
SOHO250 LAN2 Setup

I have a SOHO250 in a remote office. The current configuration is X0 – LAN, X1 – WAN (Static IP), X2 – DMZ, X3 and X4 LANs bridged to X0 (Sonicwall default).

All of my business connections are wired ethernet connected to X0.

I have a variety of about 24 Wi-Fi devices, the usual BYOD mix of phones, tablets, individuals’ computers and even a few TVs which utilize a non-Sonicwall Mesh System (Netgear ORBI) and a Netgear Nighthawk, both of which are set up as APs. These are connected to the X3 LAN port on the SOHO250. DHCP is presently handled by the SOHO250.

I would like to configure the X3 port to provide WAN access but be blocked from X0 and X2, my business LAN and DMZ. I’ve been unable to find a document that details the configuration of a completely separate LAN2 and am hoping that someone can point me to one.

Category: Entry Level Firewalls

Best Answers

  • CORRECT ANSWER
    Larry Cybersecurity Overlord ✭✭✭
    Accepted Answer

    Trusted in the Zone configuration is the highest security level - you want it for the LAN.

    What I believe you are concerned about is "Allow Interface Trust" - and that should NOT be permitted on your LAN2 because you don't want them talking with one another. Read through the descriptions of all the settings for the "Add Zone" step to secure your network the way you intend.

  • CORRECT ANSWER
    John_Lasersohn Moderator
    Accepted Answer

    Hi @MSYFlyer - The reason that Interface Trust settings were no help is that they relate to traffic within a zone. If you look at each zone, there are checkboxes relevant to what you were trying to do.

    The key concept is trust levels of the zones involved. Both LAN and WiFi were Trusted type zones and thus equal. On each of those zones, there is a checkbox which relates to a default setting controlling traffic between them.

    It is labeled: "Auto-generate Access Rules to allow traffic between zones of the same trust level"; if that were disabled on both zones, then WiFi hosts would not have been able to access LAN hosts at all. I hope this helps.

  • CORRECT ANSWER
    MSYFlyer Newbie ✭
    Accepted Answer

    Thank you. I was aware of the options for auto-generating rules. I was either lazy, sloppy, or stupid and never looked at the Security Type Column on the Zones screen. Another one of those times where rushing through something results in an error.

    I was in the middle of another high priority issue, non-Sonicwall related, and wanted to get back to it.

    Now I'm hoping that the 250 can handle the traffic load I'll be adding at this office.

Answers

  • Hi @MSYFLYER,

    Thank you for visiting SonicWall Community.

    Are you trying to configure X3 as WAN port; the traffic from the X0 and X2 interfaces shouldn't be happening via X3 WAN and they should instead go always via X1 WAN? Is this what you are trying to achieve? Please let me know.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • MSYFlyer Newbie ✭

    No, I'm not trying to configure it as a WAN. Here's some more detail.

    My ISP uses routing, not bridging, which creates a lot of work configuring a Sonicwall. I have a CIDR 16 block with 13 usable IPs. One is used for the X1 WAN. The other 12 are used on the X2 DMZ. There is a 2019 Datacenter Edition Server with 14 NICs. 2 of them are teamed and connected to the X1 LAN for accessing the Core. The other 12 are each supporting a VM, so I don't have any available to use for a second WAN.

    What I'm trying to accomplish is to have a completely independent X3 LAN which accesses the internet through X1 WAN and is isolated from the X0 LAN and X2 DMZ.

    If there are issues with DHCP for the 2 APs, they could be changed to routers with static IPs in a separate range and each could run its own DHCP. There's no need for any device on the X3 LAN to communicate with any other device on the LAN.

  • Larry Cybersecurity Overlord ✭✭✭

    @MSYFlyer , possibly in a simpler environment you'd do the following:

    Set up a new Zone, say LAN2 with a Security type of "Trusted"

    Set up the Interface by selecting X3, if that's what you want, and assign it to Zone LAN2 with a Static IP. Give it a base IP address in a subnet that is not currently being used by any of your existing network.

    Establish the DHCP Server for that subnet and select the interface, X3 to assign it to.

    Go back to Zones and establish the appropriate Security Services.

    Not sure if something this easy will work in your case, but it just might.

  • MSYFlyer Newbie ✭

    Thank you. I'll give it a try and let you know.

    My only thought about this approach, without having tried it, is that by setting the Security type as Trusted it would have access to the other Trusted Zones and vice versa, and that closing those doors would be a major chore.

    I'll find out.

  • MSYFlyer Newbie ✭

    Hi Larry,

    Thanks for the idea. It turned out to do what I wanted. I set up a new Zone which I named WiFi for the X3 port with a Static IP and set it as Trusted.

    However, unchecking "Allow Interface Trust" still allowed communication between the Sonicwall Ports. I solved that by setting rules to Deny all except WiFi - WAN (both IPv4 and IPv6) and WAN - WiFi.
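The two mechanisms discussed in this thread (John_Lasersohn's point that "Allow Interface Trust" only governs traffic within a zone while the same-trust-level auto-generate checkbox governs traffic between two Trusted zones, and MSYFlyer's final "deny all except WiFi - WAN and WAN - WiFi" rule set) are easy to confuse, so here is a small policy model that makes the difference visible. This is an added example, not code from the thread or from SonicWall; the trust ranking (Trusted above Public above Untrusted), the "higher trust may reach lower trust by default" behaviour, and the zone names LAN, WAN, DMZ and WiFi are assumptions chosen to match the topology in the posts, and should be checked against the Zones and Access Rules screens on the unit itself.

```python
"""Model of zone-based access control for the LAN / WiFi isolation above.
Constructed illustration only: mimics the zone semantics as the thread
describes them, not SonicOS itself. Default behaviours are assumptions."""
from dataclasses import dataclass

# Assumed ranking of security types: higher rank may initiate to lower rank.
TRUST_RANK = {"Trusted": 3, "Public": 2, "Untrusted": 1}


@dataclass(frozen=True)
class Zone:
    name: str
    security_type: str
    # "Auto-generate Access Rules to allow traffic between zones of the same trust level"
    auto_same_trust: bool = True
    # "Allow Interface Trust": traffic between interfaces *within* this zone only
    interface_trust: bool = True


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"


def default_action(src: Zone, dst: Zone) -> str:
    """Implicit policy when no explicit rule matches (assumed model)."""
    if src.name == dst.name:
        # Intra-zone traffic is the only thing "Allow Interface Trust" governs.
        return "allow" if src.interface_trust else "deny"
    s, d = TRUST_RANK[src.security_type], TRUST_RANK[dst.security_type]
    if s > d:
        return "allow"  # e.g. Trusted -> Public, Trusted -> Untrusted
    if s == d and src.auto_same_trust and dst.auto_same_trust:
        return "allow"  # two Trusted zones with the box ticked on both
    return "deny"


def evaluate(zones: dict, rules: list, src: str, dst: str) -> str:
    """Ordered rule table: first explicit src/dst match wins, else the default."""
    for r in rules:
        if r.src == src and r.dst == dst:
            return r.action
    return default_action(zones[src], zones[dst])


def isolation_rules(zone: str, zones: dict, allowed_peers=("WAN",)) -> list:
    """Explicit rules reproducing 'Deny all except <zone> <-> each allowed peer'."""
    rules = []
    for other in zones:
        if other == zone:
            continue
        action = "allow" if other in allowed_peers else "deny"
        rules.append(Rule(zone, other, action))
        rules.append(Rule(other, zone, action))
    return rules


def policy_matrix(zones: dict, rules: list) -> dict:
    """Resulting inter-zone decisions, keyed by (src, dst)."""
    return {(s, d): evaluate(zones, rules, s, d)
            for s in zones for d in zones if s != d}


# Constructed topology matching the thread: LAN (X0), WAN (X1), DMZ (X2), WiFi (X3).
ZONES = {
    "LAN": Zone("LAN", "Trusted"),
    "WAN": Zone("WAN", "Untrusted"),
    "DMZ": Zone("DMZ", "Public"),
    "WiFi": Zone("WiFi", "Trusted"),
}


def scenario_default() -> dict:
    """WiFi added as a Trusted zone with every box left at its default."""
    return policy_matrix(ZONES, [])


def scenario_uncheck_auto() -> dict:
    """Auto-generate box cleared on both LAN and WiFi, no explicit rules."""
    zones = dict(ZONES)
    zones["LAN"] = Zone("LAN", "Trusted", auto_same_trust=False)
    zones["WiFi"] = Zone("WiFi", "Trusted", auto_same_trust=False)
    return policy_matrix(zones, [])


def scenario_explicit_rules() -> dict:
    """MSYFlyer's final fix: deny everything to/from WiFi except WiFi <-> WAN."""
    return policy_matrix(ZONES, isolation_rules("WiFi", ZONES))


if __name__ == "__main__":
    for label, fn in [("default", scenario_default),
                      ("auto-generate off", scenario_uncheck_auto),
                      ("explicit rules", scenario_explicit_rules)]:
        m = fn()
        print(f"{label:18} WiFi->LAN={m[('WiFi', 'LAN')]:5} "
              f"WiFi->DMZ={m[('WiFi', 'DMZ')]:5} WiFi->WAN={m[('WiFi', 'WAN')]:5}")
```

Running the three scenarios shows why the thread's first attempt did not work and why the explicit rules did: with WiFi as a second Trusted zone and defaults left alone, WiFi reaches LAN; clearing the auto-generate box on both zones stops WiFi from reaching LAN, but in this model WiFi can still reach the Public DMZ because a higher trust level reaches a lower one by default; only the explicit "deny all except WiFi to WAN" rules isolate X3 from both X0 and X2, which was the original requirement, while leaving LAN's own access to WAN unchanged. Clearing "Allow Interface Trust" changes none of these inter-zone results, matching what was observed.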
