Re: SonicWall SOHO2 DHCP client without NAT; or without an IP address?
From: wailakig (wailaki@batnet.com) Date: 03/16/02
- Next message: Dr. Bob: "Re: What is the best firewall around?"
- Previous message: NT Canuck: "Re: What is the best firewall around?"
- In reply to: Kartik Subbarao: "Re: SonicWall SOHO2 DHCP client without NAT; or without an IP address?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: wailaki@batnet.com (wailakig) Date: 16 Mar 2002 09:44:22 -0800
Hi Kartik:
The short answer to almost every one of your questions is no,
unfortunately. However, I'll try to explain why, and then ultimately,
even solve the VPN issue.
If you have only one dynamic IP from Comcast, you must use 'NAT w/
DHCP client' mode on the General - Network screen.
You also cannot use the DHCP passthrough feature in that scenario,
because the public IPs given out to Comcast DHCP lessees are not the
IPs you need on your LAN. Usually you would use non-routable IPs like
10.x.x.x or 192.168.x.x on your LAN, since NAT is on.
You cannot acquire more than one dynamic, real IP from Comcast with
your SonicWALL appliance under any circumstances.
The DHCP passthrough feature doesn't appear to work in my limited
testing, even with v.6.2.0.0. This feature is intended for use in
situations in which the gateway router is onsite, and running NAT and
DHCP server for LAN workstations. Plus, in those situations, the
SonicWALL itself cannot get a dynamic IP from that router, without
itself running a second layer of NAT (trust me, two layers of NAT are
reserved for those sysops who like trouble :-) ).
btw, SonicWALL VPN is designed for use when NAT is on, so that is not
your problem.
If you're using the v.6.2.0.0 GroupVPN feature and find that users
connect only for about 3 minutes, there is a known fix for this
behavior.
Log in normally, using http://(lanipaddress), then use
http://(lanipaddress)/diag.html (then go to Advanced Prefs); this
undocumented page has many dangerous settings on it, but you can use
it to disable 'IKE dead peer detection.' Submit the change at the
bottom of that screen.
You'll know this is the right fix if GroupVPN users' Log Viewer shows
lots of keepalive entries around the time of the disconnect. Those
users are probably behind a NAT device themselves, which is blocking
incoming IKE (UDP #500).
-- JohnL
Kartik Subbarao <subbarao@computer.org> wrote in message news:<3C920F95.8040008@computer.org>...
> SonicWall has a checkbox option "Allow DHCP Pass Through", but if you
> turn that on, you lose the ability for the SonicWall to get its OWN IP
> address via DHCP. So it doesn't solve my problem completely :-(
>
> I'm actually fairly optimistic, though, that addresses *won't* change
> often. Because I'll be able to consistently renew the same address lease
> via DHCP. Unless Comcast's DHCP server crashes and forgets about its
> leases, I can't see why I wouldn't be able to renew the same DHCP
> address again and again.
>
> -Kartik
>
> Lurker#2 wrote:
> > Kartik,
> > I've never tried it, but, you should be able to do this by
> > - Turning off NAT
> > - Creating a rule allowing UDP 68 LAN to WAN
> > Of course by doing this you won't be able to create any "machine specific"
> > rules.
> > i.e. allow outbound port 21 only for <ip address>
> > because addresses will change from time to time.
> >
> >
> > "Kartik Subbarao" <subbarao@computer.org> wrote in message
> > news:3C915738.6010506@computer.org...
> >
> >>Short version: Is there any way for the SonicWall SOHO2 to get its own
> >>IP address via DHCP, but NOT perform NAT at the same time? What I want
> >>is for the SonicWall AND the systems behind it to get their IP addresses
> >>*directly* from Comcast's DHCP server (I've purchased additional IP
> >>addresses from Comcast). I *don't* want the SonicWall performing NAT, as
> >>it degrades my VPN and other applications.
> >>
> >>Alternatively, is there any way for the SonicWall to not need a
> >>(routable) IP address itself -- just apply rules to any traffic going
> >>between its WAN and LAN links?
> >>
> >>Okay, now for the long version:
> >>
> >>I used to subscribe to Comcast @Home Pro's service, which provided
> >>static IP addresses. This worked fine -- I would statically assign the
> >>IP address of the SOHO2, as well as the other systems. But as we all
> >>know, @Home went bankrupt and Comcast came out with their own network,
> >>and they don't currently give out static IP addresses with their Pro
> >>service. Since the SonicWall seems to need an IP address, I need to
> >>obtain one for it via DHCP. I also want the systems behind it to get
> >>real IP addresses (since I run VPN and related things that don't take
> >>well to NAT). But when the SOHO2 is configured as a DHCP client, that
> >>automatically turns on NAT for the systems behind it :-(
> >>
> >>I've noticed that the IP addresses I get from Comcast's DHCP server are
> >>within a limited range, and the gateway and subnet mask are always the
> >>same. So in this case, it would be possible to have the SonicWall obtain
> >>its IP address and gateway information independently of the systems
> >>behind it. Does anyone have any recommendations on how I can configure
> >>the SOHO2 to do what I want? Right now I'm limping along with NAT, and
> >>my VPN connections hang regularly.
> >>
> >>One idea I'm thinking about is setting up the SOHO2 to get its IP
> >>address once via DHCP, and then set it back to static mode. I would then
> >>periodically issue a DHCP Request packet from another computer (using
> >>the "relay agent" feature of DHCP) on *behalf* of the SOHO2, to renew
> >>its IP address. Assuming that the renew request doesn't fail, this might
> >>be workable.
> >>
> >>But ideally, I'd like to not have to play those kinds of DHCP games and
> >>keep things simple. Any technical solutions from the firewall/router
> >>wizards? Or are there any other firewalls within the price range of the
> >>SOHO2 that could do what I want? Or does anyone know if I can buy static
> >>IP addresses from Comcast? :-)
> >>
> >>Thanks in advance for any suggestions.
> >>
> >>-Kartik
> >>
> >
> >
> >
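JohnL's diagnostic above is that a burst of IKE keepalive entries in the Log Viewer shortly before a GroupVPN user drops points to dead peer detection firing against a client behind NAT. The script below is an added example, not code from the thread or from SonicWALL: it parses a small constructed log (the line format, peer addresses and message texts are invented for illustration and do not match real SonicWALL output) and, for each disconnect, counts that peer's keepalives in the preceding window so that DPD-style drops can be told apart from ordinary logoffs.

```python
"""Correlate IKE keepalive bursts with VPN disconnects in firewall logs.

Added example for this thread; the log format, peers and messages below
are constructed and are not real SonicWALL Log Viewer output.
"""
import re
from datetime import datetime, timedelta

# Constructed line format: "<YYYY-MM-DD HH:MM:SS> <category> <message> peer=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<category>\S+) (?P<msg>.+?) peer=(?P<peer>\S+)$"
)

# Constructed sample: one peer (203.0.113.10) sends four keepalives and is
# then dropped by dead peer detection; another (198.51.100.7) logs off normally.
SAMPLE_LOG = """\
2002-03-16 09:38:00 VPN IKE keepalive sent peer=198.51.100.7
2002-03-16 09:40:00 VPN IKE keepalive sent peer=203.0.113.10
2002-03-16 09:40:20 VPN IKE keepalive sent peer=203.0.113.10
2002-03-16 09:40:40 VPN IKE keepalive sent peer=203.0.113.10
2002-03-16 09:41:00 VPN IKE keepalive sent peer=203.0.113.10
2002-03-16 09:41:10 VPN IKE dead peer detected, SA deleted peer=203.0.113.10
2002-03-16 09:45:00 VPN user logged off, SA deleted peer=198.51.100.7
"""


def parse_log(text):
    """Turn log text into event dicts; lines not in the constructed format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        lowered = msg.lower()
        if "keepalive" in lowered:
            kind = "keepalive"
        elif "sa deleted" in lowered:      # any SA teardown counts as a disconnect
            kind = "disconnect"
        else:
            kind = "other"
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "peer": m.group("peer"),
            "kind": kind,
            "msg": msg,
        })
    return events


def keepalives_before_disconnects(events, window=timedelta(seconds=60)):
    """For every disconnect, count the same peer's keepalives in the preceding window.

    Returns a list of (peer, disconnect_time, keepalive_count) in log order.
    """
    results = []
    for ev in events:
        if ev["kind"] != "disconnect":
            continue
        start = ev["ts"] - window
        count = sum(
            1 for k in events
            if k["kind"] == "keepalive"
            and k["peer"] == ev["peer"]
            and start <= k["ts"] < ev["ts"]
        )
        results.append((ev["peer"], ev["ts"], count))
    return results


def suspected_dpd_peers(events, window=timedelta(seconds=60), threshold=3):
    """Peers whose disconnect was preceded by at least `threshold` keepalives."""
    return sorted({
        peer for peer, _, count in keepalives_before_disconnects(events, window)
        if count >= threshold
    })


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for peer, when, count in keepalives_before_disconnects(evs):
        print(f"{when} {peer}: {count} keepalive(s) in the prior 60s")
    print("suspected DPD drops:", suspected_dpd_peers(evs))
```

The window and threshold are the tunables: the three-minute drop JohnL describes would show up as a keepalive burst shortly before the SA deletion for peers that sit behind their own NAT device, while a peer that simply logged off has no such burst. Peers flagged this way are the ones whose situation the dead-peer-detection change addresses.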