SonicOS VLANs and routing questions.
Hello, first of all I say hello to the whole community, since this is my first post.
I was asked to configure a SonicWall device, so first I installed the virtual appliance to figure out what I will face.
System Information:
Model: NSv Unlicensed
Product Code: 70000
Firmware Version: SonicOS Enhanced 6.5.4.4-44v-21-1519-9f66f06d
Safemode Version: SafeMode 6.5.0.0
ROM Version: SonicROM 5.0.0.0
I configured a few things, like time zone, host name, etc.
Then I moved into the network config. DHCP for the WAN uplink, using a VMware bridge to the WAN port on my computer. Network tools say I have ping to Google, so it's OK now.
X1WAN Default LB Group
Then I moved on to the LAN, configured with a static IP:
X0 LAN 192.168.240.250 255.255.255.0 Static 10 Gbps Full Duplex Default LAN
and created a DHCP server lease scope:
Lease Detail #2
Type: Dynamic
Range Start: 192.168.240.1
Range End: 192.168.240.249
Subnet: 255.255.255.0
Enabled: Yes
Interface: X0
Default Gateway: 192.168.240.250
Now I woke up a Linux VM and made a few tests:
dhclient eth0
It provides me a dynamic IP from the FW pool, and ping to Google runs nicely.
192.168.240.243 devuan 2022-06-23 07:53:53 00:0C:29:70:57:26 VMWARE Dynamic
Well, as per the requirements I have to learn how to deal with VLANs, so I investigated here:
So, the requirements are clear. I have to deal with 3 kinds of VLAN:
LAN access + WAN access.
LAN access, no WAN access.
WAN access, no LAN access.
- Vlan 2 NO_LAN/WAN
- VLAN3 LAN/WAN
- Vlan 99 LAN/NO_WAN
I used to use Mikrotik devices, and with subnets, VLANs, some routes and FW rules I managed to accomplish that, but I'm unable to accomplish it now with SonicWall.
I created the zones and the doubts assaulted me.
VLAN 99 is a trusted zone, right? Just LAN traffic.
VLAN 2 is an untrusted one... WAN traffic.
But is VLAN 3 the trusted or untrusted kind?
I need more info about zones and the manual is not clear to me. Let's move forward:
1 LAN Trusted X0 Enabled Enabled Enabled Enabled Enabled Enabled
2 WAN Untrusted X1 Enabled Enabled Enabled Enabled Enabled
3 DMZ Public Enabled
4 VPN Encrypted
5 SSLVPN SSLVPN Enabled
6 MULTICAST Untrusted
7 Vlan 99 LAN/NO_WAN Trusted X0:V99 Enabled
8 Vlan 2 NO_LAN/WAN Public X0:V2 Enabled
9 VLAN3 LAN/WAN Trusted X0:V3 Enabled
Now I created the VLAN sub-interfaces and assigned the related zones:
X0:V2 Vlan 2 NO_LAN/WAN 192.168.207.250 255.255.255.0 Static VLAN Sub-Interface
X0:V3 VLAN3 LAN/WAN 192.168.208.250 255.255.255.0 Static VLAN Sub-Interface
X0:V99 Vlan 99 LAN/NO_WAN 192.168.211.250 255.255.255.0 Static VLAN Sub-Interface
and added a DHCP lease for it:
Dynamic Range: 192.168.207.1 - 192.168.207.249 X0:V2
Now on the Linux box I cleared the lease on eth0,
dhclient eth0 -r
added the VLAN config for the WAN link on VLAN 2,
vconfig add eth0 2
cat /proc/net/vlan/config
eth0.2 | 2 | eth0
and ran dhclient on it:
dhclient eth0.2
and it dies without a lease. I tried to statically assign the IPs 192.168.207.252 and 192.168.207.245, one inside the DHCP range and one in the subnet but outside of the range... nothing happens. No ping to the FW. Is it related to routes?
If I'm stuck making the VLANs... I can't imagine myself doing the other tasks..... o.0
Any help is always welcome
:D
PS: I really know my typing is more than ugly, but I don't use spell checkers, don't copy-paste from terminals and I don't re-read posts. Sorry in advance :D
Comments
"VLAN 99 is a trusted zone, right? Just LAN traffic.
VLAN 2 is an untrusted one... WAN traffic.
But is VLAN 3 the trusted or untrusted kind?
I need more info about zones and the manual is not clear to me"
Read up on zone-based firewall concepts. "Trusted", "Public", etc. are set around what the traffic is considered. If you have an interface dedicated to a guest network (where anyone with Wi-Fi can connect), would you consider it "trusted" traffic? I wouldn't.
VLANing in VM environments requires additional configuration in the environment. Without telling the environment about the VLANs, assigning a VLAN on the VM's NIC won't do squat (as you have discovered).
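As an added example that is not from the post or from SonicWall, the script below models the three zones the poster created and works out which explicit access rules the zone-type defaults leave missing for the LAN/WAN requirements. The Trusted/Public/Untrusted default behaviour it encodes is an assumption to verify against the SonicOS documentation, and the zone names are the ones from the post.

```python
# Added example (not the post's or SonicWall's code): model the thread's zones
# and find the explicit access rules needed on top of zone-type defaults.
# ASSUMED defaults (verify against SonicOS docs): Trusted reaches any zone,
# Public reaches Public/Untrusted only, Untrusted initiates to nothing.
DEFAULT_ALLOW = {
    "Trusted": {"Trusted", "Public", "Untrusted"},
    "Public": {"Public", "Untrusted"},
    "Untrusted": set(),
}

# Zones and security types as listed in the post.
ZONES = {
    "LAN": "Trusted",
    "WAN": "Untrusted",
    "Vlan 2 NO_LAN/WAN": "Public",
    "VLAN3 LAN/WAN": "Trusted",
    "Vlan 99 LAN/NO_WAN": "Trusted",
}

# Requirements from the post. LAN access is checked in both directions;
# WAN access only outbound (replies ride on the stateful session).
REQUIRED = {
    "Vlan 2 NO_LAN/WAN": {"LAN": False, "WAN": True},
    "VLAN3 LAN/WAN": {"LAN": True, "WAN": True},
    "Vlan 99 LAN/NO_WAN": {"LAN": True, "WAN": False},
}

def default_allows(src, dst):
    """True if zone-type defaults let src initiate traffic to dst."""
    return ZONES[dst] in DEFAULT_ALLOW[ZONES[src]]

def required_rules():
    """(src, dst, action) rules needed where the defaults contradict REQUIRED."""
    rules = []
    for vlan, wants in REQUIRED.items():
        for peer, allowed in wants.items():
            pairs = [(vlan, peer)] if peer == "WAN" else [(vlan, peer), (peer, vlan)]
            for src, dst in pairs:
                if default_allows(src, dst) != allowed:
                    rules.append((src, dst, "ALLOW" if allowed else "DENY"))
    return rules

def effective_allows(src, dst, rules):
    """Decision once the explicit rules override the defaults."""
    for rsrc, rdst, action in rules:
        if (rsrc, rdst) == (src, dst):
            return action == "ALLOW"
    return default_allows(src, dst)
```

Running `required_rules()` shows that, with these defaults, only two deny rules are missing: LAN to the VLAN 2 zone, and the VLAN 99 zone to WAN; every other requirement is already met by the zone types.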