Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".


IP spoof alert, NSa 5600, 6.5

I have my main LAN on the X0 and i have X11 directly connected to the core switch with a different subnet. The port on the switch is configured at access port for a vlan and the X11 on the firewall is configured with an ip address from that subnet. I have a client that is connected to the switch on that x11 subnet but i have no internet on this client. When i checked the sonicwall log, it said ip spoof alert and dropped the packet. X0 and X11 are two different subnets. The logs on the sonicwall also shows that the X11 subnet is coming from X0 as source. I dont know why this is happening. Can someone please help me. Thank you

Category: Mid Range Firewalls


  • Options
    Mr_KlaatuMr_Klaatu SonicWall Employee


    -If the Core Switch is L3 Switch then ideally the Client should have the Switch IP as the Default Gateway and Switch should have a default route to forward Internet Traffic to the X0 Interface IP of the Firewall. In this case the SonicWall should have a 'return' route policy that has the following parameters:

    Source ANY, Destination: Client Network Subnet, Service: ANY, Interface: X0, Gateway: Switch IP in the rage of X0 Subnet, Metric:1

    In the above setup the VLAN's are managed by the L3 Switch and no tagged traffic reaches the Firewall and it routes the packet to the Firewall on X0 for outgoing Internet traffic and Firewall needs the above route for the incoming Internet traffic to send it back to the client.

    -If the core switch is L2 Switch then you need to setup a port on the switch as Trunk Port and then add the client subnet as Virtual Interface on the Firewall under X0 Physical Interface with the VLAN Tag and then give the Virtual Interface IP as the default gateway of Client. You will have to add the Switch Port Link to the X0 of the Firewall as Trunk Link and with the default VLAN and Client VLAN added to the Trunk. With this configuration Firewall will act as an InterVLAN Router

    Based on the type of switch you have one of the above needs to be done. You can save a port on the Firewall and Switch (X11) with one of the above methods by not using the X11 and with just the X0. For your issue of X11 subnet traffic reaching the X0 is because you have wired the Client to a port on the Switch that is part of X0 Subnet/VLAN and not segregated, while you have another link to the Firewall on X11 forming a loop and the Firewall is receiving it on the unexpected interface thus dropping it as IP Spoof. One of the above methods based on the kind of switch you have should remove the IP Spoof packet drops and give internet access to the client.

    If the above doesn't answer your question, please feel free to  contact our Technical Support at to speak to a Technical Support Engineer who can assist you over the Phone to address your issue.

Sign In or Register to comment.