Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Different Subnet Masks for Static DHCP reservations

Quick background: I'm a noob to SonicWall, and I'm not a networking professional and don't claim to be an expert by any means, but as a software developer & engineer in the computer biz for almost 40 years, I'm not totally ignorant in that area either. I acquired a used TZ400 which I am trying to set up for my home network. We have several geeks in the household, so as home networks go, its fairly complicated.

One thing I was hoping to do with the SonicWall was to have a more sophisticated DHCP server than you would find in a typical router including having different subnet masks and possibly different gateways for the different static DHCP entries. Idea being that the network has several subnets as layers whereas many (but not all) of the devices with an IP on a certain subnet/level can get the levels below it but not the levels above and I was hoping to accomplish that thru masking.

BUT when I create static entries in SonicWall's DHCP server, it wants me to put in a mask for each entry, yet it will not accept anything other than the 'default' (?) one, the mask that is being used for that interface. (so why even ask?)

Example Entry:

Name: Jacks Desktop

IP: x.x.1.32

MAC: 48xxxxx1B

Gateway: x.x.0.1

Mask: 255.255.254.0 ***!

Click OK gives a red Error: Range and Gateway are on different subnets

Note that the mask for that interface is 255.255.240.0, and that is the only entry it will allow me to use for a static DHCP mask entry. Also note there is no "Interface Pre-Populate" checkbox as shown in the admin manual.

So...... That IP (1.32) should be able to reach that gateway (0.1) with that mask (254.0). Looking at the admin manual and DHCP specs, I see no reason that should not work. What am I missing?? Can someone suggest a workaround?

Category: Entry Level Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    shiprasahu93shiprasahu93 Moderator
    Answer ✓

    @Doctor_Wizard,

    I totally understand your concern. As mentioned by me earlier, Unfortunately, by design whether it is a static or dynamic scope we will use the subnet mask assigned on the interface regarding which this specific scope is added.

    The subnet mask can only be changed while creating a scope that is not bound to a specific interface. Example, if we are acting as DHCP server for a network behind another L3 device etc., I agree that in these situations it should not ask you fill out the subnet mask at all as it is only going to accept the default value as per the interface settings.

    The best way to get more details would be contacting support so that this can be with the back-end team for answers. As you mentioned that there are other ways to edit it for other products, I could not find anything as such for SonicWall devices. So, if any other workaround is available, support should be able to help you with the same.

    You can use the following link to contact SonicWall support.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers

  • fmadiafmadia Moderator
    Hi @Doctor_Wizard,

    Welcome in our community. What you're trying to achieve can be done but I think you may be confusing things there 😊 SonicOS will allow you to configure a DHCP entry with a default GW that is in the same subnet as the IP assigned. In order to allow communications across multiple levels/subnet, you can define static routes and access rules.
    Reason why you can't assign a DHCP entry with the default GW outside the subnet is because the host uses it to communicate outside its subnet but if the default GW is already outside the subnet, the host wouldn't be able to communicate with anything else.
    This is a L2 design limitation as the ARP can resolve MACs to IPs within the same subnet/broadcast domain.
  • Hi @Doctor_Wizard,

    As far as I understand, you are trying to perform subnetting of a larger network using the subnet mask field under DHCP server. Unfortunately, by design whether it is a static or dynamic scope we will use the subnet mask assigned on the interface regarding which this specific scope is added.

    The auto-populate option should still definitely work for static DHCP scopes. I have seen that error in the past for L2 bridged interfaces even when the right scope was added but those should have been fixed on any 6.5 firmware.

    As mentioned by @fmadia, it would be best to segregate the networks and then applying access rules with either VLANs or routed subnets to achieve communication and access privileges.

    Also, I will be moving this to 'Entry level firewalls' category for better results.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • I guess I didn't explain it very well...

    There is only one physical network, I'm only using the X0 interface, and half the network devices are using WiFi off of a single WAP. They are located throughout the house and it is not feasible to split it into separate physical networks. I believe what I wish to accomplish is "logical subnetting".

    I am trying to get the DHCP server to dynamically give out a x.x.0.z/24 address with a mask of 255.255.255.0 to any 'unrecognized' device which does not already have static lease. The exception is the gateway and DHCP server which has a static address of x.x.0.1/20 and a mask of 255.255.240.0.

    Next we have the devices which are recognized, but not particularly trusted. (Like cheap Chinese security cameras with potentially hacked firmware.) They will have static leases in the x.x.1.z/23 range with a mask of 255.255.254.0. So they are in scope and will be able to reach the gateway. There is an exception here as well, a media server with a x.x.1.7/20 address but a mask of 255.255.240.0 so it can talk to all levels of the network.

    The next level has a bit more trust, with devices getting a static lease IP of x.x.2-3.z/22 and a mask of 255.255.252.0. They can reach the gateway and the media server.

    Then another level of devices getting static leases in the x.x.4-7.z/21 range and mask of 255.255.248.0, and finally one more level of the most trusted and secure devices in the x.x.8-15.z/20 range with mask of 255.255.240.0. The higher level devices, by way of their scope & less restrictive mask can still reach the gateway and media server. (And in theory, be able to send packets to any other device on the same or lower levels- but devices on the lower levels would be unable to reply due to their more restrictive mask.)

    There's a couple other exceptions such as my sister's laptop on the .3 level subnet, but has a mask of .240 so I can remote desktop into it from my office when she is having a problem and needs tech support.

    A MAC-based VLAN might accomplish the segmentation/isolation I am trying to create, but I don't see a way to do that in SonicWall/OS. All my various "smart" (semi-managed) switches support port-based VLANs and I could assign VLAN numbers to the wired devices that way but that still doesn't take care of all the WiFi devices, not to mention [wired] equipment sometimes gets moved around and may end up on another switch or port.

    Between me and my housemates we currently have 165 computers, phones, tablets, printers, smart TVs, cameras, assistants, smart plugs, smart lights... on our network. Beside security, I also want to segment it because Windows and Linux keep installing drivers for every printer they see on the network, and connecting to every phone they see, even though it may (probably) belongs to someone else. Delete them and they come right back.

    I've looked at the official white papers & specs for DHCP and don't see any reason why this wouldn't work or not be allowed. DD-WRT router firmware appears to support it, but it can't be setup/configured/maintained thru the web UI, you have to use SSH or Telnet and upload a revised .csv database file for any change. Likewise Linux Server DHCP supposedly supports it. Want an easier to maintain solution. And if I am forced to use the default mask of the interface, why am I asked to fill it in when creating a static lease? Seems pointless.

    As I said to start, I'm not an expert on this but I have been doing my homework, so if I have overlooked something, please point it out. I'm humble enough to accept it and learn from it. Thanks!

Sign In or Register to comment.