

Second LAN subnet configuration

I read the KB article "how-can-i-configure-secondary-subnet-on-lan-interface-for-firewall-management-purpose/170505978271633/" but it doesn't seem to work for what I need.

I have 13 IPs coming in on one wire, IPs xx.xx.xx.90-102. 6 of them need to be recognized and routed individually to 192.168.100.x addresses (different VMs). That all works fine with Address objects, Access and NAT rules, inbound, outbound and loopback. But, I need one of them (say .98) to be routed to a 192.168.101.x address, and have that address reachable by the .100 subnet and anything on the .101 subnet able to reach the internet and the other systems on the .100 subnet.

Can someone help me with how this should be set up? Thanks.

Category: Entry Level Firewalls

Best Answer

Arkwright All-Knowing Sage ✭✭✭✭
Answer ✓

Loopback NAT is not "obvious" but once you follow the pattern in that KB article it will work, from internal.

If you cannot get the simple inbound NAT working to that IP but you can to others then I suggest you double-check everything.

Don't expect ping to a NATed IP to work if you haven't included it in the services you're NATing to it!


WBHTZ270 Newbie ✭

Well, here's what I've tried most recently (which is not working),

trying to get xx.xx.xx.98 <->

X1: WAN IPs xx.xx.xx.93-102

X0: LAN, most of the Access/NAT rules apply to this, mapping to multiple VMs

X2: LAN

Access Rules:

xx.xx.xx.98 → ANY allowed, and xx.xx.101.43 → ANY allowed

Routing rules:

101.43 →, and 101.1 → X0 IP (xx.xx.100.1)

NAT rules:

xx.xx.xx.98 → 101.43, and 101.43 → xx.xx.xx.98

I'm sure I'm missing something, but I can't find any documentation on how to do this.

Thanks for any help.

Arkwright All-Knowing Sage ✭✭✭✭

So the inbound NAT would be just the same as the .100 IPs and you should be able to get that working the same way, right?

If you want the public IP reachable from the inside, you need a loopback NAT policy:
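An added illustration, not code from this thread, the KB article or SonicWall: a small Python model of the three NAT policies the thread is about (inbound to the .98 public IP, outbound from 192.168.101.43, and the loopback policy that lets Firewalled Subnets reach the public IP), with a minimal route lookup so the outbound policy only applies to traffic leaving via X1. The public address 203.0.113.98 stands in for the thread's masked xx.xx.xx.98 and 198.51.100.7 for an arbitrary outside host; both are documentation-range addresses chosen here, the interface names X0/X1/X2 are taken from the thread, and first-match evaluation is a simplification of the real policy engine.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed stand-ins (documentation ranges) for the thread's masked addresses:
# xx.xx.xx.98 -> 203.0.113.98, and an arbitrary outside host -> 198.51.100.7.
PUBLIC_98 = ipaddress.ip_address("203.0.113.98")
SERVER_101 = ipaddress.ip_address("192.168.101.43")   # the VM behind .98, per the thread
LAN_100 = ipaddress.ip_network("192.168.100.0/24")    # X0
LAN_101 = ipaddress.ip_network("192.168.101.0/24")    # X2
FIREWALLED_SUBNETS = [LAN_100, LAN_101]               # the "Firewalled Subnets" address group
ANY = "any"

# Minimal routing table: longest prefix wins, default route points at the WAN (X1).
ROUTES = [
    (LAN_100, "X0"),
    (LAN_101, "X2"),
    (ipaddress.ip_network("0.0.0.0/0"), "X1"),
]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_iface: str                                 # interface the packet arrived on


@dataclass(frozen=True)
class NatPolicy:
    name: str
    orig_src: object                              # ANY, one host, or a list of networks
    orig_dst: object
    trans_src: Optional[ipaddress.IPv4Address]    # None keeps the original source
    trans_dst: Optional[ipaddress.IPv4Address]    # None keeps the original destination
    in_iface: str = ANY
    out_iface: str = ANY


def egress_iface(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix route lookup: which interface the firewall would send dst out of."""
    candidates = [(net, iface) for net, iface in ROUTES if dst in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def selects(selector, addr: ipaddress.IPv4Address) -> bool:
    """Address-object match: ANY, a single host, or a group of networks."""
    if selector == ANY:
        return True
    if isinstance(selector, ipaddress.IPv4Address):
        return addr == selector
    return any(addr in net for net in selector)


def apply_nat(policies, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching policy (a simplification of the real evaluation order)."""
    out_iface = egress_iface(pkt.dst)
    for pol in policies:
        if pol.in_iface not in (ANY, pkt.in_iface) or pol.out_iface not in (ANY, out_iface):
            continue
        if not (selects(pol.orig_src, pkt.src) and selects(pol.orig_dst, pkt.dst)):
            continue
        new_src = pol.trans_src if pol.trans_src is not None else pkt.src
        new_dst = pol.trans_dst if pol.trans_dst is not None else pkt.dst
        return replace(pkt, src=new_src, dst=new_dst), pol.name
    return pkt, None


# The three policies for the .98 <-> 192.168.101.43 pair. The loopback policy follows the
# pattern the thread describes: original source Firewalled Subnets, original destination the
# public IP, translated source the public IP, translated destination the private server.
INBOUND = NatPolicy("inbound", ANY, PUBLIC_98, None, SERVER_101, in_iface="X1")
LOOPBACK = NatPolicy("loopback", FIREWALLED_SUBNETS, PUBLIC_98, PUBLIC_98, SERVER_101)
OUTBOUND = NatPolicy("outbound", SERVER_101, ANY, PUBLIC_98, None, out_iface="X1")
POLICIES = [INBOUND, LOOPBACK, OUTBOUND]
WITHOUT_LOOPBACK = [INBOUND, OUTBOUND]


def nat_for(src: str, dst: str, in_iface: str, policies=POLICIES):
    """Return (translated source, translated destination, policy name or None) for one packet."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), in_iface)
    out, name = apply_nat(policies, pkt)
    return str(out.src), str(out.dst), name


if __name__ == "__main__":
    cases = [
        ("outside host -> public .98 (arrives on X1)", ("198.51.100.7", "203.0.113.98", "X1")),
        ("server -> internet (leaves via X1)", ("192.168.101.43", "198.51.100.7", "X2")),
        ("LAN .100 host -> public .98 with loopback", ("192.168.100.10", "203.0.113.98", "X0")),
        ("server -> LAN .100 host stays untranslated", ("192.168.101.43", "192.168.100.10", "X2")),
    ]
    for label, args in cases:
        print(f"{label}: {nat_for(*args)}")
    print("LAN host -> .98 without loopback:",
          nat_for("192.168.100.10", "203.0.113.98", "X0", WITHOUT_LOOPBACK))
```

The last two cases are the ones worth checking against a real configuration: traffic from the .101 server to the .100 subnet must leave untranslated, which is why the outbound policy carries an outbound-interface restriction, and without the loopback policy a LAN host's packet to the public IP matches nothing, which is the symptom described in this thread.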

WBHTZ270 Newbie ✭

Thanks @Arkwright. As far as I can tell, the inbound NAT on .98 is just like the inbound NAT on the other xx.93-102s to the .100. And I do have a loopback on the 101.43. The loopback may be wrong (I think I don't completely understand loopback); it's set up as orig: Firewalled Subnets → xx.98, translated: xx.98 → 101.43

I can't ping the 101.43 from the .100.x subnet, and I can't reach the .101.43 externally, nor reach public from 101.43.

WBHTZ270 Newbie ✭

Thank you @Arkwright for following this. I did follow the discussion in the article, had the loopback set correctly apparently, then as you suggested, double-checked everything. The one set I had not been re-checking every time were the routing rules. I found a mistake there, and now things seem to be working to the new subnet, public and private. Thank you again for your continued patience, which gave me confidence that this was all supposed to work. Regards.
