Several IPv4 addresses on single physical WAN interface from same WAN subnet

Hello! Trying to configure this on my NSa 4700 with latest firmware. My provider assigned this WAN subnet as my WAN: 70.100.20.0/24.

70.100.20.1 - is provider gateway for my WAN hosts.

70.100.20.2 - IP address of my SonicWall port X1 - default WAN.

192.168.1.1 - X0 Default LAN interface of my SonicWall.

In my LAN several servers that must be published: 192.168.1.12, 192.168.1.13, 192.168.1.14.

On my old Juniper firewall I used VIP and MIP to map WAN addresses to LAN addresses.

I need to map it same way: 70.100.20.12 => 192.168.1.12, 70.100.20.13 => 192.168.1.13 and 70.100.20.14 => 192.168.1.14.

And at this point I found that this is a non-trivial problem for SonicWall. I used the "Publish Server Wizard" - it's not working: NAT rules created, access rules created, and nothing passes through them. Then I tried this guide https://www.sonicwall.com/support/knowledge-base/configuring-multiple-wan-subnets-using-static-arp-with-sonicos-enhanced/170503911164326/ and found that it is not applicable for me; it loses its meaning in the part "Creating a Static Route" - looks like there's a mistake there, because the configuration for 7.* and 6.* does not correspond at all: for 7 they ask to create a "Match object" - I have no idea why. I tried to create the route and ARP entry using the guideline for 6.* and this is not working.

Any idea?

Thank you!

Category: Mid Range Firewalls

Answers

  • Bbialy Newbie ✭
    You are doing it very similarly.
    You have to make a firewall ACL WAN -> DMZ/LAN
    Like:
    From any
    To 70.100.20.14
    Service (up to you)
    Allow

    Then NAT
    Source any (or not? If you have white list for the service)
    Translated original
    Dest 70.100.20.14
    Translated 192.168.1.14
    Service any/specific (best practice to correspond to ACL.)

    This is only assuming that you have X1 configured with 70.100.20.0/24. If you have another setup, let me know.
  • Your steps are useless because there's nothing about 70.100.20.14 - how will it listen on X1? Besides, I already checked these settings without success.
  • BWC Cybersecurity Overlord ✭✭✭

    @artyomtsybulkin you're listed as a partner and probably should know basic stuff like this already; labeling the reply from @Bbialy as useless isn't a helpful thing to do. I would call it rude, and it might reduce the chance that somebody else is willing to help.

    The way @Bbialy described it is IMHO correct, because the SNWL will answer the ARP request on X1 for 70.100.20.14 when asked from 70.100.20.1 with that NAT rule. I did this plenty of times when the ISP really is providing a subnet and the CPE is doing the ARP requests. IMHO in your case the static ARP entries are not needed.

    You might start a Packet Monitor on X1 to see what is going on. You could start with just sniffing for ARP requests on X1 or look for specific traffic destined to 70.100.20.14. Also check with the Event Log if anything is logged in there.

    Just make sure that your Access Rule from Zone WAN to Zone LAN (or DMZ, ...) has the official IP as Destination, because it's checked against the original address and not the translated one.

    --Michael@BWC
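As an added illustration of the two points made in this reply (the WAN-to-LAN access rule must name the original public address because it is checked before translation, and plain NAT only gets the firewall to answer ARP when that address sits inside the X1 subnet), here is a small Python model of that evaluation order. It is not SonicOS code and not from anyone in the thread; the rule tables, the extra 203.0.113.10 policy and the deliberately wrong rule for .14 are constructed.

```python
import ipaddress

# Constructed sample modelled on the thread: X1 is in 70.100.20.0/24 and the
# published servers sit behind X0 on 192.168.1.0/24.  This only models the
# order of checks described in the thread, not SonicOS internals.
X1_SUBNET = ipaddress.ip_network("70.100.20.0/24")

# Inbound one-to-one NAT policies: original destination -> translated destination.
# The last entry is outside the X1 subnet to show the case where NAT alone is
# not enough and the KB article's static ARP/route setup would be needed.
NAT_POLICIES = [
    {"orig_dst": "70.100.20.12", "xlat_dst": "192.168.1.12", "service": "HTTPS"},
    {"orig_dst": "70.100.20.13", "xlat_dst": "192.168.1.13", "service": "HTTPS"},
    {"orig_dst": "70.100.20.14", "xlat_dst": "192.168.1.14", "service": "SSH"},
    {"orig_dst": "203.0.113.10", "xlat_dst": "192.168.1.15", "service": "HTTPS"},
]

# WAN -> LAN access rules.  The rule for .14 is deliberately wrong: it names the
# private (translated) address, which never matches because access rules are
# checked against the original destination.
ACCESS_RULES = [
    {"dst": "70.100.20.12", "service": "HTTPS", "action": "allow"},
    {"dst": "70.100.20.13", "service": "Any", "action": "allow"},
    {"dst": "192.168.1.14", "service": "SSH", "action": "allow"},
]

def access_rule_allows(dst, service, rules=ACCESS_RULES):
    """Access rules see the ORIGINAL destination, so look them up with it."""
    return any(r["dst"] == dst and r["service"] in (service, "Any")
               and r["action"] == "allow" for r in rules)

def inbound_target(dst, service, nat=NAT_POLICIES, wan_subnet=X1_SUBNET):
    """Model an inbound packet to dst/service: return (LAN host, "ok") when it
    would be delivered, or (None, reason) when it is dropped."""
    if ipaddress.ip_address(dst) not in wan_subnet:
        return None, "outside X1 subnet: firewall will not answer ARP for it"
    policy = next((p for p in nat if p["orig_dst"] == dst
                   and p["service"] == service), None)
    if policy is None:
        return None, "no NAT policy for the original destination"
    if not access_rule_allows(dst, service):
        return None, "no access rule matching the original destination"
    return policy["xlat_dst"], "ok"

def lint_published_servers(nat=NAT_POLICIES):
    """Run every published address through the model; return the failures."""
    findings = {}
    for p in nat:
        target, reason = inbound_target(p["orig_dst"], p["service"], nat)
        if target is None:
            findings[p["orig_dst"]] = reason
    return findings

if __name__ == "__main__":
    for ip, reason in lint_published_servers().items():
        print(f"{ip}: {reason}")
```

Running it reports .14 (rule written against the translated address) and 203.0.113.10 (outside the X1 subnet) as the two publications that would silently fail.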
