
WIFI Access Points in the DMZ Zone for LAN protection

I have the WIFI APs all in the DMZ zone to protect the internal LAN. The IPs the DHCP server is assigning are of course on a different subnet than the LAN. Now I am being asked 2 things: they want the ability to ping other devices on the WIFI (WIFI printer and laptops) as well as be able to print to the wireless card (on the WIFI network). LAN is 192.168.168.x and WIFI/DMZ is 192.168.25.0

I thought I allowed ICMP, but it is not working.

Category: Entry Level Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    What do your DMZ to LAN access rules look like? Hard to help troubleshoot when we don't know the config...

  • Ron_DDC Newbie ✭

    There is only one, and that is a deny ANY ANY.

    Why would that make a difference if we want to be able to ping from a device on the WIFI/DMZ to another device on the WIFI/DMZ? Also, the WIFI printer card is on the WIFI/DMZ.

  • Ajishlal Community Legend ✭✭✭✭✭

    @Ron_DDC

    Hi,

    If you want to allow PING from DMZ to LAN, you would have to create an access rule allowing the PING service between those zones, and the created rule should be above the Deny ANY ANY rule.

  • Arkwright All-Knowing Sage ✭✭✭✭

    What APs are you using? Do you have client-client isolation enabled?

    If they're not SonicWall APs, then client-to-client traffic is not going to go through the firewall.

    If they are SonicWall APs, I am not sure.

  • Ron_DDC Newbie ✭

    I want to be able to ping from a device in the DMZ to a device in the DMZ, not from the DMZ to the LAN and vice versa.

  • TKWITS Community Legend ✭✭✭✭✭

    @Arkwright had the right question: are the APs doing client isolation?

    The wording in your original post seemed to me to imply you wanted LAN to DMZ connectivity, thus my question.

  • Hello Ron.

    To help you, I'll need to know what types of APs you are using. Are they SonicWALL?

    SonicWALL firewalls use the idea of network zones. Zones are, conceptually, "security areas".

    DMZ is a security zone used for hosted systems that will be exposed to the Internet, such as Web or E-mail servers. It was not planned for wireless users, nor was it planned to allow LAN <-> Wireless traffic. So, you do not need to put your APs in the DMZ zone to be more secure. In fact, depending on your network configuration, it may create a very complex scenario.

    I most commonly use the following configuration:

    1. Use professional APs that allow me to use VLANs (Ubiquiti or SonicWALL are good examples)
    2. Create zones based on user profile (common users, managers, company visitors, for example)
    3. Create Virtual Interfaces for the corresponding VLANs and assign them to these newly created zones
    4. Assign IP addresses accordingly
    5. Create firewall rules to control traffic between these zones

    This way DMZ will be used more effectively to protect exposed servers and wireless users will have more consistent rules applied for LAN integration.

    Remember: IoT traffic will be more commonly used as you increase your wireless infrastructure. So, you may need to use best practices for your wireless traffic. Don't forget to use IP Helpers as needed.

    Best regards!
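Two points in this thread are easy to model: an access rule only takes effect if it sits above the deny ANY ANY in a first-match rule base, and traffic between two clients on the same WIFI/DMZ subnet never reaches the firewall at all, so the AP's client-isolation setting decides it. The following Python is an added illustration, not code from any poster or from SonicWall; the zone names, rule dictionaries and host addresses (within the LAN and WIFI/DMZ subnets given in the question) are constructed for the example.

```python
import ipaddress

# Constructed zone-to-subnet mapping using the subnets named in the thread.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.168.0/24"),
    "DMZ": ipaddress.ip_network("192.168.25.0/24"),
}

def zone_of(ip):
    """Return the zone whose interface subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(rules, src_ip, dst_ip, service):
    """Return 'not-traversed', 'allow' or 'deny' for one flow.

    Same-zone traffic (e.g. WIFI client to WIFI printer) is switched by the
    AP or switch and never hits the firewall's access rules; only the AP's
    client-isolation setting can block it. Inter-zone traffic is matched
    top-down and the first matching rule wins, so an allow placed below a
    deny ANY ANY is never reached.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"
    if src_zone == dst_zone:
        return "not-traversed"
    for rule in rules:
        if (rule["from"] in (src_zone, "ANY") and rule["to"] in (dst_zone, "ANY")
                and rule["service"] in (service, "ANY")):
            return rule["action"]
    return "deny"  # implicit default when no rule matches

# The poster's current DMZ -> LAN rule base: only a deny ANY ANY.
DENY_ONLY = [{"from": "DMZ", "to": "LAN", "service": "ANY", "action": "deny"}]
# A PING allow added below the deny is shadowed; the same rule above it works.
PING_BELOW = DENY_ONLY + [{"from": "DMZ", "to": "LAN", "service": "PING", "action": "allow"}]
PING_ABOVE = PING_BELOW[::-1]

if __name__ == "__main__":
    cases = [("deny only", DENY_ONLY), ("ping below deny", PING_BELOW), ("ping above deny", PING_ABOVE)]
    for label, rules in cases:
        print(label, "DMZ->LAN ping:", evaluate(rules, "192.168.25.10", "192.168.168.5", "PING"))
    print("DMZ->DMZ ping:", evaluate(DENY_ONLY, "192.168.25.10", "192.168.25.20", "PING"))
```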
