interfacesonicwallsubnet
I have two interfaces on NSA 220 configured as follows
Real interface X2
192.168.1.1/24
LAN Zone
Virtual interface X2:V1
192.168.2.1/24
VLAN ID 100
LAN Zone
In this configuration computers in any of the subnets above can successfully reach each others, what I need to do is to block traffic between these two subnets?
How do I do this?
fter a long series of testing and support calls, Sonicwall produced a 'hotfixed' firmware that seems to fix this issue by adding a check box in the interface configuration to allow duplicate MAC addresses for devices that have multiple IP addresses on a single interface. So far this has proved to resolve the issue.
Hotfix # 142099
No word yet on if this will be released into the next production firmware but the tracking ID for this is the same as the hotfix # and should be referenced in release notes.
I had previously answered this but the answer was deleted...
One option is to connect both switches together and create two vlans that span across both switches. Connect the routers and the WAN side of the FW to VLAN 1. Connect the LAN side and the servers to VLAN 2. If you run HSRP on the routers, that is your default gatewway for the firewall. Here is a logical diagram. Let me know if you need help configuring trunking on the switches.
Best Answer
By default the LAN Zone has Interface Trust enabled, which means all interfaces within the same Zone trust each other (pass traffic). Go to Network, Zones, and Edit the Zone in question (LAN) and remove the checkmark from Allow Interface Trust. This will remove the auto-added LAN<->LAN Allow ANY/ANY/ANY rule.
Alternatively if these are NOT really both part of the same Zone (security context) then either change one of the interfaces to a different Zone (eg. DMZ) or create a new Zone. By default traffic between Zones is only allowed from "more trusted" to "less trusted" (but not the other way. Eg. from LAN to DMZ but not DMZ to LAN).