SonicWall Help?

August 2, 2004 3:01:45 PM

Archived from groups: comp.security.firewalls

I normally wouldn't consider this to be the right forum for a specific
product, but I'm really stuck. SonicWALL support is just awful and I'm
getting pretty frustrated here. Here's the story:

- We have a number of servers that serve out a public service.
- Each server has a public IP address on 131.107.58.0/26 with a default
gateway of 131.107.58.1 (our ISP's gateway)
- Each server also has a "back tier" connection of 10.10.1.0/24. There is no
gateway out of this subnet.
- Currently we firewall by setting ACLs on the switch

We bought a pair of PRO 3060s to take care of our firewall needs and I was
told that this firewall could just slip into our current setup. It was
described as follows:

- 100Mb ISP link goes into the WAN port of the 3060 (this link is currently
in our switch)
- Link goes from the LAN port on the 3060 to our switch
- We configure the server in "Transparent Mode" placing an IP of
131.107.58.2 on the 3060 and the range from 131.107.58.3-63 on "IntraNet"

Is this correct? Because if it is, it doesn't work. What ends up happening
is the arp entry on each server for the default gateway (131.107.58.1) ends
up being mapped to the MAC of the 3060 and all servers lose
connectivity.

I really need help here and the support system that they have is just awful.
They're friendly, but I feel that they're more interested in finding a way
to fling the issue back on my lap so I have to wait another 24 hours for a
response (jokes like "We will need your serial number before we can
continue" and things like that).

Thanks guys. I hope someone can help.


Michael


Anonymous
August 2, 2004 11:24:41 PM

Archived from groups: comp.security.firewalls

On Mon, 2 Aug 2004 11:01:45 -0700, "Michael" <michaeln@twentyten.org>
wrote:
>
>I really need help here and the support system that they have is just awful.
>

Michael, isn't this a reason to simply return the boxes? Or are you
planning on being stuck with bad support for the life of the boxes?
August 2, 2004 11:24:42 PM

Archived from groups: comp.security.firewalls

"shopping.nowthor.com" <nospam@shopping.nowthor.com> wrote in message
>
> On Mon, 2 Aug 2004 11:01:45 -0700, "Michael" <michaeln@twentyten.org>
> wrote:
> >
> >I really need help here and the support system that they have is just awful.
> >
>
> Michael, isn't this a reason to simply return the boxes? Or are you
> planning on being stuck with bad support for the life of the boxes?

Oh my god... I wish that they'd just let me do it in Linux. But, these
firewalls were purchased before I got to this company and I inherited this
project. I can push back on newer projects but I feel like I need to see
this one through...


Michael
Anonymous
August 3, 2004 12:47:03 AM

Archived from groups: comp.security.firewalls

On Mon, 2 Aug 2004 11:01:45 -0700, Michael spoketh

>Is this correct? Because if it is, it doesn't work. What ends up happening
>is the arp entry on each server for the default gateway (131.107.58.1) ends
>up being mapped to the MAC of the 3060 and all servers lose
>connectivity.
>

Isn't that what is supposed to happen? The servers need to get directed
to the Sonicwall in order to get to the router, so I would think that
your arp table should look like that.

However, your problem might be on the router, not the firewall. Since it
has an arp table as well, and you are putting the firewall in between the
router and computers (and switch), its arp table has become invalid, and it
might be trying to send traffic through using an old (and invalid) arp
entry. Try to clear out the arp cache on the router and see if that
helps.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
August 3, 2004 12:47:39 AM

Archived from groups: comp.security.firewalls

On Mon, 02 Aug 2004 19:24:41 GMT, shopping.nowthor.com spoketh

>On Mon, 2 Aug 2004 11:01:45 -0700, "Michael" <michaeln@twentyten.org>
>wrote:
>>
>>I really need help here and the support system that they have is just awful.
>>
>
>Michael, isn't this a reason to simply return the boxes? Or are you
>planning on being stuck with bad support for the life of the boxes?

What, so he can buy some firewalls from you instead?

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
August 4, 2004 9:52:09 PM

Archived from groups: comp.security.firewalls

Michael wrote:

> I normally wouldn't consider this to be the right forum for a specific
> product, but I'm really stuck. SonicWALL support is just awful and I'm
> getting pretty frustrated here. Here's the story:
>
> - We have a number of servers that serve out a public service.
> - Each server has a public IP address on 131.107.58.0/26 with a default
> gateway of 131.107.58.1 (our ISP's gateway)
> - Each server also has a "back tier" connection of 10.10.1.0/24. There is no
> gateway out of this subnet.
> - Currently we firewall by setting ACLs on the switch
>
> We bought a pair of PRO 3060s to take care of our firewall needs and I was
> told that this firewall could just slip into our current setup. It was
> described as follows:
>
> - 100Mb ISP link goes into the WAN port of the 3060 (this link is currently
> in our switch)
> - Link goes from the LAN port on the 3060 to our switch
> - We configure the server in "Transparent Mode" placing an IP of
> 131.107.58.2 on the 3060 and the range from 131.107.58.3-63 on "IntraNet"
>
> Is this correct? Because if it is, it doesn't work. What ends up happening
> is the arp entry on each server for the default gateway (131.107.58.1) ends
> up being mapped to the MAC of the 3060 and all servers lose
> connectivity.
>
> I really need help here and the support system that they have is just awful.
> They're friendly, but I feel that they're more interested in finding a way
> to fling the issue back on my lap so I have to wait another 24 hours for a
> response (jokes like "We will need your serial number before we can
> continue" and things like that).
>
> Thanks guys. I hope someone can help.
>
>
> Michael
>
>
Not making much sense.

The arp entries SHOULD map to the mac of the sonicwall - that is what
it is supposed to do. That is how it functions as a firewall. The
packets to the default gateway go to the sonicwall's mac address, and it
then passes them on to the real gateway. That should not hose the
connections.

There is an option to turn this behavior off, but it's undocumented. Go
to http://(sonicwall's ip address)/diag.html, click on the advanced
prefs button and check off the box labeled "enable arp bridging" (or
something like that - don't remember the exact wording)
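
Added example, not part of any post in this thread: a small Python check for the two ARP conditions the replies describe, namely a server's gateway entry resolving to the firewall, and a router still holding pre-firewall entries for the 131.107.58.3-63 range. It assumes the firewall answers ARP for the servers on the WAN side; the MAC addresses, the function names and the router output layout are constructed for illustration.

```python
import ipaddress
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b", re.I)

def norm_mac(mac):
    """Normalise aa:bb.., aa-bb.. or aabb.ccdd.eeff to lower-case colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Return {ip: mac} from ARP table text; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = norm_mac(mac.group(1))
    return table

def gateway_via_firewall(server_table, gateway, fw_macs):
    """True when a server's gateway entry resolves to one of the firewall's MACs."""
    return server_table.get(gateway) in fw_macs

def stale_router_entries(router_table, first, last, fw_macs):
    """Protected-range IPs that the router still maps to a non-firewall MAC."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
    stale = [ip for ip, mac in router_table.items()
             if lo <= int(ipaddress.ip_address(ip)) <= hi and mac not in fw_macs]
    return sorted(stale, key=lambda ip: int(ipaddress.ip_address(ip)))

# Constructed sample data: IPs are the ones quoted in the thread, MACs are made up.
FW_MACS = {"02:00:00:00:30:60", "02:00:00:00:30:61"}  # hypothetical LAN / WAN MACs
SERVER_ARP = """\
? (131.107.58.1) at 02:00:00:00:30:60 [ether] on eth0
? (10.10.1.5) at <incomplete> on eth1
"""
ROUTER_ARP = """\
Internet  131.107.58.2   3   0200.0000.3061  ARPA  FastEthernet0/0
Internet  131.107.58.10  41  0200.0000.0010  ARPA  FastEthernet0/0
Internet  131.107.58.11  2   0200.0000.3061  ARPA  FastEthernet0/0
"""

if __name__ == "__main__":
    print("gateway via firewall:",
          gateway_via_firewall(parse_arp(SERVER_ARP), "131.107.58.1", FW_MACS))
    print("stale on router:",
          stale_router_entries(parse_arp(ROUTER_ARP), "131.107.58.3", "131.107.58.63", FW_MACS))
```

Any address reported as stale is a candidate for the ARP cache clear suggested earlier in the thread.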