, allow

Machine 10.10.30.50 cannot ping 10.10.100.1. Traces just go into la-la land.

NET10 and NET30 are in the same zone.

What am I missing? Thank you.


Best Answer

  • CORRECT ANSWER
    prestonpreston All-Knowing Sage ✭✭✭✭
    edited February 2022 Answer ✓

    @Cooper, if you are trying to ping the SonicWall's interface from another Zone you need to enable (enable management) in the firewall rule.

    This will enable all the Management Services to the Interface though, like HTTPS management, Ping and SSH, so if you want only ping, put a separate rule in from the source Zone to the Destination Zone: destination = Destination interface IP, destination port = ping, action = allow.

    Sorry, forgot to explain: by default ping is classed as a management service when going to an interface, so by default it is only allowed from the same zone. So even though you have a rule for Allow, All, it still doesn't allow ping, hence the rule specifically for Ping or enabling management.
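
A small model of the behaviour described in the accepted answer, added here as an illustration and not taken from the thread or from SonicOS itself. The interfaces are the ones listed in the original post; the zone names (LAN, LAN2, VLAN, DMZ) are constructed assumptions that follow the follow-up reply's finding that NET30 and NET10 were actually in different zones, and the rule fields are simplified stand-ins for the SonicWall access-rule fields named in the thread (source/destination zone, destination, service, action, "enable management"). It shows why the poster's "any, any, any, allow" rule permits ordinary host-to-host traffic but not a ping to the interface IP, and which of the two fixes from the answer makes it pass.

```python
"""Illustrative checker for the zone / management-service rule of thumb in the
accepted answer. Not SonicOS code; it only encodes what the thread states:
ping to an interface IP counts as a management service, is allowed by default
only from the same zone, and cross-zone it needs either 'enable management'
on the rule or an explicit ping rule whose destination is the interface IP."""
from dataclasses import dataclass
import ipaddress

MANAGEMENT_SERVICES = {"ping", "https", "ssh"}  # services named in the answer


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str   # constructed assumption, zone names are not in the thread
    cidr: str   # interface address with prefix, e.g. "10.10.100.1/24"

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    dst: str = "any"            # "any" or a single IP (the interface IP)
    service: str = "any"        # "any" or a service name such as "ping"
    action: str = "allow"
    enable_management: bool = False


# Interfaces from the original post; zone assignments are constructed.
INTERFACES = [
    Interface("X1", "LAN", "10.10.10.1/24"),
    Interface("X1:V7", "LAN", "10.10.70.1/24"),
    Interface("X1:V10", "VLAN", "10.10.100.1/24"),
    Interface("X2", "DMZ", "192.168.100.1/24"),
    Interface("X3", "LAN2", "10.10.30.1/24"),
]


def zone_of(ip: str) -> str:
    """Zone of the interface whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    for iface in INTERFACES:
        if addr in iface.network:
            return iface.zone
    raise ValueError(f"{ip} is not on a known interface network")


def interface_with_ip(ip: str):
    """The firewall interface that owns ip, or None if ip is an ordinary host."""
    addr = ipaddress.ip_address(ip)
    return next((i for i in INTERFACES if i.ip == addr), None)


def is_allowed(rules, src_ip: str, dst_ip: str, service: str = "ping"):
    """Return (allowed, reason) for traffic from src_ip to dst_ip."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # Traffic addressed to an interface IP with a management service is
    # evaluated under the stricter management rules described in the answer.
    management = interface_with_ip(dst_ip) is not None and service in MANAGEMENT_SERVICES
    if management and src_zone == dst_zone:
        return True, "management service from the same zone is allowed by default"
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone) or r.action != "allow":
            continue
        if r.dst not in ("any", dst_ip) or r.service not in ("any", service):
            continue
        if not management:
            return True, "ordinary traffic matched an allow rule"
        if r.enable_management:
            return True, "rule has 'enable management' set"
        if r.service == service and r.dst == dst_ip:
            return True, "explicit rule for this service to the interface IP"
    if management:
        return False, ("cross-zone management traffic needs 'enable management' "
                       "or an explicit service rule to the interface IP")
    return False, "no matching allow rule"


# The poster's rule pair (NET30 <-> NET10, any/any/any allow) and the two fixes.
OP_RULES = [AccessRule("LAN2", "VLAN"), AccessRule("VLAN", "LAN2")]
PING_RULE_FIX = OP_RULES + [AccessRule("LAN2", "VLAN", dst="10.10.100.1", service="ping")]
MGMT_FIX = [AccessRule("LAN2", "VLAN", enable_management=True)]

if __name__ == "__main__":
    for label, rules in [("as posted", OP_RULES), ("ping rule", PING_RULE_FIX), ("mgmt", MGMT_FIX)]:
        print(label, "10.10.30.50 -> 10.10.100.1 ping:", is_allowed(rules, "10.10.30.50", "10.10.100.1"))
    print("as posted 10.10.30.50 -> 10.10.100.50 ping:", is_allowed(OP_RULES, "10.10.30.50", "10.10.100.50"))
```

Running it shows the poster's symptom reproduced (ping to 10.10.100.1 denied while a host on 10.10.100.0/24 is reachable) and either fix from the answer turning the interface ping into an allow.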

Answers

  • CooperCooper Newbie ✭

    Thank you! It's the cross-zone with a local management interface that was the cause. I tested the same zone and it worked, moved it back and it broke. Made your changes... your answer helped! Thanks!
