Allowing 2 different WAN interfaces to the same LAN interface
Hello,
I have 2 WAN interfaces on my TZ670, X1 and X2.
X1 is used for our primary production line. This interface acts as the gateway to the WWW for all of our LANs.
X2 is primarily used for our Wifi network so that local users on a subnet have access to it via it being the default gateway.
The issue I'm facing is getting the X2 interface to have access to a system on the X0 interface. I've created Routing Rules to allow X2 to have access to X0, but either it doesn't allow it to access it, or it somehow takes over control of the LAN interfaces and doesn't allow the X1 interface to be the gateway for them.
So, my question is, is there a way in the routing rules to allow the X2 interface to have access to a certain system on the X0 interface without it messing with the X0 interface seeing the X1 interface as its gateway?
Answers
You don't need to create any route policies in this scenario because all networks are directly connected to the firewall and routes to connected networks are created when the interface is configured.
If X2 is a WAN interface then what you probably want is a port forward, as WAN interfaces are usually NATed. Maybe a little more detail would help.
What about the X2 interface needs access to a system on X0? I assume you mean a host coming in from the internet on X2, as it doesn't make sense for the interface itself to access something.
Hey @Arkwright
What you assume is correct. A user on the X2 interface needs access to a single system.
However, looking at NAT, Access, or Routing rules, there doesn't seem to be anything causing it to not be able to just communicate with it. The only thing that I can see that might cause an issue is that X2 acts as a gateway for our wireless network. X1 isn't even suggested to be the gateway on our production network.
There's another small issue, the user who needs access to said system is gone, and there's a bunch of stuff about how his setup interacts with the network that I don't have pinned down. So, the best thing I can do for now is just allow the entire subnet that he is part of to have access to the system.
Considering no one knows how to access said system without my help, I think obscurity alone will help with security for now. When things return back to normal in a few months I can actually pin things down and make it so only his system has access.
The system I want to give access to X2 (or the 192.168.200.0 subnet on it) on X0 is 192.168.4.105. Said system itself also has 3 switches in the way that change subnets twice. It goes X0 (192.168.4.1) > (192.168.4.2 > 40.1, this is the same switch) > 40.8 > 4.105
I tried going into the routing rules to set it up so that only users on the subnet that is associated with the wireless network can access the system. But that didn't seem to work. The least it would do is not ping anything associated with the X0 LAN, and the most it would do is literally take over as the default gateway for X0 from X1, fully disrupting production; thankfully I was doing that at a time when no one was working.
If you need more information I can give more.
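To illustrate Arkwright's point that connected routes already exist for X0 and X2, and the poster's observation that a too-broad route took over as default gateway, here is an added longest-prefix-match simulation (example code, not from the thread or from SonicWall) using the addresses given above. The /24 masks, the static route for 192.168.40.0/24 via the switch at 192.168.4.2, and the X1_GW / X2_GW next-hop names are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the thread's layout (assumptions: /24 masks,
# a static route to the downstream switch, placeholder upstream gateway names).
BASE_ROUTES = [
    # (destination, next hop, egress interface, metric)
    ("192.168.4.0/24",   "connected",   "X0", 1),  # created automatically for X0
    ("192.168.200.0/24", "connected",   "X2", 1),  # created automatically for X2
    ("192.168.40.0/24",  "192.168.4.2", "X0", 1),  # assumed static route to the switch
    ("0.0.0.0/0",        "X1_GW",       "X1", 1),  # default route: X1 is the internet gateway
]

def lookup(routes, dst):
    """Longest-prefix match; ties go to the lower metric, then the earlier table entry."""
    addr = ipaddress.ip_address(dst)
    best = None
    for order, (dest, next_hop, iface, metric) in enumerate(routes):
        net = ipaddress.ip_network(dest)
        if addr in net:
            rank = (-net.prefixlen, metric, order)
            if best is None or rank < best[0]:
                best = (rank, {"dest": dest, "next_hop": next_hop, "iface": iface})
    return best[1] if best else None

def egress(routes, dst):
    """Interface a packet to dst leaves on, or None if nothing matches."""
    route = lookup(routes, dst)
    return route["iface"] if route else None

def with_policy_route(routes, dest, next_hop, iface):
    """Copy of the table with a policy route evaluated ahead of everything else."""
    return [(dest, next_hop, iface, 1)] + list(routes)

if __name__ == "__main__":
    # With only the automatic routes, X2 clients already resolve the X0 host via X0,
    # and internet-bound traffic still leaves via X1.
    print(egress(BASE_ROUTES, "192.168.4.105"))  # X0
    print(egress(BASE_ROUTES, "192.168.40.8"))   # X0, next hop 192.168.4.2
    print(egress(BASE_ROUTES, "8.8.8.8"))        # X1
    # A policy route with destination "any" (0.0.0.0/0) via X2 ties the default route
    # on prefix length and wins on precedence: every LAN now exits through X2.
    broad = with_policy_route(BASE_ROUTES, "0.0.0.0/0", "X2_GW", "X2")
    print(egress(broad, "8.8.8.8"))              # X2: production traffic hijacked
    print(egress(broad, "192.168.4.105"))        # X0: the connected /24 still wins
```

The takeaway matches the answer above: reaching 192.168.4.105 from the X2 subnet needs no route policy, and any policy route whose destination is wider than the target host or subnet risks displacing the X1 default route.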
I think you have the use of Zones wrong
You talk about X1 and X2 as WAN zones, and one is connected for wireless?? "X2 (or the subnet on it, the 192.168.200.0 subnet)..."
WAN zones connect to the internet, i.e. it routes all traffic that is not pre-defined by routing rules or interface connectivity.
How do zones work in SonicOS? | SonicWall
Hey @MarkD,
This is how the zones are set up on my machine.
By my current understanding, X1 and X2 should both have access to X0. But in routing rules, X2 is defined as the gateway for the .200.0 subnet. This way traffic from it can't access the rest of the network. But from what I can tell, there is nothing that stops the X2 port from accessing… or the X0 port from accessing the X2 port. But if I go into Diagnostics and try to ping X0 with X2, it doesn't respond.
So something in the router isn't allowing them to talk to each other.