
False IP Spoofing Errors on Load Balanced Sonicwall


By steve - Posted on 18 June 2012

I have a Sonicwall TZ200 with 3 internet connections that are set up to be load balanced. The internet connections are from 3 different providers providing a T1, an 8mb DSL, and a 24mb cable connection.

Connection A: T1 with public services behind a NAT firewall
Connection B: DSL
Connection C: Cable

Everything is peachy and load balancing works.

However, I wanted to set up a WLAN that didn't touch any of my primary network. The idea was to use this WLAN for guests. I could give them access to that and not worry about them having access to my internal resources, killing my DHCP addresses with their previously-assigned-home-addresses, or infecting the rest of my network with some lame malware.

Connection A: T1 with public services behind a NAT firewall
Connection B: DSL
Connection C: Cable <- Attached Router with WLAN

I picked up a nice industrial style wireless router and wired it to my cable modem. The cable modem has a static IP address range assigned to it. I let the wireless router pull an internal address from the cable modem, though (10.1.10.10), and I was up and running.

The only thing was, whenever I tried to access the publicly available services behind my primary IP address (the NAT'ed devices on my business network), the Sonicwall would tag the traffic from my new WLAN as an IP SPOOF attempt and block it.

See, the Sonicwall looks at traffic coming in from Connection A and sees Connection C's IP address on it. Figuring that can't be (X1 should not be getting traffic from X3), the Sonicwall protects me. But I don't want that!

I tried a couple of things like manually routing traffic to the directly connected port and a few other things, and a little Googling did little for me.

The ultimate solution turned out to be kind of elegant...

See, I get a subnet of 5 usable static addresses on my cable connection. The mask is 255.255.255.248. So my modem is on x.x.x.206 and my X3 Sonicwall connection is on x.x.x.201.

  • On the Sonicwall X3 I took the subnet mask and changed it to 255.255.255.252 (allows 2 hosts) and left the IP as x.x.x.201
  • Changed the IP address on the WLAN router connected to my modem from dynamic (pulling 10.1.10.10) to the static IP of x.x.x.204 with a mask of 255.255.255.252
  • Left my modem at x.x.x.206 and 255.255.255.248

So what that did is tell the Sonicwall that the only thing to expect from X3 would be x.x.x.201 and x.x.x.202 traffic, not everything between x.x.x.201 and x.x.x.205.
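As an added example that is not part of the original post, the following Python models the "is this source address local to some other interface?" check behind the spoof flag and shows how the mask change on X3 takes x.x.x.204 out of that interface's subnet. The 203.0.113.0/24 and 198.51.100.0/24 ranges are RFC 5737 documentation addresses standing in for the post's real "x.x.x" addresses, the X1 address is made up, and the check is a simplified model of the firewall's behaviour, not Sonicwall's actual implementation.

```python
# Added example (not from the original post): a simplified model of a firewall's
# "IP spoof" check, used to show why narrowing X3 from /29 to /30 stops the guest
# WLAN router's traffic from being flagged when it arrives via X1.
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing
# in for the post's "x.x.x" addresses; the X1 address is constructed.
from ipaddress import ip_address, ip_interface


def build_interfaces(x3_prefix_len):
    """Firewall interfaces as name -> interface address. Only X3's mask varies."""
    return {
        "X1": ip_interface("198.51.100.10/24"),                    # T1 side (constructed)
        "X3": ip_interface(f"203.0.113.201/{x3_prefix_len}"),      # cable side, stands in for x.x.x.201
    }


def spoof_check(ingress, src, interfaces):
    """Return (verdict, reason) for a packet with source `src` arriving on `ingress`.

    Flag it when the source address falls inside the directly connected subnet of
    a *different* interface: the firewall expects such addresses only on that interface.
    """
    src_ip = ip_address(src)
    for name, iface in interfaces.items():
        if name != ingress and src_ip in iface.network:
            return ("SPOOF", f"{src} is inside {name}'s subnet {iface.network} but arrived on {ingress}")
    return ("PASS", f"{src} is not local to any interface other than {ingress}")


def guest_wlan_verdict(x3_prefix_len, wlan_router_ip="203.0.113.204"):
    """Guest WLAN traffic reaches the public servers through the T1 (X1) carrying
    the WLAN router's public address as source; return the verdict for a given X3 mask."""
    return spoof_check("X1", wlan_router_ip, build_interfaces(x3_prefix_len))[0]


if __name__ == "__main__":
    for plen in (29, 30):
        x3_net = build_interfaces(plen)["X3"].network
        hosts = [str(h) for h in x3_net.hosts()]
        print(f"X3 = 203.0.113.201/{plen}: local subnet {x3_net}, expected hosts {hosts}")
        print("  WLAN router traffic seen on X1 ->", spoof_check("X1", "203.0.113.204", build_interfaces(plen)))
```

With the /29 mask the X3 subnet spans .200 to .207, so .204 is "X3's" and gets flagged on X1; with /30 the subnet is .200 to .203 and the same packet passes.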

I might have been able to JUST change the Sonicwall X3 subnet to get this to work, but I didn't have time to try everything. Plus, I didn't want to have different settings in subnet masks and have someone "fix" them later when they didn't seem to be the same between the WLAN router and the Sonicwall.

Anyway, that did the trick and now the Sonicwall doesn't flag that traffic and my guests can also access my public servers.

Yay!
