Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Need help understanding Access Rules Source and Destination Addresses

This is something I should probably understand by now. I have a TZ400 with OS v6.5.4.11. When creating an access rule, I've always thought the Source and Destination addresses had to be within the respective From and To Zones. For example, if the From/To zones were both LAN, then both the Source and Destination addresses should be located in the LAN zones.

One of my rules is from LAN to LAN, source ANY (any address in the LAN zone) and destination is the X1 Public IP. The X1 IP is in the WAN zone, yet the rule passes traffic. I do have a loopback NAT policy defined to translate the source address to my public IP, and the destination address translates to a private server IP on my network. So, now it would appear the traffic goes from LAN to WAN and then looped back to LAN. Is it because of this loopback policy that the Access Rule considers this going from LAN to LAN, and the traffic never really goes through the WAN zone? If this is the case, could my rule be from LAN to LAN, with source ANY and destination set as my private server IP?

Category: Entry Level Firewalls
Reply

Answers

  • Thanks Mitatonge. I've looked at many kbs and searched for help on this specific topic. Maybe its just not explained in a way I understand. I've always thought the From/To Zones are related to the Source/Destination addresses.

    For example, if the rule is (From: LAN, To: LAN, Source: Any, Destination: Public IP), I read this as "For traffic moving from Any address in the LAN zone, to the Public Server IP in the LAN zone". Except, the Public Server IP is in the WAN zone, so I'm obviously reading it wrong.

    I have a working set of rules and NAT policies, I'm just trying to better understand how they work. To add more confusion, here are two contradicting examples from SonicWall for creating access rules for loopback nat policies:

    https://www.sonicwall.com/support/knowledge-base/access-a-server-behind-the-sonicwall-from-internal-networks-using-public-ips-loopback-nat/170505780814635/

    The kb article shows creating a rule from LAN to DMZ (or whatever zone the private server is in).


    https://www.sonicwall.com/support/video-tutorials/how-to-configure-loopback-nat-policy/5418175369001/

    The video shows creating a rule from WAN to LAN. This works for traffic coming from anywhere in the WAN, but not the loopback. 


    Maybe I'm overthinking this. What am I missing?

  • prestonpreston All-Knowing Sage ✭✭✭✭
    edited December 2022

    Hi @attaincraig, by the sounds of it your original rule looks like it was created using the Public Server wizard which automatically creates the Loopback NAT rule,

    it would then create the Firewall rules at the same time for the loopback to work ( it will do this for all Zones to the LAN that have an Interface assigned to them at the time of running the wizard ) so for example if you are running an Exchange sever on the LAN and run the Public Server Wizard and choose HTTPS / SMTP as the services, then all internal traffic from the LAN zone would be able to access Activesync and OWA via the Public address,


    if then two months later you decide to set up another Interface for the WLAN (using a SonicPoint) then users who connect to this network then try to connect to ActiveSync or OWA it will not work as the Interface has been added after the Wizard was run, so in this case you would need to create a rule from WLAN to LAN - for HTTPS - with the Destination of the Public IP used in the original Rule,

    you won't need to change the NAT loopback rule as the WLAN subnet is included in the default Firewalled Subnets Address group

    Just to mention if you want this to work from all Zones to the LAN ( not recommended it is more secure to add seperately) then you could Select All Zones from the Drop Down menu to LAN and us the same destination and services it will then create rules from every Zone to the LAN for that service and destination, it will also ignore any already created rules that exist.

    just to also mention regarding loopback rules in the later versions of firmware these aren't needed as there is an option on the NAT Policy called Enable DNS Doctoring which should do the same but via the dns request

  • Thank you @preston . Not exactly the information I was looking for, but the DNS Doctoring is something I will look into. Sonicwall doesn't seem to provide much information about it in their docs.

    The questions I'm trying to find out are, what is the relationship between the To/From Zones and the Source/Destination addresses in the Access Rules, and why do the zones not always match the destination addresses? I think I've come up with a simple answer. The Zones are from the point of view of the receiver. The source/destination addresses are from the point of view of the sender, and are always the sender's source and destination addresses.

    The From Zone is always the zone where the traffic is originating from. If its outgoing, its probably the LAN. If its incoming, its probably WAN or Any.

    The To Zone is where the traffic is expected to end up, or NOT end up if the rule is set to deny traffic. If a NAT policy translates the destination address, use the zone of the translated destination address.

    Does this seem accurate?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    "what is the relationship between the To/From Zones and the Source/Destination addresses in the Access Rules, and why do the zones not always match the destination addresses?"

    Your thoughts are mostly accurate. Generally they match, but when a translation is applied (NAT), like you said, you must use the zone the translation is set to.

    Here is a Cisco article that has additional concepts.


Sign In or Register to comment.