Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Bridge Mode or Similar

dshipleydshipley Newbie ✭
in Entry Level Firewalls

At my Office, we have a TZ 570. Out ISP is Spectrum Enterprise, where we have dedicated Fiber. This comes into an ADVA where they will only activate one port to be used for WAN. This currently goes into X1 on the TZ 570.

We setup networks for our clients. And I like to test everything internally before deployment. I would like to have them online when doing so. If I connect downstream from our TZ570, I will end up with double NAT, a firewall in front of a firewall, etc. Short of installing a switching between the ADVA and the TZ570, for purposes of connection sharing, is there a configuration I can do in the TZ570? I want the secondary router to have its own static IP config as we have a block of 5 to use.

I tried NativeBridgeMode but my network went down when I did that. I used X5 for the 2nd, and bridged it to X1, the WAN. TIA

Category: Entry Level Firewalls
Reply

Answers

  • Mr_KlaatuMr_Klaatu SonicWall Employee

    There are 3 ways of doing what you want if your block of 5 IP's is in the same subnet (contiguous or non-contiguous). For example, 5.5.5.0/29 or 5.5.5.0/255.255.255.248 gives a block of 5 IP's (5.5.5.1, .2, .3, .4, .5) and a DG Default Gateway (.6) for host addressing. In this example IP: 5.5.5.1 SM: 255.255.255.248 and DG: 5.5.5.6 is already assigned to the Tz570 X1 WAN Interface. All the below listed ways/modes are 'No NAT' methods where Firewall will not auto add NAT Policies and the hosts (a PC or a Router or another Firewall) are expected to have the Public IP from the rest of the block keyed in direct on their Network Card IPv4 Properties or the respective interface that is connecting to the X5 of the Tz570.

    1. Transparent IP Mode (Splice L3 Subnet): This is the least intrusive method where X5 (any Zone LAN, DMZ, Custom Zone but with Trusted or Public Security Type can be applied) can be configured to attach itself to X1 WAN to become a 'bridge' sharing the same L3 address space without changing the default Proxy ARP behavior (Firewall X1 and X5 MAC becomes the same and all hosts behind X0 LAN and X5 Interface will be represented with the X1 MAC to the outside world on the WAN-ISP side). This requires the unused block of IP's all or a few of them to be configured as an 'address range' to be applied to the Interface X5 during configuration. The Host/Hosts that are connecting to the X5 directly as single device or via a switch as multiple hosts at the same time must be configured with the rest of the IP Block directly, like IP:5.5.5.2/SM:255.255.255.248/DG:5.5.5.6, IP:5.5.5.3/SM:255.255.255.248/DG:5.5.5.6 etc. The caveat with this Mode is that any interface that you are choosing (here X5, or X6, X7 etc.) will only attach itself to X1 WAN and always with X1 WAN retaining the Proxy ARP feature of the NAT Mode but without any NAT (due to the absence or NAT Policies as it's no longer needed for the Hosts connecting to X5) giving the host the sense of connecting to ISP directly despite Tz570 being in the Middle (still applying all security policies Access Rules, Security Services etc.)
    2. L2 Bridge Mode: This is a step up to the Transparent Mode, where the restriction of attaching only to X1 WAN is removed and the 'bridging' feature is extended to any two-interface combinations forming a L2 Bridge Mode Pair. In your case if you choose X5 to be in L2 Bridge Mode with X1, then X1 becomes the Primary and X5 becomes the Secondary of the pair. However, with L2B Mode the Proxy ARP behavior is supplanted with Native ARP behavior where the hosts connected to X5 interface will be presented with their own MAC to the outside world on the WAN-ISP side. But the Bridge Pair becomes a fully learning Bridge. Another caveat is that the feature allows only 'Pairs' to exist and X5 cannot be L2B Mode paired with another interface like X2 unless it's detached from the Primary pair X1. Like Transparent IP Mode Hosts on X5 can exist with the same IP scheme as described above without any NAT (due to the absence or NAT Policies as it's no longer needed for the Hosts connecting to X5) giving the host the sense of connecting to ISP directly despite Tz570 being in the Middle (still applying all security policies Access Rules, Security Services etc.)
    3. Native Bridge Mode: This is again a step up to the L2B Mode, where multiple interfaces can be attached to X1 and but can now accommodate LAN, DMZ, WLAN and Custom Zones. Like L2B Mode on X5 can exist with the same IP scheme as described above without any NAT (due to the absence or NAT Policies as it's no longer needed for the Hosts connecting to X5) giving the host the sense of connecting to ISP directly despite Tz570 being in the Middle (still applying all security policies Access Rules, Security Services etc.)

    As per your description, if you are just wanting to test the availability and operability of the unused IP's from the block, then the best choice is Transparent IP Mode as it is the least intrusive. However, the same is achievable with all the three modes or as you said using a switch totally bypassing the Tz570. Since these changes the lookup, forwarding and routing behavior, the Tz570 may need a reboot at times to apply the changes on incoming traffic.

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    I think this guy got something similar working with wire mode (2-port wire):

    https://community.sonicwall.com/technology-and-support/discussion/5749/setup-routing-between-interfaces-without-allocating-static-ip-on-interfaces-tz570#latest

Sign In or Register to comment.