SonicWALL Pro 230 -- help with reconfiguration?

David Wolfskill david at catwhisker.org
Mon Sep 6 17:53:48 PDT 2010


Someone I know has a SonicWALL Pro 230, and needs help getting it
reconfigured, for which he's willing to pay.

He had it set up so that:

* The DMZ port was unused.
* There was one server outside the firewall (on the same net as the
  Internet router & the WAN port of the SonicWALL).
* The machines in the net on the LAN port were also using the same
  routable /24 that he had been assigned by his provider.
* Each machine has its address hand-assigned.

He's planning to switch ISPs, and the new ISP won't provide a /24 --
the biggest subnet he can get is a /29.

Since the SonicWALL supports NAT, I put together a plan for him to
migrate to a state where:

* All publicly-accessible machines are on the DMZ net.
* All machines in the DMZ use a private net & NAT.
* All machines in the LAN use a private net & NAT.
* The SonicWALL's DHCP server is activated & used for the LAN.

The idea is that once the config is fixed, he'll only need to change the
one address, and he's good to go.  (Yeah, there's some DNS stuff to deal
with....)

We got partway through -- the servers are on the DMZ, but using their
routable addresses -- and now, when he switches the SonicWALL to NAT
mode & sets the LAN NIC to 192.168.168.253/24, the LAN becomes pretty
much unusable.

It turned out that he had 90 access rules, many of which referred to the
old routable address ranges.  I've talked him through reducing the
number of rules, but he really doesn't want to break access to his Web
server.  (He has all services local on premises -- no colo.)

I confess that I have no prior experience wrangling a SonicWALL device,
though I'm fairly familiar with the general principles -- my home
firewall is a triple-homed "beige box" running FreeBSD.  And I'm fairly
confident that I could put together a machine that would handle the
traffic, routing, blocking, and NAT, but the UI would be ... unpleasant.

While he & I have a good working relationship, I don't believe he's
being well-served by my lack of competence here.  I'm out of my depth,
and either need someone to take over for this, or teach me the error of
my ways.  

Help?

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
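The message above attributes the unusable LAN to a large rule set still referencing the old routable /24. As an added example (not part of the original post, and not SonicWALL's own rule syntax or export format), the following script shows how to audit an access-rule list against the planned address scheme before the cutover, so stale rules are found by inspection rather than by outage. Only the LAN subnet 192.168.168.0/24 comes from the message; the old /24, the new /29 and the DMZ subnet are constructed placeholders from the RFC 5737 documentation ranges and private space, and the `Rule` record is a hypothetical generic form of a firewall rule.

```python
import ipaddress
from dataclasses import dataclass

# Address plan for the migration. Only the LAN subnet (192.168.168.0/24) is
# from the message; the other networks are constructed placeholders.
OLD_ROUTABLE = ipaddress.ip_network("203.0.113.0/24")   # the old provider /24
NEW_WAN = ipaddress.ip_network("198.51.100.8/29")       # the new provider /29
NEW_DMZ = ipaddress.ip_network("192.168.200.0/24")      # private DMZ behind NAT
NEW_LAN = ipaddress.ip_network("192.168.168.0/24")      # private LAN behind NAT

CURRENT_NETS = (NEW_WAN, NEW_DMZ, NEW_LAN)


@dataclass(frozen=True)
class Rule:
    """One access rule in a generic form (hypothetical, not the device's syntax)."""
    name: str
    src: str      # single address, CIDR block, "any", or a named object
    dst: str
    service: str
    action: str   # "allow" or "deny"


def _classify_endpoint(value):
    """Map one endpoint to 'any', 'old', 'current' or 'unknown'."""
    if value.lower() == "any":
        return "any"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "unknown"          # named objects, hostnames, malformed entries
    if net.version != 4:
        return "unknown"          # plan above is IPv4 only
    if net.subnet_of(OLD_ROUTABLE):
        return "old"
    if any(net.subnet_of(n) for n in CURRENT_NETS):
        return "current"
    return "unknown"


def classify_rule(rule):
    """'stale' if either endpoint sits in the retired /24, 'review' if an
    endpoint cannot be placed in the plan, otherwise 'current'."""
    kinds = {_classify_endpoint(rule.src), _classify_endpoint(rule.dst)}
    if "old" in kinds:
        return "stale"
    if "unknown" in kinds:
        return "review"
    return "current"


def audit(rules):
    """Group rule names by classification for a pre-cutover review."""
    report = {"stale": [], "review": [], "current": []}
    for rule in rules:
        report[classify_rule(rule)].append(rule.name)
    return report


# Constructed sample rule set, mixing pre- and post-migration entries.
SAMPLE_RULES = [
    Rule("web-in", "any", "203.0.113.10", "http", "allow"),        # old routable web server
    Rule("dmz-web-in", "any", "192.168.200.10", "http", "allow"),  # same server, new DMZ address
    Rule("lan-out", "192.168.168.0/24", "any", "any", "allow"),
    Rule("old-lan-out", "203.0.113.0/24", "any", "any", "allow"),  # LAN before NAT
    Rule("mgmt", "192.168.168.253", "192.168.200.0/24", "ssh", "allow"),
    Rule("legacy-obj", "HostGroup_Servers", "any", "smtp", "allow"),  # named object, check by hand
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_RULES).items():
        print(f"{kind:8s} {len(names):3d}  {', '.join(names)}")
```

Rules flagged `stale` are the ones to rewrite (or delete) against the new DMZ and LAN subnets; `review` entries use named address objects whose membership has to be checked on the device itself. Running the audit again after the edits, with the old /24 still defined, confirms nothing continues to depend on the retired range before the WAN address is changed.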