
firewall zone connectivity issue

I have a SonicWall TZ270 firewall. I created a new DB zone, assigned an interface and created a rule to allow traffic between the LAN and DB zones. I can ping the DB interface from a machine in the LAN zone no problem. But when I try to ping a machine in the DB zone, packet monitor shows that the machine in the DB zone, instead of responding to the ping, starts an ARP request which is dropped by the firewall. Here is the message:

DROPPED, Drop Code: 61(Classical mode, ARP bridge not supported), Module Id: 47(ARP)

Did anyone experience this situation? Thanks in advance, Mike

Category: Entry Level Firewalls

Answers

  • Ajishlal Community Legend ✭✭✭✭✭
    edited July 25

    @MishkaR

    You would have to enable ARP Bridging in Diag page (Internal settings).

    When enabled, cross-interface ARP requests and their responses will always be propagated to the destination link and back to the initiating interface.

    The Diag page can be reached by typing the LAN IP of the SonicWall in the browser, followed by /sonicui/7/m/mgmt/settings/diag.

  • MishkaR Newbie ✭

    Thank you for your response. I will try your suggestion later today, but most likely it will not work. Let me tell you why. Yesterday I tried to eliminate the ARP request altogether by creating a static entry in the ARP table of my host in the DB zone. When I tried to ping it, there was no ARP request and the host attempted to respond to the ICMP query, but the response was dropped by the firewall with the statement "Guest Service dropped packet." In other words, one way or another no packet can leave the DB zone. This is clearly a SonicWall problem and I am working with support to resolve it. I will keep you posted. Thanks again, Mike

  • TKWITS Community Legend ✭✭✭✭✭

    Please provide a diagram of your setup with zone descriptors and sanitized IPs, as your description is unclear.

  • MishkaR Newbie ✭

    AJISHLAL, sorry, I could not find that setting. The only one related to ARP is Network/System/ARP, but this is simply an ARP table like on any other host. I tried searching for "arp bridging" in my TZ270 UI, but it only returned Network/System/ARP.

  • Ajishlal Community Legend ✭✭✭✭✭

    @MishkaR

    Did you log in to the SonicWall DIAG page?

  • MishkaR Newbie ✭

    Could not find it.

  • Ajishlal Community Legend ✭✭✭✭✭

    @MishkaR ,

    I mean the "IP" of your firewall. For example, if your firewall IP is 192.168.1.1, the diag page should be the same as below:

    https://192.168.1.1/sonicui/7/m/mgmt/settings/diag

  • MishkaR Newbie ✭

    TKWITS

    Very simple setup. I can ping the DB interface, which is X3, from a machine in the LAN zone no problem. When I was trying to ping a host in the DB zone, SonicWall dropped the ARP request issued by that host. I created a static ARP record in the ARP table of the host in the DB zone. Now when I try to ping that host from a machine in the LAN subnet, the ARP query has disappeared and the pinged host attempts to respond, but SonicWall drops the packet with the message "GuestService dropped the packet". In other words, one way or another packets cannot leave the DB zone. It's clearly a SonicWall problem. I will resume my communication with tech support today. I have used SonicWall for years, from the TZ100 to the TZ600, but never had such terrible problems trying to do such a simple thing.

  • MishkaR Newbie ✭

    AJISHLAL

    Got it now. ARP bridging was enabled by default. Also, the ARP query is not the issue anymore after I created a static ARP record in my pinged host. It attempts to respond to the ping query. SonicWall dropped the response packet with the message "GuestService dropped the packet". Thank you.

  • MishkaR Newbie ✭

    OK. If somebody is interested, here is the conclusion. I faced two problems. The first one is that ARP request packets could not leave the DB zone, which pretty much makes any communication with hosts inside the zone impossible. Thanks to AJISHLAL for pointing to the Enable ARP Bridge setting, but it's enabled by default. Because my network is very small (a dozen hosts) I chose a workaround: I created static records for every one of my hosts outside the DB zone in the ARP tables of the two servers in the DB zone. Those with a larger network should probably dig deeper to find what caused that. My second problem was Guest Service dropping packets. When I tried to search for "guest" in the UI, it only showed Device > Users > Guest Service settings, which has nothing to do with network traffic. It turned out that the zone properties page has a Guest Services tab, and in the case of my DB zone it was enabled by default. As soon as I disabled it, everything started to work. Thanks to everyone who tried to help me.
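    A small triage helper for the packet-monitor drop messages quoted in this thread, added here as an example (not SonicWall code and not from any poster). The hint table is taken from the thread's conclusion, the first sample line is the message quoted in the question, and the remaining sample lines and the Guest Service message format are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches the "DROPPED, Drop Code: N(reason), Module Id: M(name)" form quoted above.
DROP_RE = re.compile(
    r"Drop Code:\s*(?P<code>\d+)\((?P<reason>[^)]*)\),\s*"
    r"Module Id:\s*(?P<mod_id>\d+)\((?P<module>[^)]*)\)"
)
# Guest Service drops are quoted without a code, so match on the text instead.
GUEST_RE = re.compile(r"guest\s*service\s+dropp?ed", re.IGNORECASE)

# Remediation hints taken from the thread's conclusion, keyed by (module, code).
HINTS = {
    ("ARP", 61): "check Diag page 'ARP Bridging' (on by default) or add static ARP entries on zone hosts",
    ("GuestService", None): "disable Guest Services on the zone's properties tab",
}
@dataclass(frozen=True)
class Drop:
    code: Optional[int]
    reason: str
    module_id: Optional[int]
    module: str

def parse_drop(line: str) -> Optional[Drop]:
    """Return a Drop for a packet-monitor drop line, or None for anything else."""
    m = DROP_RE.search(line)
    if m:
        return Drop(int(m["code"]), m["reason"].strip(), int(m["mod_id"]), m["module"].strip())
    if GUEST_RE.search(line):
        return Drop(None, "Guest Service dropped packet", None, "GuestService")
    return None

def triage(lines):
    """Count drops by (module, code) and attach the thread's remediation hint."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d:
            counts[(d.module, d.code)] += 1
    return {k: (n, HINTS.get(k, "no hint in thread")) for k, n in counts.items()}

# Constructed sample export: line 1 is the thread's message, the rest are made up here.
SAMPLE = [
    "DROPPED, Drop Code: 61(Classical mode, ARP bridge not supported), Module Id: 47(ARP)",
    "DROPPED, Drop Code: 61(Classical mode, ARP bridge not supported), Module Id: 47(ARP)",
    "DROPPED: GuestService dropped the packet",
    "FORWARDED, ICMP echo reply",
]
```

    Running `triage(SAMPLE)` groups the two ARP drops and the Guest Service drop separately, each with the fix the thread arrived at.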
