Get 2 subnets to communicate with 2 different interfaces
Sorry, I know this has been answered a few times, however I can't find an actual solution.
I have a TZ300 with SonicOS Enhanced 6.5.4.13-105n. I have created the Interfaces on X2 - 192.168.4.x and X3 - 192.168.1.x. I've created the Zones for both, set up the access rules (at least I think I set them up correctly), created the Access objects as Network types 192.168.1.0/255.255.255.0 and 192.168.4.0/255.255.255.0, and created the routes.
I set up the packet monitor to look at the 1.x ping source and a 4.x destination, nothing shows in the monitor, however the ping is always unreachable. The Log monitor occasionally shows an IP Spoof Detected.
I'm not sure what I'm missing. Any help would be really appreciated.
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@temond the Rules should be more than sufficient (because they are very broad).
The Interfaces X2 and X3 are connected to different switches or separated by VLANs? Did you check with the ARP cache of your SNWL if both IP addresses are listed here and therefore reachable from the Firewall?
You mentioned that the Packet Monitor isn't showing anything for ICMP, the only conclusion would be that the packet is not getting routed from the endpoint to the Firewall. Can you ping the Firewall from the endpoint? Did you double-check the netmask of your endpoints and firewall interfaces? It should be /24 (255.255.255.0). Default Gateway on the endpoint is set to the Firewall?
It's a bit tricky to list all possible pitfalls here, but we'll figure it out.
--Michael@BWC
Answers
@temond delete your Routes, they are not necessary and probably the cause of the IP Spoof Detection. Subnet Routing is always included :)
It all comes down to the Access Rules Zone-X2 to Zone-X3 and vice versa.
--Michael@BWC
Thanks Mike for the quick reply. I deleted all of my routes but still can't ping a device on the 4.x network.
I have access rules From X2 to X3 Source:Any Destination:Any Service:Any and From X3 to X2 Source:Any Destination:Any Service:Any
Going back to basics
Is the X2 IP address the default GW for the 192.168.4.x subnet and is the X4 the default GW for the 192.168.1.x subnet?
I've tried with the different gateways on both interfaces. My trouble is the Sonicwall is not the default internet gateway either, so I can't assign the Sonicwall as the endpoints' default static gateway.
I was able to get the 2 networks communicating by using the default network gateway appliance. I really appreciate all of the help.
My trouble is the Sonicwall is not the default internet gateway
That's probably the problem. If you're not going to use the Sonicwall as the gateway in a network, then it probably doesn't need an IP in that network. If you use something else as the gateway in a network where the Sonicwall has an IP, then you will have a triangular routing situation where the Sonicwall only sees some of a TCP connection and most things will break. Ping will work fine though, so you will be scratching your head about it!
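The triangular-routing failure described in the answer above, as an added example that is not part of the thread or SonicWall's code: a toy stateful firewall that sees only the client's side of the TCP handshake drops the client's later packets, while ICMP echo still passes. The host addresses and the simplified session model are constructed assumptions.

```python
# Toy stateful firewall (constructed for illustration, not SonicOS logic).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # tcp only: "SYN", "SYN-ACK", "ACK", "PSH"


class StatefulFirewall:
    """Forwards TCP data only for connections whose handshake it observed."""

    def __init__(self):
        self.sessions = {}  # (client, server) -> handshake state

    def inspect(self, p: Packet) -> str:
        if p.proto == "icmp":
            return "forward"  # echo request/reply needs no handshake state
        key, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return "forward"
        if p.flags == "SYN-ACK" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "SYN_RECEIVED"
            return "forward"
        if p.flags == "ACK" and self.sessions.get(key) == "SYN_RECEIVED":
            self.sessions[key] = "ESTABLISHED"
            return "forward"
        if "ESTABLISHED" in (self.sessions.get(key), self.sessions.get(rev)):
            return "forward"
        return "drop"  # no tracked session matches this packet


def run(packets_seen_by_firewall):
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets_seen_by_firewall]


A, B = "192.168.1.10", "192.168.4.10"  # constructed hosts on the X3 / X2 subnets

# Symmetric path: every packet of the handshake traverses the firewall.
SYMMETRIC = [Packet(A, B, "tcp", "SYN"), Packet(B, A, "tcp", "SYN-ACK"),
             Packet(A, B, "tcp", "ACK"), Packet(A, B, "tcp", "PSH")]
# Triangular path: B replies via its own default gateway, so the firewall never
# sees the SYN-ACK; A's ACK and data then arrive with no matching session.
TRIANGULAR = [Packet(A, B, "tcp", "SYN"), Packet(A, B, "tcp", "ACK"),
              Packet(A, B, "tcp", "PSH"), Packet(A, B, "icmp")]
```

Running `run(TRIANGULAR)` shows the SYN and the ping forwarded but the ACK and data dropped, which is the "ping works, everything else breaks" symptom the answer describes.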