Networking Question

I’m trying to help out a friend’s office network. I’m going around and around with their ISP’s technical support staff to try and get an issue fixed.

Here’s the story…

They have commercial T1 service with an ISP. Their old employee no longer works there. They haven’t got a clue as to how things are set up or whatever.

They have a SonicWall firewall. It is acting as NAT and DHCP. The LAN side is using a public IP that ends in 242, and they use a passthrough on another IP to a web server, and that IP ends in 243.

This setup worked for them for about a year or more. Then 243 stopped working, the website was unreachable, and they couldn’t browse out on it.

This is when they called me. So I called their ISP, and they told me that the IP addresses I have are wrong. They are designated for equipment. And that the range I should be using starts with a 97. So, I logged into the SonicWall and changed everything to use the new IP range, as well as new Gateway, and new Subnet. But it didn’t work.

I was then told that we lack a router. The 242 number is supposed to be assigned to a router, and the router then distributes the 97 numbers to the other equipment (such as the SonicWall).

This is the part I’m unsure of, and need someone to tell me that it’s correct.

The ISP assigns me two sets of public IP addresses. One set is for equipment like the router. So it looks like this…

IP: 75.161.184.242
GW: 75.161.184.240
SN: 255.255.255.240

The second set of IP addresses is for distribution to other equipment behind the router. And it looks like this…

IP: 97.140.141.130
GW: 97.140.141.129
SN: 255.255.255.248

I assume I then add the 97 address to the WAN IP in the SonicWall.

Is this right? Is that how it normally works? I’m used to home routers where you get an IP address and that is it, none of this two IP address stuff, so I’m a bit confused by what they are telling me, and before I tell them they need to go out and buy a router, I want to make sure my facts are straight.

Thanks
Kevin

I was then told that we lack a router.
The SonicWall device is doing NAT and DHCP? Congratulations, then, it is a router.

I’m used to home routers where you get an IP address and that is it, none of this two IP address stuff,

Your home router also uses two IP addresses. It has an IP address given to it by your ISP with which it communicates with the Internet (Wide-Area-Network ‘WAN’ address), and then it has a range of IP addresses that it uses internally to hand out to your internal network (Local-Area-Network ‘LAN’ addresses).

I assume I then add the 97 address to the WAN IP in the SonicWall.

I think you have it backwards.

This is the WAN address of your router:
IP: 75.161.184.242
GW: 75.161.184.240
SN: 255.255.255.240

This seems to be the static IP address that your ISP says you should allocate to your web server for the pass-through:

IP: 97.140.141.130
GW: 97.140.141.129
SN: 255.255.255.248

I have no idea how you are supposed to set that up. Maybe your SonicWall router has an option that says ‘anything on ethernet port 5 is a passthrough, don’t do any NAT to it, and use this IP address and gateway on the device behind it’.

Cisco calls this ‘One To One NAT’. I don’t know if it’s available on your SonicWall router.

I found a document on google for you off of Sonicwall’s website about how to set up one-to-one NAT on sonicwall devices.

http://www.sonicwall.com/downloads/Creating_One_to_One_NAT_Policies_in_OS_Enhanced.pdf

from:
http://www.sonicwall.com/us/support/2134_3150.html

Thanks guys, but I’m not having problems setting up the SonicWall.

What they are telling me is that, unlike a home network where the router has a public IP address and then hands out 192 private numbers as part of the NAT, the router has TWO public numbers. One is assigned just to the device (the router), and then the other numbers are distributed by the router as public numbers as well.

So the 75.161.184.242 is the IP address given to the router. This is the public side of the router, as I understand it. The WAN side.

The router then distributes another set of public numbers. Which is the 97.140.141.130 - 134 range. The LAN side.

But then I need another device (So in this case, the SonicWall) to grab one of those 97 numbers, and use it for NAT. And use the SonicWall’s passthrough (It has a thing for passthrough) to grab another IP from the 97 range for the static.

What I’m asking, is if that seems right? That the router would have two different IP addresses that are public. One that is set to its WAN side, and then a whole other set of public numbers that it distributes to other devices.

That seems odd to me, but that’s how they say it works.

For the record, if I use the 75 number, assign it to a device and connect out with it, I can browse the Internet no problem. If I use the 97 number, I can’t do anything. They are saying the router maps that public 97 number, somehow, through the router and through the 75 number.

I’m trying to figure out if that’s correct, or if I’m being told something that’s not true.

I can’t tell you if it’s true or not, only your ISP can. I can tell you that’s actually common though. You have the subnet that the router (in your case your Sonicwall) is on to the ISP. Typically this is a small subnet with two hosts, sometimes more if it’s a broadband type connection to the ISP for a business internet service. This sounds like you. It also sounds like the ISP gave you extra addresses on this subnet.

You then get a small subnet for hosted servers, which I think they are telling you as well. In the case of your sonicwall, this would be your “DMZ” usually. In your case it sounds as though either this was unused all along, or that it was given internally and DHCP distributed public addresses. I’m assuming it was never assigned to anything. But it’s possible the web server was on just such a port, and was moved to something different, and thus stopped working.

If your Sonicwall has only two ports marked WAN and LAN though, you’re going to have a tough time using that extra subnet. If it has a third port labeled DMZ or similar, you will be able to assign that extra subnet there, and the hosted web server will sit on that subnet by itself with a registered public address.

Let’s get back to your actual problem though, on your Sonicwall configuration somewhere you should have “static NAT” statements that apply “something” to the .243 address. Can you see if that’s there? What you need to verify here is what was the old IP, and are the rules still in place for it. Is there anything on your Sonicwall device that would indicate it lost config or has an issue?

If needed, PM me and I’ll give you my personal email to help a bit more. I haven’t worked with Sonicwalls in a while but this should be easy to fix as long as the ISP gave you the correct info.

Thanks Skipper, I really appreciate the help.

After a long conversation with the ISP, what he said was that the WAN side uses the one public subnet, and that the LAN side uses the other public subnet. I can use multiple LAN interfaces with the SonicWall. So I don’t need the router between their setup and the SonicWall, which is good.

It’s strange, because when I connect to the SonicWall now, I go to 192.168.50.1 which is the LAN side IP that was assigned to the SonicWall. But what he’s telling me, is that the LAN needs to be a public number in the public subnet. And that they forward the packets that go to the LAN subnet through the WAN subnet on their side.

I dunno… Like I said, it seems strange to me. I understand what he’s saying, but every router I’ve ever communicated with was via the private IP range, and not a public IP number like this.

I’m going to go into their offices tomorrow and tinker around with it and see if I can get it to work like they are saying. If I can’t, I might take you up on helping me figure it out. I’ve just never seen a configuration like this.

What you are describing is what on Cisco routers we call “DMZ on a stick” or “NAT on a stick.” It’s where you configure an additional logical (but unconnected) interface for a public IP subnet, NAT things inside your network to it, but route it out a different public subnet to the ISP. While this is perfectly doable on Ciscos, I don’t think I’ve ever attempted it, nor do I know if it works on a SonicWall, thus I think either they never used the addresses, or they used the default interface for something like that on the SonicWall, usually (old school SonicWalls) labeled DMZ. They may have made this more generic now, so if it’s got multiple interfaces on it, one may be set for lower security and this is the exact same thing.

It sounds to me as though whoever set the SonicWall up originally assumed that because the mask for the ‘equipment’ IP was a /28 rather than a /30* it meant that your friend’s company had been assigned the entire range. Obviously this isn’t the case - we allocate addresses on our radio network in a similar manner; we have a large subnet from which we allocate single static IPs to customers. If a customer wants a larger range then we route that to their single static IP (or we take the first host address in the range for use on our equipment as their next-hop gateway and they can use the rest on theirs, but typically we go for the first option).

What sometimes happens is what seems to have happened here - a customer sees the .240 subnet mask and decides that they’d like another address in the equipment range. Everything is fine and dandy for them until one day we unwittingly allocate that ‘stolen’ address to another customer and both of them start to experience problems as each device sending a packet with that contested address will cause our router to update its ARP cache to point at their network and traffic bound for customer A will go to customer B (and get dropped, more than likely) and vice versa when Customer A reclaims ownership in the ARP table. Thankfully later versions of the software on our CPE radios have an addressing filtering option so we can lock customers down to the addresses that we’ve allocated to them.

Now, you have a couple of options here. First things first though: I’d recommend that you don’t allocate that second block of public addresses to the LAN; keep the LAN addressing private. Unless, of course, your friend is paying you by the hour and you don’t mind spending hours trying to get malware off Windows machines :D

Now, as others have mentioned, check to see if the SonicWall has some kind of DMZ port. It might not be labelled as a DMZ port but there may be the option of designating another port for that function. If I recall correctly - we used to sell SonicWall TZ170s but it’s ages since I’ve seen one - the port may actually be labelled as ‘OPT’ because you can also use it to do WAN failover. Have a good root around the SonicWall’s web UI to see if there’s anything in there of use. Once you find the DMZ option (if it exists) it should be fairly straightforward to figure out and get it running.

Failing that, check the NAT/port-forwarding rules. Your cheaper SOHO firewall/router devices don’t normally support this, but when you’re configuring a NAT rule on a more sophisticated device you can often specifically set the WAN address rather than just selecting ‘WAN Interface’ from a drop-down. So you’d add a rule that ‘says’ packets with a destination of port 80 on 97.140.141.130 should be forwarded to [ip of web server]. You’ll need a reciprocal rule that NATs the web server’s LAN address to 97.140.141.130 since that’s the address that customers will expect to see traffic come back on.

Finally, if the Sonicwall in question doesn’t have either of these features then don’t despair - check to see what version of software is running both in terms of major.minor revisions and in terms of Basic vs. Enhanced. You can upgrade from Basic to Enhanced for the price of a license. Not expensive if I recall correctly.
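The allocation scheme and the ‘stolen address’ symptom described in the post above, as an added example that is not part of the thread: it uses the two blocks Kevin quoted (the single equipment address out of the ISP’s shared /28, and the routed /29 whose first host is the ISP’s next hop) to say which addresses are actually the customer’s, and then scans a few constructed ARP-observation log lines for an address whose MAC keeps changing, which is what an ISP would see when two customers contest one address. The log format and MAC addresses are invented for the example.

```python
"""Added example (not from the thread): which addresses are the customer's,
and a detector for an IP address being contested by two MACs."""
import ipaddress
from collections import defaultdict

# Values from the thread. The /28 is shared with other customers, so only the
# single .242 belongs to this customer; the /29 is routed to them, with .129
# reserved by the ISP as the next-hop gateway.
EQUIPMENT_IP = ipaddress.ip_interface("75.161.184.242/28")
ROUTED_BLOCK = ipaddress.ip_network("97.140.141.128/29")
ROUTED_GATEWAY = ipaddress.ip_address("97.140.141.129")


def customer_addresses():
    """Every address this customer may legitimately configure on a device."""
    usable = {EQUIPMENT_IP.ip}
    usable |= {h for h in ROUTED_BLOCK.hosts() if h != ROUTED_GATEWAY}
    return usable


def classify(ip):
    """Explain why an address is or is not the customer's to use."""
    addr = ipaddress.ip_address(ip)
    if addr == EQUIPMENT_IP.ip:
        return "customer equipment address"
    if addr in EQUIPMENT_IP.network:
        # .243 falls here: same /28, but it belongs to the ISP or another customer.
        return "ISP shared equipment subnet: belongs to ISP or another customer"
    if addr == ROUTED_GATEWAY:
        return "ISP next-hop gateway for the routed block"
    if addr in ROUTED_BLOCK:
        return "routed block: customer host address"
    return "not allocated to this customer"


# Constructed ARP observations: "<time> <ip> <mac> <port-seen-on>".
# .243 is claimed by two different MACs on two ports; .242 is stable.
ARP_LOG = """\
09:00:01 75.161.184.243 00:11:22:33:44:55 port7
09:00:31 75.161.184.243 00:11:22:33:44:55 port7
09:01:02 75.161.184.243 66:77:88:99:aa:bb port12
09:01:33 75.161.184.243 00:11:22:33:44:55 port7
09:02:04 75.161.184.242 00:11:22:33:44:55 port7
"""


def arp_flaps(log_text):
    """Count MAC changes per IP; any IP with flaps > 0 is being contested.

    Returns {ip: {"flaps": n, "owners": [(mac, port), ...]}} for contested IPs.
    """
    last_mac = {}
    flaps = defaultdict(int)
    owners = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, ip, mac, port = parts
        owners[ip].add((mac, port))
        if ip in last_mac and last_mac[ip] != mac:
            flaps[ip] += 1
        last_mac[ip] = mac
    return {
        ip: {"flaps": flaps[ip], "owners": sorted(owners[ip])}
        for ip in owners
        if flaps[ip]
    }


if __name__ == "__main__":
    for ip in ("75.161.184.242", "75.161.184.243", "97.140.141.129", "97.140.141.130"):
        print(ip, "->", classify(ip))
    for ip, info in arp_flaps(ARP_LOG).items():
        print("contested:", ip, info)
```

The classification is the check to run before putting any address on a device: an address that sits in the same /28 as the equipment IP is not automatically yours, which is exactly the mistake the post describes with .243. The flap counter is the ISP-side view of the same mistake; on a customer firewall the equivalent signal is the ‘duplicate IP’ or ‘ARP moved’ warning in its logs.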

Yeah, on a decent firewall/router you can usually assign multiple public IP addresses to a single external interface. While you choose one of these as the gateway for your LAN, you can use the other(s) as static maps to other internal devices. You don’t necessarily need a separate physical DMZ port to accomplish this.
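The NAT-rule approach from the two replies above (a port-80 forward on the second public address, its reciprocal outbound rule, and the ordinary LAN masquerade behind the equipment address), as an added example that is not part of the thread and not SonicWall configuration: a small Python model of the translation table, so the effect of leaving out the reciprocal rule can be seen directly. The web server’s LAN address (192.168.50.20), the LAN range (192.168.50.0/24, taken from the 192.168.50.1 mentioned earlier) and the client address are constructed assumptions.

```python
"""Added example (not from the thread): a model of the NAT rules described
in the replies, showing why the reciprocal outbound rule is required."""
import ipaddress
from dataclasses import dataclass, replace

WAN_IP = "75.161.184.242"      # equipment address from the thread; LAN masquerade
WEB_PUBLIC = "97.140.141.130"  # second public address from the thread
WEB_SERVER = "192.168.50.20"   # assumed LAN address of the web server
LAN = ipaddress.ip_network("192.168.50.0/24")  # assumed; thread shows .50.1 as LAN IP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def inbound(pkt):
    """Rule from the post: dst 97.140.141.130:80 -> forward to the web server.

    Anything that matches no rule is dropped (None), so only port 80 is exposed.
    """
    if pkt.dst == WEB_PUBLIC and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return None


def outbound(pkt, reciprocal=True):
    """Reciprocal rule first, then plain masquerade for the rest of the LAN.

    With reciprocal=False the web server's replies leave from .242 like any
    other LAN host, which is the misconfiguration the post warns about.
    """
    if reciprocal and pkt.src == WEB_SERVER:
        return replace(pkt, src=WEB_PUBLIC)
    if ipaddress.ip_address(pkt.src) in LAN:
        return replace(pkt, src=WAN_IP)
    return None


def round_trip(client_ip, reciprocal=True):
    """Client connects to the website; return the source address of the reply."""
    request = Packet(client_ip, 51000, WEB_PUBLIC, 80)
    inside = inbound(request)
    if inside is None:
        return None
    reply = Packet(inside.dst, 80, inside.src, inside.sport)
    outside = outbound(reply, reciprocal)
    return outside.src


def client_accepts(client_ip, reciprocal=True):
    """A client only matches a reply to the address it sent the request to."""
    return round_trip(client_ip, reciprocal) == WEB_PUBLIC


if __name__ == "__main__":
    print("reply src with reciprocal rule:   ", round_trip("203.0.113.7"))
    print("reply src without reciprocal rule:", round_trip("203.0.113.7", False))
    print("client accepts (with / without):", client_accepts("203.0.113.7"),
          client_accepts("203.0.113.7", False))
```

The `reciprocal=False` path shows the failure mode: the request is forwarded correctly, the server answers, but the answer goes out stamped with .242 and the client’s stack discards it because it never sent anything to that address. The same model also shows the second point made above: both .242 and .130 live on the one external interface, and the only thing that decides which one a packet uses is the rule set.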

Ok, thanks for everyone’s help and comments. I did manage to get this working today. Just like you suggested, I created a new interface and pointed the Gateway on the server to that interface’s IP. Everything came together after that.

Chalking the whole thing up as a learning experience. Never saw that kind of config before, but I’m glad there weren’t any extra router purchases required to get it all done.

Thanks again!

Glad you got it working Kevin, another notch on your IT belt sir! :)

Glad to hear you got it sorted! If you do any more work in this area you’ll quickly get used to that kind of topology. You can achieve something similar without the use of a DMZ but it quickly gets complicated when you start throwing things like SIP+RTP or FTP into the mix.