Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Setting up Rule from LAN to WAN

Hello,

I set up a rule for a device in the LAN to access a device in the WAN. This is directly from one IP to another. However, when we test it doesn't seem to be working. I think it should have worked with the default Any Any LAN to WAN rule but it doesn't work with that rule enabled either.

I'm able to ping both devices so I think the issue is with my settings.

My LAN is a Trusted Zone on X0 and the WAN is Untrusted on X1.

Are there other settings I need to look at and check?

Regards, Phil

Category: Entry Level Firewalls
Reply

Comments

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Can you provide a screenshot or better description of your access rule? Do you have any deny rules? Have you run a packet capture to watch the traffic?

  • PhilPhil Newbie ✭

    Here's an image of the Rule. We don't have any deny rules from LAN to WAN but there are others in place. There is a Deny Any rule from the WAN to LAN. No, I have not run a packet capture.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Are the source and destination address objects in the correct Zone? 'MF1 Pro3 Device' in LAN, 'MF1 Monarch' in WAN?

    If you mouse over the statistics icon (3 vertical bars next to edit) do you see any hits / packets?

    Next step is the packet capture.


  • SaravananSaravanan Moderator

    Hi @PHIL,

    Could you please let me know if you are trying to access those WAN devices from LAN resource via any specific services like SSH or HTTP or Ping?

    If the access issue is specific only to those WAN devices, there is a possibility to check the outbound NAT policy if its configured right.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • PhilPhil Newbie ✭

    Hi @TKWITS, yes, the address objects are in the correct zone. No, I do not see any packets in the statistics. I tried the packet capture to no avail. Nothing showed up in the capture on either the source or destination IPs.

    @Saravanan , I tried to ping and run a tracert to the destination IPs but all my requests fail. I'm curious what the outbound NAT policy would need to be configured as. I did not configure anything with that yet. I wouldn't think NAT would come in to play with this.

    Thank you both for your thoughts on this.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    edited June 2021

    Anything going LAN to WAN by default will have NAT policies applied. That is the way the IPv4 internet works 99% of the time.

    Either way are you sure your internal routing is correct? If no traffic is hitting the access rule or packet capture than something else is going on...

    What did you mean you could ping both devices? From each other? From other devices?

    We need more details.

  • PhilPhil Newbie ✭

    I think the internal routing is correct. The original purpose of the firewall was to allow someone to VPN in to the devices on the LAN and that goal has been accomplished. I agree, something else may be going on, although this was working with the previous Cisco firewall so that is the reason we think it is a firewall issue.

    We are NOT able to ping the devices. I tried pinging the three devices on the WAN from a PC set up in the LAN and the request times out.

  • PhilPhil Newbie ✭

    I found this issue from a couple years ago that seems similar to mine. I also can't ping the firewall from a machine in the LAN even though I have Ping enabled in both the LAN and WAN.

    It got me to wonder if there is a setting somewhere I need to enable/disable. We don't have IPS licensed with our device but perhaps there is some other setting to prevent Low Priority Attacks as was with this one. We are using firmware version 6.5.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    We still need more information. Give us some IPs or something to work with.

  • SaravananSaravanan Moderator

    Hi @Phil,

    If all the required settings are there in the SonicWall, then we may need to perform packet capture to conclude further.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    Hi @Phil ,

    If you are enabled the IPS with Low priority Attacks, Ping service will get block so disable the IPS low priority Attacks for enable the ping service.

    As well as check below rule is enabled;


  • PhilPhil Newbie ✭
    edited June 2021

    Thanks, @Ajishlal. We do not have IP enabled. The rule you reference is indeed enabled.

    Thanks, @Saravanan. @TKWITS mentioned the packet capture as well, which I tried but did not help me identify the issue. I might have done something incorrectly when performing it so I can revisit that too.

    I did find in the ARP Cache that our gateway is listing Cisco Systems as the Vendor. Cisco was the vendor of the previous firewall we had installed. I flushed the one item listing the gateway IP but it still came up as Cisco. I would think this should now list Sonicwall as the vendor on the Gateway IP address.

  • PhilPhil Newbie ✭

    I found that the MAC address listed in the ARP cache doesn't match the MAC on the old Cisco firewall. So I may not be thinking that through correctly.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    It sounds like you have more routers / firewalls involved than just the sonicwall, thus my inquiries about internal routing and more information...

  • PhilPhil Newbie ✭

    Yes, I think you're right, @TKWITS. I'm going to involve some other internal folks to look at this with me. Thanks.

  • PhilPhil Newbie ✭

    SOLVED

    This issue is now resolved. The problem was I had the LAN IP assigned the same as the default gateway. Both were set to 10.x.x.1. So we changed the IP to 10.x.x.2 and now it all works. Thanks all for thinking this through with me.

  • SaravananSaravanan Moderator

    Hi @Phil,

    Glad to hear that. Thanks for sharing the results.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Sign In or Register to comment.