sonicwall
Sonicwall NSA-240 – Fully patched and updated.
X0=LAN 192.168.1.0 (primary site)
X1-WAN1 10.10.10.2
X2-WAN2 70.151.12.10
X1-WAN1 192.168.100.0 (secondary site)
I now have a new ATT MPLS circuit on WAN1. Traffic from our secondary site that is destined for our X0 subnet is routed over WAN1 via ATT cloud based firewall.
I need to allow all traffic from 192.168.100.0 on WAN1 access to the LAN.
I am thinking transparent or L2 bridge mode? Any help appreciated.
With the Sonicwall Enhanced OS you can define Address Objects and Service objects to make management much simpler. First, make sure your host or server is listed as an Address Object under Network -> Address Objects. Then move on to Network -> Services to add your services you wish to route. Note that you can add individual services and put them into groups. This makes it simpler to route items based on individual ports or port groups.
Once your Address Object and Services are ready, go to the Firewall->Access Rules and make sure you Allow the service(s) you wish to route from the WAN to LAN zones. Now that you've allowed the traffic you can go to Network -> NAT policies and click Add at the top. Here you will use the Address Object and Service/Service group that you created.
Above you see that the source is ANY allowing all external IPs, the Translated Source keeps the original information, the Original destination is your WAN IP of your WAN interface, the Translated Destination is your target host, and the Original Service is the ports you wish to map to that target server. You can translate the services if you like, for instance routing port 3390 to 3389 for RDP on a machine to avoid registry hacks but ensure you have a reverse rule enabled for the outbound path. You can also define which interfaces this policy is bound to if you like, so for your example the Inbound would be x1 and Outbound x5.
This should allow you to point to your external IP for these services via x.x.x.x:port and route to the target server.
EDIT:
For the internal routing under Network-->Zones choose LAN and check the box for Allow Interface Trust. This should allow traffic to flow between interfaces. Keep in mind this does open all LAN interfaces to share traffic so any segmentation that is currently configured may be broken. If you do not wish for all traffic to be trusted between interfaces then do not use this option.
For specific LAN routing you can manually add a route from x5 subnet to x0 subnet over any service with the local gateway (0.0.0.0) and use the x0 interface. If you wish to route directly to an individual host then select it as your Destination instead of the x5 Subnet. Make sure that there is a converse rule to allow traffic from that host to the x0 subnet as well.
Since you're doing static DHCP leases in the same subnet based on MAC I would recommend the following:
Use the X0 interface for your LAN and setup the DHCP server with the static leases. To do this look under Network->DHCP Server and select 'Add Static' to set each lease. Use X1, X2 and X3 as your WAN interfaces.
Under Network->Address Objects setup 3 objects as ranges for the IPs you wish to group. Such as X.X.X.1 to X.X.X.51 as IP Group 1.
Under Network->Routing setup static routes for outbound traffic for each range to use the desired gateway. As an example:
SOURCE: IP Group 1 (address object for first IP group) Destination: All WAN IP SERVICE: ANY GATEWAY: X1 Default Gateway (This is the first ISP connection) INTERFACE: X1 METRIC: 2 COMMENT: IP GROUP 1 TO ISP 1
I would also recommend checking 'Disable Route when the interface is disconnected' to allow for low-level failover if the interface gets unplugged.
This will allow you to use 1 LAN interface to accomplish what you wanted to setup.
Best Answer
You do not need transparent mode. Your firewall will forward traffic from the WAN1 to the LAN interfaces, assuming your policies allow it. To configure these policies, you will need to create firewall rules for the LAN to WAN and also be sure to add routes to this firewall and the firewall at your secondary site for 192.168.100.0/24 and 192.168.1.0/24 (respectively) so that traffic will route through the correct gateway.