A demilitarized zone enables one or more computers to access the outside network unrestricted. You can set up a DMZ on SonicWALL in network address translation mode or standard mode. NAT mode assigns private IP addresses to the computers on the network but configures these devices to communicate with the Internet using.
I have 8 wireless access points in our school and a TZ300 with no wireless option. I am testing a student network that is isolated from the internal network. I only want them to have internet access through the SonicWALL Content Filtering.

On my EnGenius EAP300 I set up 2 SSIDs (Student and Teacher). The Student SSID is tagged with VLAN 20 and the Teacher SSID is VLAN 10. I set up a Teacher Zone and a Student Zone. The Student Zone has a Deny Rule from Student Zone to LAN Zone. The SonicWALL DHCP is set up to issue 192.168.3.x addresses on X2, and the virtual X2:V10 interface issues out 192.168.4.x addresses.

When I connect the AP to X2 and connect to the Teacher network, I get a 192.168.3.x address. When I connect to the Student WiFi, I also get a 192.168.4.x address and I don't see any traffic on the virtual interface. I spent 4 hours on the phone with SonicWALL and they gave up on me and just said it was my Access Points that were the issue.

Here's the issue. My SonicWALL is not issuing out the .4 addresses when clients coming in from the Student network connect. The other issue is that when a client comes in from the Student network, it is able to browse the network and file shares when it shouldn't see any resources on the LAN.

Edited Sep 15, 2017 at 01:59 UTC.

There are so many variables, so I will start off by recommending that you:

On Interface X2, do not configure the parent; leave it as 'unconfigured'. You already have a Sub-Interface for VLAN 10, which should be X2:V10. Create another X2 Sub-Interface for VLAN 20, which should result in X2:V20.

INTERFACE RESULT
X2 - Unassigned
X2:V10 - Teachers VLAN
X2:V20 - Students VLAN

ZONE REQUIREMENTS
Did you set up two ZONES - TEACHERS and STUDENTS? Above you noted that you only want CFS filtering - did you edit the two zones? If not, go to Network > ZONES. Edit both ZONES for your desired security services. Since you are not using SonicPOINT, you may have to untick 'Only allow traffic generated by a SonicPOINT (ACe/ACi/N2/N/Ni/NDR)'. This setting is found in the ZONE configuration tab: WIRELESS. You will need to do this for both ZONES.

DHCP SETUP
There should be two DHCP Servers:
X2:V10 SUBNET = 192.168.4.X/24
X2:V20 SUBNET = 192.168.3.X/24
NOTE: I recommend leaving the unassigned X2 root Interface Link Speed at Auto Negotiate.

SWITCH REQUIREMENT
You stated above that you connected an AP to X2.

That's good info, man. So I'll try leaving the parent X2 as unconfigured and setting up the two virtuals. Regarding the zones, yes, I forgot to mention that I configured two new zones, a Teacher Zone and a Student Zone. This is where I was waffling back and forth.
Do I set up the zones as a Trusted Zone or as a Wireless or WLAN Zone? If I set it up as a WLAN zone, then the option that you mentioned (Only allow traffic generated by a SonicPOINT) is available. Sounds like I was on the right track today before putting everything back to normal. Also, yes, the AP was only connected to X2 temporarily, but I did have it connected to an unmanaged switch, and then the switch was connected to the SonicWALL X2.

Additionally, I should mention this. SonicWALL had me take the APs off of my main switch inside my SonicWALL connected to X1 and put a second switch on X2 that the APs are connected to. When I had the APs connected to the inside switch, they were hitting my Windows DHCP server and handled as all internal traffic, and the SonicWALL was unable to manage any of the traffic separation. Thanks again for the help and confirmation.

Answering in order:

Set the ZONE as WIRELESS - you can come back later and do fancy Guest Services if desired, i.e. adding a welcome page, authentication like how it works at Starbucks, etc.

NOTE: Ticking the option 'Allow Interface Trust' is an automated process. Here is what it does: if you added several interfaces to your new TEACHER/STUDENT Zone, ticking this option auto-creates ALLOW rules between ZONES for the specified Interfaces, i.e., X3, X4, X5, etc. In your case, if you leave this option on (or ticked), you will have to modify the Access Rules for ZONE: STUDENT > TEACHER ALLOW and vice-versa. If you don't want these Wireless Networks talking to each other, untick 'Allow Interface Trust'. You will have to go to FIREWALL > Access Rules. Click the drop-down boxes and select FROM ZONE: TEACHER TO ZONE: STUDENTS, then press OK. If you find an access rule allowing traffic, disable it or delete it. Same thing vice-versa, from STUDENTS to TEACHERS. In a nutshell, if these wireless networks are for INTERNET only, just enable/create one rule - FROM: STUDENT TO: WAN - and make sure to create a rule for ANY, ANY, ANY, ANY and ALLOW. Same thing for TEACHER to WAN.

You only had one (1) AP connected for X2? Did you do that for testing? This will not work; it might have, but it is not something you want to do. You will understand why by the time you are done reading this.

You noted above that your inside switch is connected to X1; I think you mean X0, right? X1 is typically the Main WAN interface - unless you did this intentionally.

SonicWALL had you connect APs on your Main Network (sounds like Default VLAN 1) - did you join those ports (with APs) to their respective VLANs, 10 or 20? If you did not, then those APs were broadcasting on VLAN 1, your Default VLAN 1. VLAN 1 is where your MAIN DHCP Server resides and leases out IPs.

NOTE: The most common VLAN is always the default, which is VLAN 1. If you went out and bought a managed switch, by default it's configured on VLAN 1. Every port on a new switch is on VLAN 1 and set as an ACCESS PORT. That said, say your home network has a 24 PORT Managed Switch and all ports are configured to VLAN 100. One day you discover that you need more ports, so you buy a new managed switch. The new switch is not going to be configured to VLAN 100, so you will not be able to uplink. This is why the industry basically, by default, commonly sets new switches to VLAN 1, or the default. This also makes things easier for flat networks.

Remember in the beginning when you configured the root interface X2 for STUDENTS? You stated that it was VLAN 20, but it really was not - it was really on VLAN 1. This is why I suggested that you not use the root/default interface. Any interface is generally VLAN 1, unless you change the Native VLAN to another ID, like 99.

With all that said, you need a managed switch - you will not succeed without a managed switch. That said, yes, there are other ways to accomplish this, i.e. Transparent Bridge, fancy NAT Policies/Static Routes, dedicated non-managed switches, etc. In my opinion, using a managed switch is the best option for your environment.

NOTE: If you are a bit confused on TRUNK, ACCESS, PVID, etc., let me know and I'll send you a VISIO diagram - but I would need to ask you a few questions about your network. Let me know.

If you are GOOD in the switch arena with the requirements, then:
1. Get a managed switch, then log in to the management page.
2. If port #1 is connected to SonicWALL PORT X2, then port #1 on the managed switch needs to be set as a TRUNK port.
NOTE: By default, ports are set as ACCESS with PVID 1.
NOTE: Once you successfully configure item #2, your port will be set as TRUNK with PVID 1.
3. You only need one (1) TRUNK port on your managed switch - unless you have many switches in between. The trunking protocol (802.1q) will forward your TAGGED VLANs (10 & 20). In other words, your managed switch becomes VLAN aware. The only thing left after the trunk is to decide which ACCESS ports you want on VLAN 10 or VLAN 20; as mentioned above, this is done by changing the PORT's PVID.
4. REPEAT: The other ports on your managed switch are most likely all set to ACCESS ports on VLAN 1 with PVID 1.
5. On the switch ports where you connect TEACHER APs, make sure those PORTS are set to ACCESS and set to PVID 10 or VLAN 10.
6. On the switch ports where you connect STUDENT APs, make sure those PORTS are set to ACCESS and set to PVID 20 or VLAN 20.

NOTE: Be careful. Export your SonicWALL config before starting. Also trigger a backup: SYSTEM > SETTINGS.
NOTE: If you make a VLAN change and start to have issues or are unable to reconnect to the management page - it depends on what switch you have, but all you have to do is power cycle. The switch will reload back to before you made the changes. So before you do anything at all, MAKE SURE TO FIRST TRIGGER A BACKUP OF THE RUNNING SWITCH CONFIG.

If you get lost or confused, please do not hesitate to ask.
Cheers,
Rob

More good info.

Regarding 'Allow Interface Trust': the TEACHER network can be allowed anywhere, as if connected on a wired connection. The STUDENT network should not be allowed anywhere except the internet through the Content filter. No printers, shares, or other computers.

"You only had one (1) AP connected for X2?" Yes, this was only for testing. The 8 access points will eventually be connected to an additional switch that is connected to the X2 interface.
But you said that the switch connected to X2 should be managed and configured with VLANs. I thought unmanaged switches ignore VLAN tagging and just pass everything along. Are you saying that unmanaged switches strip out the VLAN tag?

Sorry, I misspoke. My managed switch is connected to X0 and my internet modem is connected to X1, like it should be.

From your posts, I think I might have narrowed down the issue. Creating an additional virtual interface for the teachers and one for the students sounds like the fix, and if that doesn't work, then putting a managed switch on X2 and configuring the appropriate VLANs like you describe should do the trick. The SonicWALL isn't dropping the VLAN 2 packets when I connect to the student network, but it's also not passing them to the appropriate VLAN interface so that it gets the right address.

Dbeato, I also agree with leaving the interface on the flat network - he had it working, but the main Network DHCP server started leasing out to his wireless network. Who knows what other challenges he could face. But you are correct. Yes, some unmanaged switches will work perfectly, but only in the right environment or deployment. That said, some switches will not work at all. Enable the UTM packet capture and you can quickly review frames for tags, etc. If I were you, I would try everything suggested and see which fits best.

In some cases you may need to use IP Helper. If so, you can run a Tech-Support report - it can get really big, so filter as best as you can. This report along with captures is always helpful. The diagram is worth trying first, but if my gut is correct, you may end up having to create sub-interfaces for each VLAN - easier than sniffing for conflicts/incompatibilities from the flat side.
Later,
Rob

Update: So I tried a couple of things, since I don't have a second managed switch.

I connected the EAP300 that has the 2 SSIDs to the X2 port, and the clients that connect to the AP get an address from the SonicWALL's DHCP scope that is assigned to X2. I have two virtual interfaces on X2 (Teachers and Students), and no matter what SSID I connect to, I still get an address from the X2 scope and NOT the virtual interface scope. I checked the packet inspector on the SonicWALL and it appears that the VLAN tagging is not making its way to the SonicWALL at all, as the VLAN tagging doesn't even appear in the packet details.

I think it's these cheapo EnGenius EAP300 access points, and good luck getting support for these things. I'm going to try a different access point to see if it passes the VLAN to the SonicWALL. Anyone from EnGenius, or anyone have experience with these things? With that said, I'm not in the market for about 8 new dual band APs for our school.

I was finally contacted by EnGenius, and they said there is a checkbox next to the SSID that activates the VLAN tagging. Without it, it just passes traffic. Unfortunately it's not that intuitive, because it makes it look like by checking it you want to isolate or separate the clients that connect to that particular SSID. I think it's bad design to allow for VLAN tagging and then not force the user to choose isolation or not, or at least make it more clear what that checkbox does. It's not in any of their documentation that I found. This is what some APs do for security, obviously. I'm going to give it a try, enabling Isolation and plugging everything in according to the best answer above. If it doesn't work, I'm buying better APs. But I'm confident it should work.

I put together a lab for you - it worked perfectly. I initially used a Dell PowerConnect N2000 L2 Switch but figured I'd simplify it with a $30 Managed Switch. I would not deploy using the inexpensive consumer switch.
Check out the picture. As you know, there are a lot of folks that don't have $$$ to invest - I had thousands of those clients. So for many years, I have gotten dozens of different APs to work like this.

The isolation you spoke of above is something you want. The way that part works, for example: 10 students connect to the STUDENT network - they will not be able to "see" or "sniff" the other STUDENT connections. Just like at a hotel, when you connect, if done correctly, you should not see anything about other connected users. It appears like you are by yourself, on your own virtual island. Cleaner, safer.
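The thread above comes down to two checks: does an 802.1Q tag actually reach the firewall (the poster's packet-inspector finding), and once it does, which sub-interface, zone and access rule decide the packet's fate. The model below is an added example, not code from the thread or from SonicWALL. It builds a few constructed Ethernet frames with a minimal IPv4 header, parses the tag the way a packet inspector would, applies the access-port/PVID behaviour Rob describes (an untagged frame takes the port's PVID; native VLAN 1 leaves the trunk untagged and so lands on the X2 root), maps the VID to X2:V10/TEACHER or X2:V20/STUDENT, and evaluates a rule table written from his advice (STUDENT only to WAN, 'Allow Interface Trust' unticked). The LAN subnet 192.168.1.0/24, the TEST-NET destination standing in for the Internet, the MAC addresses and the rule table are assumptions; the .3 and .4 scopes are the ones named in the thread.

```python
"""Added example: AP -> switch port (PVID) -> X2 / X2:V10 / X2:V20 -> zone -> access rule.
Constructed frames and an assumed rule table; not the poster's captures or SonicWALL code."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1          # untagged traffic on the trunk belongs to VLAN 1

# Tagged VID -> (sub-interface, zone). Untagged traffic lands on the X2 root, which is
# left unassigned per the thread, so it has no zone and nothing is forwarded from it.
SUBINTERFACES = {10: ("X2:V10", "TEACHER"), 20: ("X2:V20", "STUDENT")}

# Destination zones by subnet. LAN is an assumption; .4 and .3 are the thread's scopes.
ZONE_SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "TEACHER": ipaddress.ip_network("192.168.4.0/24"),
    "STUDENT": ipaddress.ip_network("192.168.3.0/24"),
}

# Access rules, first match wins; anything unmatched is denied (no STUDENT<->TEACHER rule
# exists because 'Allow Interface Trust' is assumed unticked).
ACCESS_RULES = [
    ("STUDENT", "LAN", "deny"),
    ("STUDENT", "WAN", "allow"),   # Internet only, CFS applied on the zone
    ("TEACHER", "LAN", "allow"),
    ("TEACHER", "WAN", "allow"),
]

@dataclass
class Frame:
    vid: Optional[int]   # None when no 802.1Q tag is present
    ethertype: int
    payload: bytes

def build_frame(ethertype: int, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet II frame with constructed MACs, carrying an 802.1Q tag if vid is given."""
    hdr = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(raw: bytes) -> Frame:
    """Detect a tag and pull out the 12-bit VID: the check done in the packet inspector."""
    ethertype = struct.unpack_from("!H", raw, 12)[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack_from("!HH", raw, 14)
        return Frame(tci & 0x0FFF, inner, raw[18:])
    return Frame(None, ethertype, raw[14:])

def ipv4_packet(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no transport data); only src/dst matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def switch_egress_vid(frame: Frame, port_pvid: int) -> Optional[int]:
    """Untagged ingress is assigned the port's PVID; a tagged frame passes as on a trunk.
    Toward X2 everything leaves tagged except native VLAN 1, which stays untagged."""
    vid = frame.vid if frame.vid is not None else port_pvid
    return None if vid == NATIVE_VLAN else vid

def dest_zone(dst_ip: str) -> str:
    addr = ipaddress.ip_address(dst_ip)
    return next((z for z, net in ZONE_SUBNETS.items() if addr in net), "WAN")

def evaluate(raw: bytes, port_pvid: int) -> dict:
    """Walk one frame from the AP's switch port to an allow/deny decision."""
    frame = parse_frame(raw)
    vid_on_trunk = switch_egress_vid(frame, port_pvid)
    if vid_on_trunk is None:   # the poster's symptom: no tag reaches the firewall
        return {"tag_seen_by_firewall": False, "interface": "X2", "zone": None,
                "action": "drop (X2 unassigned)"}
    iface, zone = SUBINTERFACES.get(vid_on_trunk, (None, None))
    if iface is None:
        return {"tag_seen_by_firewall": True, "interface": None, "zone": None,
                "action": "drop (unknown VLAN)"}
    dzone = dest_zone(str(ipaddress.ip_address(frame.payload[16:20])))
    action = next((a for f, t, a in ACCESS_RULES if f == zone and t == dzone), "deny (no rule)")
    return {"tag_seen_by_firewall": True, "interface": iface, "zone": zone,
            "dst_zone": dzone, "action": action}

if __name__ == "__main__":
    to_share = ipv4_packet("192.168.3.50", "192.168.1.10")
    # 1. AP not tagging, port at default PVID 1: frame stays untagged, hits the X2 root.
    print(evaluate(build_frame(ETHERTYPE_IPV4, to_share), port_pvid=1))
    # 2. Same AP on an ACCESS port with PVID 20: the switch supplies the tag.
    print(evaluate(build_frame(ETHERTYPE_IPV4, to_share), port_pvid=20))
    print(evaluate(build_frame(ETHERTYPE_IPV4, ipv4_packet("192.168.3.50", "203.0.113.5")), 20))
    # 3. AP tagging the SSID itself (VID 10) through the trunk port.
    print(evaluate(build_frame(ETHERTYPE_IPV4, ipv4_packet("192.168.4.20", "192.168.1.10"), 10), 1))
    # 4. STUDENT to TEACHER: no rule, so the implicit deny applies.
    print(evaluate(build_frame(ETHERTYPE_IPV4, ipv4_packet("192.168.3.50", "192.168.4.20"), 20), 1))
```

Case 1 reproduces the thread's failure mode without any DHCP involved: a frame that leaves the switch untagged can only ever reach the parent interface, so the sub-interface scopes are never consulted. Cases 2 and 3 show that either the AP or the switch port may supply the tag, and the firewall policy is then decided entirely by the zone pair.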