July 25th, 2005, 11:15 PM
SonicWALL TZ 170
Need some help from the greater experts on what I'm doing wrong here. Here's the scenario:
Office LAN with two gateways (one DSL, the other T1), each protected by an older SonicWALL hardware firewall.
Just purchased a new SonicWALL TZ 170 to review for possibly replacing the old SonicWALL units.
So I have a test box set up in my office that's connected to our LAN. I plugged the SonicWALL into a switch here in my office that's connected to the LAN and placed the test box behind it.
The SonicWALL has successfully receive both a WAN and LAN IP, so it looks like all the connections are working well.
Configuration isn't set yet to block any traffic.
But here's where it gets wierd:
The box behind the TZ 170 cannot ping any other box on the network. Likewise, no computers on the LAN can ping the test box behind the firewall. In fact, they can't even ping the firewall itself.
The firewall, though it shows itself as being connected to the WAN, cannot connect to the Internet to download updates and whatnot. I get the message "DNS lookup failed, please check your DNS server settings".
So, two questions:
(1) What could I be doing wrong? It sees the LAN, sees the WAN, but no connection to the outside world or any other machines?
(2) Would this problem disappear once I connect it directly to the router? Will that make things easier?
July 26th, 2005, 12:23 PM
Is there a DNS server on your LAN?
Does the firewall support Dynamic IP assignment?
Does your firewall attempt to act as a DNS server?
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
July 26th, 2005, 05:55 PM
July 26th, 2005, 09:46 PM
A few thoughts.
Is the firewall pluged into a switch or a hub?
check subnet masks
ip on box behind firewall.
nat settings enabled on new router?
July 26th, 2005, 10:53 PM
Subnet mask properly configured.
IP address manually set on box behind firewall, configured properly with appropriate subnet mask and gateway.
NAT is indeed enabled.
Confusing huh? Thanks guys.
July 26th, 2005, 11:26 PM
what is acting as DHCP server on your LAN Is it another SonicWall or Win2k domain contr.
July 26th, 2005, 11:38 PM
Got a W2k DC handling the DHCP.
Also, I'm going to try plugging it directly into the router after hours today and see if that makes any difference...
July 27th, 2005, 01:40 AM
Please let us know if pluging into router changes the result.
Did you configure the switches and, if you don't mind, what make and model.
I'm thinking that the traffic from the new firewall might be "trapped" at the switch???
I set snmp traps to prevent stupid users from pluging a linksys wireless router into my network. Just a thought
July 27th, 2005, 05:10 PM
i can't go any further w/out knowing your exact setup but
1. make sure that your new firewall doesn't try to act as any kind of server... and is ready to recieve dynamic IP
2. make sure that the ADC/PDC gives correct information via DHCP... you should have it set up as PDC and make all DNS requests go throught it (after that... you can resolve them from you ISP router or any static IP you've got)
edit: win2k servers are picky bastards about controlling everything... the AD depends on it
3. restart shutdown your DHCP services and make sure that the IP pool is big enough ... ****... enlarge it even more
i think that (if the switch is ok) this is a simple matter of chaining the devices properly. hope this helps ...let us know what it was
July 28th, 2005, 09:21 PM
Attaching it to the router fixed the problem. Now all boxes on the LAN can to talk to each other, the WAN, and the firewall with no problems.
But now, I have a new problem!
Ever since the new firewall was put in, our DSL has slowed down. It seems something's clogging at the firewall. So I tried to access the DSL router's web panel, and instead it timed out and never connected.
So after some detective work, I decided to plug a laptop directly into the router, thus bypassing the firewall. Entered the IP into my web browser again, and sure enough, it connected and logged me right on.
So evidently the firewall is blocking web access from any machine within the LAN to the router.
Also, this keeps appearing the log:
Malformed or unhandled IP packet dropped 192.168.1.254, 0, WAN 126.96.36.199 IP Protocol 2
I added a rule to allow all traffic from the LAN to the IP address of the router. Didn't help.