
Problem with ip spoof

I added a second IP address to a WAN interface on the TZ 500 using the ARP table method. I created a rule to allow the flow, and I have NAT on a server, but I'm getting this error message:

DROPPED, Drop Code: 493(IP Spoof check failed recorded in module network), Module Id: 25(network), (Ref.Id: _1510_krUrqqhEjgem) 2:2)

(Locally, if I try to ping the second address, it works)

Can you please help me

Category: Mid Range Firewalls

Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    @darkmen11

    Did you create a static ARP entry for the second IP address?

  • BWC Cybersecurity Overlord ✭✭✭

    @darkmen11 is the secondary IP in the same subnet as your primary IP? If yes, you don't need a secondary IP; it can be managed with NAT only.

    If it's in a different subnet you need an additional route from ANY to the Secondary Subnet to Interface X! (or whatever it is).

    --Michael@BWC

  • darkmen11 Newbie ✭

    It's the same subnet

    I just followed this tutorial, but I have this issue: Drop Code: 493

    I added a static entry

    I added NAT:

    Original Source: Any

    Translated Source: Original

    Original Destination: WAN2

    Translated Destination: NEW SERVER

    Original Service: Any

    Translated Service: Original

    Inbound Interface: X3

    Outbound Interface: Any


    Concretely, what should I modify?

    Thank you

  • BWC Cybersecurity Overlord ✭✭✭

    @darkmen11 if X3 is your WAN interface and WAN2 holds the secondary address, I would assume that you don't need to change anything. If the rule does not get any hits from WAN then probably the CPE is not doing the ARP request?

    How does your X3 get its address assigned, PPPoE, DHCP or static?

    --Michael@BWC

  • darkmen11 Newbie ✭

    Yes, X3 is my WAN interface with one static address and the second address in the ARP table.

    It's a static address.

    I have no hits

    Thank you

  • BWC Cybersecurity Overlord ✭✭✭

    What is the subnet mask of your X3 interface? I assume you checked that the secondary is neither the network nor the broadcast address of that subnet?

    Did you do a packet monitor on X3 just for ARP to see if there are any ARP requests? If your CPE is not asking for your address it won't work.

    --Michael@BWC

  • darkmen11 Newbie ✭

    Hello,

    No, this is not a broadcast address.

    Locally, with a LAN connected to the firewall, I can ping the second address, but I cannot reach it via the internet; I get a 'dropped' message.

  • darkmen11 Newbie ✭

    And in the packet monitor the ARP packet was consumed.

  • BWC Cybersecurity Overlord ✭✭✭

    You get a drop message because of IP spoof (did you remove the static ARP entry?) or because of the Access Rule?

    --Michael@BWC

  • darkmen11 Newbie ✭

    Why do I have to delete the static ARP? It allows me to have a second IP address on my interface in the same subnet.

  • darkmen11 Newbie ✭

    Statistics for access rules = 0

  • BWC Cybersecurity Overlord ✭✭✭

    Because it's not needed, it can be accomplished with only NAT rules.

    --Michael@BWC

  • darkmen11 Newbie ✭

    So please, what's the problem?

  • darkmen11 Newbie ✭

    Source Original: Any

    Source Translated: Original

    Destination Original: Server Public

    Destination Translated: Server Private

    Service Original: Any

    Service Translated: Original

    Interface Inbound: Any

    Interface Outbound: Any

    For NAT, Traffic Statistics = 0 too

  • darkmen11 Newbie ✭

    For the LAN this rule is working:

    Source Original: Firewalled Subnets

    Source Translated: Server Public

    Destination Original: Server Public

    Destination Translated: Server Private

    Service Original: Any

    Service Translated: Original

    Interface Inbound: Any

    Interface Outbound: Any

  • BWC Cybersecurity Overlord ✭✭✭

    OK, since I don't know any of the details, take this as an example.

    X3 IP Address: 192.1.2.1
    X3 Subnet mask: 255.255.255.248
    X3 Default GW: 192.1.2.6
    

    As usual, if you wanna publish any service destined to the X3 IP you would create a NAT Rule for X3 IP translated to your internal address. The Access Rule has to be WAN to DMZ (or LAN, whatever) with Destination X3 IP.

    Now you create a new Address Object in Zone WAN called X3-2ndIP of Type Host with 192.1.2.2 as IP.

    If you wanna publish a service for that IP you create a NAT Rule with that Object as Destination Original and your internal address as Destination Translated. The Access Rule has to be WAN to DMZ (or whatever) with a Destination of X3-2ndIP.

    This is working without any additional steps, like routing, static ARPs or a secondary IP, because ARP requests coming in to the X3 interface will be answered automatically.

    As long as your CPE is sending you an ARP request this works; that's why I asked you to do a Packet Monitor for ARP.

    If your CPE does not play along, your only option would be a static route on the CPE to route 192.1.2.2 via 192.1.2.1

    --Michael@BWC
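The two checks Michael asks for above (is the secondary address a valid host in the X3 subnet, and does the CPE actually send ARP who-has requests for it) can be scripted against an ARP-only packet capture. The following is an added example and not code from the thread or from SonicWall; it uses the values from the post (192.1.2.1/255.255.255.248, gateway 192.1.2.6, secondary 192.1.2.2), and the frames it inspects are constructed inline to stand in for what a packet monitor on X3 would show. Feed it raw Ethernet frames from a real capture to get the same verdict on live traffic.

```python
"""Pre-flight checks for a secondary WAN IP in the same subnet (added example).

Values are the ones used in the thread; the ARP frames are constructed test data.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1


def check_secondary_ip(primary_ip, netmask, gateway, secondary_ip):
    """Return the reasons a candidate is NOT usable as a secondary IP (empty = fine).

    Fine means: same subnet as the interface, and not the network, broadcast,
    primary or gateway address.
    """
    iface = ipaddress.IPv4Interface(f"{primary_ip}/{netmask}")
    net = iface.network
    cand = ipaddress.IPv4Address(secondary_ip)
    problems = []
    if cand not in net:
        # Different subnet: that case needs a route to the interface, not a NAT-only setup.
        problems.append("not in the interface subnet %s" % net)
        return problems
    if cand == net.network_address:
        problems.append("is the network address")
    if cand == net.broadcast_address:
        problems.append("is the broadcast address")
    if cand == iface.ip:
        problems.append("is the primary interface IP")
    if cand == ipaddress.IPv4Address(gateway):
        problems.append("is the default gateway (CPE) address")
    return problems


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build an Ethernet + ARP who-has frame (used only to construct sample traffic)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; return None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def arp_requesters_for(frames, ip):
    """Sender IPs of every who-has request in the capture that asks for `ip`."""
    out = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REQUEST and pkt["target_ip"] == ip:
            out.append(pkt["sender_ip"])
    return out


def diagnose(frames, primary_ip, netmask, gateway, secondary_ip):
    """Say whether NAT + access rule is enough, or the CPE needs a static route."""
    problems = check_secondary_ip(primary_ip, netmask, gateway, secondary_ip)
    if problems:
        return "bad secondary IP: " + "; ".join(problems)
    if gateway in arp_requesters_for(frames, secondary_ip):
        return "CPE sends ARP requests for %s: NAT rule + WAN access rule is enough" % secondary_ip
    return ("no ARP request from CPE %s for %s seen: add a static route on the CPE, "
            "%s via %s" % (gateway, secondary_ip, secondary_ip, primary_ip))


# Constructed capture standing in for an ARP-only packet monitor on X3 (hypothetical MAC).
CPE_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_arp_request(CPE_MAC, "192.1.2.6", "192.1.2.1"),   # CPE asks for the primary IP
    build_arp_request(CPE_MAC, "192.1.2.6", "192.1.2.2"),   # CPE asks for the secondary IP
    b"\xff" * 6 + CPE_MAC + b"\x08\x00" + b"\x00" * 28,     # non-ARP frame, ignored
]

if __name__ == "__main__":
    args = ("192.1.2.1", "255.255.255.248", "192.1.2.6")
    print(diagnose(SAMPLE_FRAMES, *args, "192.1.2.2"))      # NAT + access rule is enough
    print(diagnose(SAMPLE_FRAMES[:1], *args, "192.1.2.2"))  # CPE never asked: static route
    print(diagnose(SAMPLE_FRAMES, *args, "192.1.2.7"))      # broadcast address, rejected
```

If the verdict is "static route", the NAT and access rules are still correct; the traffic never reaches X3 because the CPE has no MAC for the secondary address, which matches the zero hit counters seen in the thread.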
