TZ400 - Single WAN interface, Multiple public static IPs

Hello,

I am working on a setup where I have a single WAN interface, with multiple public static IPs. The goal is to allow RDP connections to each static IP (no more than one to three at a time) to a Hyper-V server on our internal LAN that will run multiple Windows Server VMs in Hyper-V.

What is the best way to set up these IPs in the SonicWall and is there anything specific I need to do for the VMs?

If I do subinterfaces on the WAN, do I have to do any type of special VLANs to talk to the Internal VMs?

Thanks!

Category: Entry Level Firewalls

Answers

  • Hello @TC10284,

    Welcome to SonicWall community.

    If the static IP addresses are in the same subnet as the existing WAN interface IP, you can directly create the port forwarding rules for them to point at the VMs using inbound NAT and access rules.

    If they do not belong to the same subnet as WAN Interface, you can use static ARPs and route to bind them to the existing WAN interface and then create the port forwarding rules.

    This KB article should be helpful.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Wayne, Moderator

    Hello @TC10284

    I think @shiprasahu93 provided a great technical answer. My question is what are you trying to accomplish by using multiple IPs? If you have only one WAN interface, then I assume you're only using one ISP connection. If that's correct, then I don't see any performance or security benefits to having remote users connect back to different public IPs if they are all going to use the same ISP and terminate on the same firewall interface. So I think you might be making the solution more complicated than necessary, or there's critical information missing in how you described your scenario.

    W.

  • WBHTZ270 Newbie ✭
    edited March 27

    I'm having difficulty with this as well. I have a VM hosting multiple servers, and 13 static IPs from my ISP all coming in on one wire. I need to be able to assign specific static IPs to specific VMs. I've read all the postings I can find, have set up Access Rules, NAT policies and even static ARP routes. X1 is assigned xx.xx.xx.93, I'm trying to assign xx.xx.xx.94. I've got two machines set up to test with, one NAT'ed from .93 as 192.xx.xx.10 and one NAT'd from 94 as 192.xx.xx.44 with a port listener on 80. I've tried a lot of configurations, but can't even ping .94 let alone connect on port 80. Running SonicOS 7.01 on a TZ270. Can anyone point me to how to debug/fix this? Thanks.

  • Arkwright All-Knowing Sage ✭✭✭✭
    edited March 28

    This should be pretty straightforward.

    One thing to watch out for is that even if you have NAT policies for additional public IPs fully configured and working, you will never see those additional IPs in the Sonicwall's own ARP cache, even though the Sonicwall is sending/receiving ARP for those IPs. So don't let that mislead you! You will see the Sonicwall responding to ARP for these additional IPs in a packet capture.

    So start a packet capture with .94 as the destination and attempt to connect to it from outside. What do you see?


    "NAT'd from 94 as 192.xx.xx.44 with a port listener on 80. I've tried a lot of configurations, but can't even ping .94"

    If you aren't NATing ICMP to .94 to .44, then you aren't going to be able to ping .94.
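One way to read the capture requested above, as an added example that is not part of the original thread. It assumes the capture was exported and printed as text with `tcpdump -n -r`; the 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the redacted .93/.94 and an outside client.

```python
import re

# Constructed sample: `tcpdump -n` text from the WAN side, documentation addresses
# (203.0.113.93 = X1 interface IP, 203.0.113.94 = additional public IP).
SAMPLE = """\
12:00:01.000100 ARP, Request who-has 203.0.113.94 tell 203.0.113.89, length 46
12:00:01.000300 ARP, Reply 203.0.113.94 is-at 00:00:5e:00:53:01, length 28
12:00:01.001000 IP 198.51.100.7 > 203.0.113.94: ICMP echo request, id 7, seq 1, length 64
12:00:02.001000 IP 198.51.100.7 > 203.0.113.94: ICMP echo request, id 7, seq 2, length 64
12:00:03.000000 IP 198.51.100.7.51514 > 203.0.113.93.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000400 IP 203.0.113.93.80 > 198.51.100.7.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+)")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at")
IP_PKT = re.compile(r"\bIP (\S+) > (\S+):")

def host(endpoint):
    """Drop the trailing port that tcpdump appends to TCP/UDP endpoints."""
    return ".".join(endpoint.split(".")[:4])

def triage(capture_text, public_ip):
    """Return (verdict, counters) describing what the capture shows for one public IP."""
    n = {"arp_req": 0, "arp_rep": 0, "inbound": 0, "outbound": 0}
    for line in capture_text.splitlines():
        if (m := ARP_REQ.search(line)) and m.group(1) == public_ip:
            n["arp_req"] += 1
        elif (m := ARP_REP.search(line)) and m.group(1) == public_ip:
            n["arp_rep"] += 1
        elif m := IP_PKT.search(line):
            n["inbound"] += host(m.group(2)) == public_ip
            n["outbound"] += host(m.group(1)) == public_ip
    if not n["arp_req"] and not n["inbound"]:
        verdict = "no-traffic-seen"      # nothing for this IP reaches the capture point
    elif n["inbound"] and not n["outbound"]:
        verdict = "inbound-unanswered"   # packets arrive, nothing goes back: NAT/access rule/host
    elif n["arp_req"] and not n["arp_rep"]:
        verdict = "arp-unanswered"       # upstream asks who has the IP, nobody answers
    else:
        verdict = "responding"
    return verdict, n

if __name__ == "__main__":
    for ip in ("203.0.113.93", "203.0.113.94", "203.0.113.95"):
        print(ip, *triage(SAMPLE, ip))
```
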

  • WBHTZ270 Newbie ✭

    Thanks @ARKWRIGHT, Wireshark capture of ICMP to .94 shows (no response found). I am NAT'ing Ping to .44

    And I have .94 set up as a static, published ARP.

  • Arkwright All-Knowing Sage ✭✭✭✭

    Look at first reply to this thread:

    "If they do not belong to the same subnet as WAN Interface, you can use static ARPs"

    I assume that as you are NATing 1 IP up from your WAN IP, then it's in the same subnet? In which case, no manual anything with ARP entries is required, simply create the NAT policies and the firewall will deal with ARP.

  • WBHTZ270 Newbie ✭

    @ARKWRIGHT Thank you for your response. As an experiment I removed all Access rules, static ARP, and custom NAT entries. Then created, using the wizard, one set of 1 Access Rule and 3 NAT entries for Ping[Group], HTTP and HTTPS WAN to LAN, etc. for anywhere to .94. No response to ping. The .44 machine can ping the .10 machine. The .10 machine can ping the .44 machine (LAN access). The .10 machine (on .93) cannot ping the .94 external address (nothing can). Anything can ping the .93 address (it's the defined X1 i/f). The .44 machine can connect to the full Internet, but WhatsMyIp reports it as .93, not .94, which I think may be the root of the problem.

  • WBHTZ270 Newbie ✭

    This knowledgebase article "https://www.sonicwall.com/support/knowledge-base/how-to-configure-multiple-wan-ip-addresses-part-of-the-same-network-of-the-wan-interface/230801093303163/" seems to have the same issue I'm seeing and the suggestion is to add a static ARP, which I did, but am still not able to access the second IP address.

  • Arkwright All-Knowing Sage ✭✭✭✭

    So start a packet capture with .94 as the destination and attempt to connect to it from outside. What do you see?

  • WBHTZ270 Newbie ✭

    With a few hours of support from SonicWall support, who couldn't figure it out (packet capture was showing nothing no matter what they did), they realized that this router was a replacement for one that was returned and asked, "Did you upload a configuration from the old router?" So we reset to factory settings, added in a new configuration from scratch and everything worked just fine. Oh, turns out that one cannot set a second static ARP in this case. Thanks for your help.
