TZ600 series does not recognize the other IPs of the same subnet
BFranca
Hey guys. We have a TZ670 in HA allocated to one of our customers. The purpose of the TZ is to replace an existing balancer whose main function is to do NATs. The client has 6 internet links, all of them with subnets ranging from /26 to /29. When we configure, for example, the IP 192.168.0.217/29 on the WAN interface, the only IPs I can ping from this interface are the interface itself and the gateway; the IP 192.168.0.218, for example, is not reachable, and this is replicated on all interfaces that have subnets. I've done everything I know, but honestly I've never seen anything like it and I don't have much experience with SonicWall. I would like your help to find out if there is any particularity of the box that may be causing this. Thanks in advance for your help and attention.
Category: Mid Range Firewalls
Comments
Please provide additional information about your configuration (such as what interfaces are assigned what zones and IPs, etc.) and a diagram.
Hi @BFRANCA,
Thank you for visiting SonicWall Community.
I understand that you are unable to reach out to any external or public IP addresses from the Firewall via WAN interface. Is this right? Could you please let me know your requirement? Based on it, I can help you better.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Saravanan and @TKWITS
Thanks for your attention.
Saravanan, I'm going to sketch a scenario:
I have a contracted IP with a service provider X, and this IP is a /29. The IP configured on my WAN interface is xxx.xxx.109.217.
Being a /29, I have a range of IPs from 217 to 221, with 222 being my gateway. From this range, the only IPs I can access are the interface (217) and the gateway (222); the other IPs are not reachable. However, when I change the interface IP to 219, for example, I start to see 219 and I lose access to 217, as if the interface only recognized the IP that is configured on it and ignored the others on the same subnet.
Let me know if I have been able to express our problem clearly.
This is expected behavior and is pretty much networking 101. If an IP address is not in use on a network you won't be able to 'see' it either via ping or ARP.
Using your example, we have the WAN interface configured with X.X.109.217 /29 with the gateway being X.X.109.222.
.217 and .222 are the only IP addresses in use on the /29 network, and thus would be the only ones showing up in the ARP table.
If you were to add a static ARP entry on the SonicWall for X.X.109.218 on the WAN interface, then .217, .218 and .222 would show in both the SonicWall and ISP device ARP tables.
Read up on these topics:
Hi @TKWITS
I hope you're well.
Thanks for your answer.
We have several applications aimed at these IPs, so they should be reachable. Maybe a static ARP will help us; I confess that I didn't think about it at the time. However, this process should be automatic and not forced.
I've searched on several forums, including from other manufacturers to try to find something related but without success.
Any automatic configuration is a luxury, and was not automatic. Someone somewhere configured something to provide it.
Anyways, if the point of the SonicWall is simply inbound IPv4 NATs, you do not need to create the static ARP entry. You just have to create the NAT and open the firewall via Access Rules.
See:
A static ARP entry may still be required if it is not a routed pool of IPs by the upstream device and requires ARP. Do both.
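To make the ARP point from the replies above concrete, here is an added example (not code from the thread or from SonicWall): it takes the WAN interface address with its prefix, the ISP gateway and the ARP table the firewall currently sees, and works out which addresses of the /29 are usable, which ones some device answers for, and which ones will stay unreachable until the firewall claims them (a NAT policy, or a static ARP entry where the upstream device needs one). The subnet (203.0.113.216/29 standing in for the poster's xxx.xxx.109.x), MAC addresses and ARP table are constructed.

```python
"""Added example: which addresses in a WAN /29 will answer, and which need a binding."""
from ipaddress import IPv4Interface, IPv4Address

# Constructed ARP table as the firewall would see it on the WAN interface:
# only the interface itself and the gateway are in use on the /29.
ARP_TABLE = {
    "203.0.113.217": "00:00:5e:00:53:01",  # firewall WAN interface (placeholder MAC)
    "203.0.113.222": "00:00:5e:00:53:fe",  # ISP gateway (placeholder MAC)
}


def usable_hosts(interface: str) -> list[IPv4Address]:
    """All host addresses of the interface's subnet (network and broadcast excluded)."""
    return list(IPv4Interface(interface).network.hosts())


def classify(interface: str, gateway: str, arp_table: dict[str, str]) -> dict[str, list[str]]:
    """Split the subnet into the interface, the gateway, addresses that answer ARP,
    and addresses that nobody claims (these are the ones ping cannot 'see')."""
    iface_ip = IPv4Interface(interface).ip
    gw_ip = IPv4Address(gateway)
    result = {"interface": [str(iface_ip)], "gateway": [str(gw_ip)],
              "answering": [], "unclaimed": []}
    for host in usable_hosts(interface):
        if host in (iface_ip, gw_ip):
            continue
        bucket = "answering" if str(host) in arp_table else "unclaimed"
        result[bucket].append(str(host))
    return result


def needed_bindings(interface: str, gateway: str, arp_table: dict[str, str],
                    wanted: list[str]) -> list[str]:
    """Addresses the applications target that no device answers for: each one needs
    the firewall to claim it (NAT policy, plus a static ARP entry if the ISP does not
    route the block) before inbound traffic to it can work."""
    unclaimed = set(classify(interface, gateway, arp_table)["unclaimed"])
    return sorted((ip for ip in wanted if ip in unclaimed), key=IPv4Address)


if __name__ == "__main__":
    # The poster's situation: only .217 and .222 are in use, .218-.221 are unclaimed.
    print(classify("203.0.113.217/29", "203.0.113.222", ARP_TABLE))
    print(needed_bindings("203.0.113.217/29", "203.0.113.222", ARP_TABLE,
                          ["203.0.113.218", "203.0.113.219"]))
```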