Setting up TZ400 with DMZ and 2 networks
Hello all,
This is my first post on the forums so I apologize if my question seems elementary. I work for a small organization that recently purchased a TZ400. I've worked with Cisco products in the past, but was by no means an expert. I currently have my TZ400 set up with a 10mb WAN connection coming into the X1 interface and I have my LAN on the X0 like normal. I have a completely separate circuit coming in from our local telco provider that is a 100mb connection. I know this seems backwards but right now our business network is using the 10mb connection on the TZ400, and the public guest network is set up on the 100mb connection on its own router. Right now I have a simple Wi-Fi setup in the organization where the 100mb circuit goes into its own router, it has its own switch and its own APs through the building. This was my only guaranteed way to prevent anything from the guest network coming into the business network and messing things up before, since anyone from the public could come join the guest network.
Now that I have a SonicWALL I've heard about setting up zones and DMZs and would like to ask the best approach for my problem. I would like to have both the 10mb and 100mb WAN connections coming into the SonicWALL. I would like to have my business (secure) network on one interface and my guest network on a separate interface and make it so that neither communicates with the other. I would like to still be able to provide protection to both networks using my SonicWALL services that were set up like IPS and the things in Capture Security. I would also like to have a zone for the copiers and printers in the building so that all devices on the business and guest network could print to those, but in no way could something from the guest network bleed over into the business side of things via a printer. I was told this would be set up like a DMZ. That's really the only thing I would like to know about (as far as how to approach and set this up). I've been watching videos on YouTube about setting up the DMZ and having two different networks, but I figured this would be the best place to ask.
One more question. I have a CCTV network at my location. Right now it's completely offline. There is a server running Server 2008R2 and currently the company will not pay for an upgrade, and 2008 is no longer supported. I took the server offline to prevent anything from happening to it since it can no longer be secured and patched. Would it be safe to have the CCTV equipment on an interface by itself so that other devices in the facility could see the CCTV cameras, or would you all recommend keeping it offline? Right now there is a server and 1 viewer station for security. Some of the supervisors have expressed wanting to see the cameras, but I've told them I'm not crossing the networks for security purposes. Just wondering how you would approach that given the CCTV equipment can't be upgraded.
Thanks everyone!
Best Answers
shiprasahu93 Moderator
Hello @Twizz728,
Welcome to SonicWall community.
I appreciate you being so descriptive and letting us know the exact requirement.
Yes, you can certainly place the guest wireless on a DMZ zone and have no connectivity between LAN and DMZ using access rules. Just FYI, you can achieve this for any other zones as well including custom zones that you can add yourself. We can do that with the help of access rules as depicted in the KB below.
Now, since you mentioned that there is a 100 Mb connection for wireless devices, you can terminate that on the SonicWall and the firewall can have two WANs acting as a backup or you can create static routes for the LAN to go out on 10 Mb line and the wireless on 100 Mb line as you have at the moment.
Yes, you can set up either a separate zone or just have the printers on LAN and provide access to specific IP addresses using access rules.
There are multiple ways that you can provide access to the CCTV network:
1) Port forwarding so that it can be accessed using the WAN IP address
2) Establish Client VPN connection and then provide access.
For security reasons, if you would like, you can keep that network separate and isolated and once it is all patched and upgraded you can bring it back on LAN.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
5
shiprasahu93 Moderator
Yes, you are right. SonicWall can take care of the routing. Just assign a 192.168.100.1 IP on the X6 interface and that should be used as the default gateway for the wireless devices. You can enable DHCP on the SonicWall for that interface and it can assign IP addresses with the X6 IP as the default gateway.
I hope that answers your question.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
5
shiprasahu93 Moderator
Here are two things that I would check:
1) WLAN zone on the firewall is used for SonicWall access points: SonicPoint and SonicWAVEs. So, please check if this check box is enabled on the WLAN zone under MANAGE | Network | Zones tab. Click on configure for WLAN zone and navigate to Wireless tab and look for 'Only allow traffic generated by a SonicPoint/SonicWave'.
If yes, please disable it and then test. Or choose a different custom zone for X6 interface and not the built-in WLAN.
2) If you have internal DNS servers on LAN and use them for X0 subnet, please make sure that the DHCP scope for X6 interface is not using those internal DNS servers as by default WLAN will not have access to LAN.
You can change that from MANAGE | Network | DHCP server. Click on the configure option for X6 DHCP scope and navigate to DNS/WINS tab. Use global DNS servers like 8.8.8.8 and 8.8.4.4.
Also, please check if you are able to ping to 8.8.8.8 while on wireless which can tell if the problem is with DNS or not.
If those do not help, we would need to perform a packet capture on the firewall and see what could be the issue.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
5
Answers
Hello @SHIPRASAHU93
I am currently trying to set up the Wireless interface on the SonicWALL. I have a switch connected to the interface (X6) and a host connected to that switch. The default subnet on my LAN is the typical 192.168.1.1 but on the Wireless I wanted to make it 192.168.100.1. Does there need to be a router connected to the interface on X6 since the IP address is different? I didn't figure this to be the case. I just assumed the SonicWALL handled all the routing between interfaces but wanted to make sure first.
Thanks!
Hello @SHIPRASAHU93
Another quick question. What I have run into right now is, I have my (X6) interface set up as Wireless or WLAN with the IP address of (192.168.100.1). I have a switch connected to that interface with an IP address of (192.168.100.2). I have several computers and a couple of wireless APs connected to the switch. None of the devices can currently connect to the WAN. The permissions for the WLAN and Wireless zones are set to allow access, but for some reason nothing on that interface can get out to the internet. Is there anything else that needs to be configured before access would be allowed?
X6 Interface IP (192.168.100.1) Zone is set to WLAN which allows for WLAN to DMZ, VPN, WAN, Wireless, WLAN. It denies access to LAN only (Which is where I have my secure devices.)
Thanks in advance and you've already been a big help!
Currently I have 2 WAN interfaces. I have a LAN interface and a Guest interface. The LAN and Guest don't touch. The LAN uses the 192.168.100.1 scope and the Guest uses the 192.168.200.1 scope. I want to put 2 network printers in the DMZ so that the LAN and Guest networks can print. I'm wanting it setup this way so that nothing from the Guest network can bleed over into the LAN.
Would I need to put a small router on the interface for the DMZ and hook the printers into that? Also what IP range would I use so that both interfaces could communicate with the DMZ?
Thanks!
@Twizz728,
The SonicWall can make routing decisions, so no additional router is required. You can either plug the printers directly into the firewall or use a small switch for multiple devices if they need to terminate on the same interface.
The IP scheme needs to be separate for this interface and you would need to add access rules from LAN/Guest to DMZ and vice versa to provide access to the printers from both of them.
Without any access rule from LAN to Guest and vice versa, those two networks will still stay isolated from each other.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
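An added example to go with the zone and access-rule discussion in this thread (this is not SonicWall code and not code posted by anyone in the thread): a small Python model of the layout that checks, before anything is typed into the firewall, which flows the rule set permits. It covers the printer-in-DMZ layout from the last question and the DHCP DNS point from the earlier troubleshooting answer. The LAN and Guest subnets are the ones given in the last question; the DMZ living on X2 with 192.168.50.0/24, the printer addresses 192.168.50.10 and .11, and the sample host addresses are assumptions. The rule semantics mirror a stateful zone firewall in general terms, not any SonicOS API: the first rule matching the zone pair and destination wins, no match is deny, and replies to an allowed connection ride the state table, so a rule in the initiating direction is all a print job needs.

```python
# Added example (not SonicWall code, not from the thread): a plain-data model
# of interfaces, zones and zone-to-zone access rules, evaluated the way a
# stateful zone firewall does, so a layout can be checked before it is typed
# into the firewall.  Assumed: X2 carries the DMZ on 192.168.50.0/24, the
# printers are 192.168.50.10/.11, and the sample host addresses are made up.
import ipaddress
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str          # "allow" or "deny"
    dst: str = "any"     # destination host/subnet the rule covers, or "any"

# Interface -> (zone, subnet). LAN/GUEST subnets are the thread's final layout.
INTERFACES = {
    "X0": ("LAN", "192.168.100.0/24"),
    "X6": ("GUEST", "192.168.200.0/24"),
    "X2": ("DMZ", "192.168.50.0/24"),       # assumed
}
PRINTERS = ["192.168.50.10", "192.168.50.11"]   # assumed

def zone_of(ip):
    """Zone of the interface subnet the address sits on; no match means WAN."""
    addr = ipaddress.ip_address(ip)
    for zone, net in INTERFACES.values():
        if addr in ipaddress.ip_network(net):
            return zone
    return "WAN"

def allowed(rules, src_ip, dst_ip):
    """Can src_ip open a connection to dst_ip?  First rule matching the zone
    pair and destination wins; no match is deny.  Only the initiating
    direction is checked: replies ride the state table, no reverse rule."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) != pair:
            continue
        if r.dst == "any" or dst in ipaddress.ip_network(r.dst):
            return r.action == "allow"
    return False

def transit_paths(rules, src_zone, dst_zone):
    """Zone chains along which a host in each intermediate zone (a printer in
    DMZ, say) could relay a connection from src_zone into dst_zone."""
    graph = {}
    for r in rules:
        if r.action == "allow":
            graph.setdefault(r.src_zone, set()).add(r.dst_zone)
    paths, queue = [], deque([[src_zone]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in path:
                continue
            (paths if nxt == dst_zone else queue).append(path + [nxt])
    return paths

def dhcp_dns_reachable(rules, client_ip, dns_servers):
    """Which DNS servers a DHCP scope hands out can the client actually reach?
    Catches a GUEST scope pointing at the internal LAN DNS server."""
    return {d: allowed(rules, client_ip, d) for d in dns_servers}

# Printers opened per host, not the whole DMZ subnet.
PRINTER_RULES = [Rule(z, "DMZ", "allow", f"{p}/32")
                 for z in ("LAN", "GUEST") for p in PRINTERS]
POLICY = [Rule("LAN", "WAN", "allow"), Rule("GUEST", "WAN", "allow")] + PRINTER_RULES
# "Vice versa" variant: DMZ may also initiate connections into LAN and GUEST.
POLICY_WITH_RETURN_RULES = POLICY + [Rule("DMZ", "LAN", "allow"),
                                     Rule("DMZ", "GUEST", "allow")]

def audit(rules):
    lan, guest = "192.168.100.20", "192.168.200.20"   # sample hosts, made up
    return {
        "lan_prints": allowed(rules, lan, PRINTERS[0]),
        "guest_prints": allowed(rules, guest, PRINTERS[1]),
        "guest_to_lan": allowed(rules, guest, lan),
        "lan_to_guest": allowed(rules, lan, guest),
        "guest_to_other_dmz_host": allowed(rules, guest, "192.168.50.99"),
        "guest_to_lan_via_dmz": transit_paths(rules, "GUEST", "LAN"),
    }

if __name__ == "__main__":
    for label, pol in (("stateful only", POLICY),
                       ("with DMZ return rules", POLICY_WITH_RETURN_RULES)):
        print(label, audit(pol))
    print(dhcp_dns_reachable(POLICY, "192.168.200.20", ["192.168.100.5", "8.8.8.8"]))
```

Two things the model makes visible. With only the LAN-to-DMZ and GUEST-to-DMZ allow rules, both networks can print, neither can reach the other, and a guest host cannot reach any DMZ address other than the printers. Add "vice versa" allow rules that let DMZ initiate into LAN and GUEST and transit_paths reports the chain GUEST -> DMZ -> LAN: a compromised printer then has a route into the business network, which is the bleed-over the question is trying to rule out, so if the printers only ever answer print jobs, leave the reverse rules out and let the state table carry the replies. The dhcp_dns_reachable check is the earlier answer's DNS point in code: a GUEST scope handing out the LAN DNS server (192.168.100.5 here, assumed) gives clients a resolver they are not allowed to reach, while 8.8.8.8 passes.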