We have a sonicwall tz series FW with two internet service providers connected.
One of the providers has a wireless service which works a bit like an ethernet switch in that we have an ip with a /24 subnet and the gateway is .1. All other clients on the same subnet (say 195.222.99.0) have the same .1 gateway - this is important, read on.
Some of our clients are also on the same subnet.
Our config:
- X0 : Lan
- X1 : 89.90.91.92
- X2 : 195.222.99.252/24 (GW 195.222.99.1)
X1 and X2 are not connected, other than both being connected to the public Internet.
Client config:
- X1 : 195.222.99.123/24 (GW 195.222.99.1)
What fails, what works:
- Traffic 195.222.99.123 (client) <-> 89.90.91.92 (X1) : Spoof alert
- Traffic 195.222.99.123 (client) <-> 195.222.99.252 (X1) : OK - no spoof alert
I have several clients with IPs in the 195.222.99.0 range and all provoke identical alerts.
This is the alert I see on the FW:
Alert Intrusion Prevention IP spoof dropped 195.222.99.252, 21475, X1 89.90.91.92, 80, X1 MAC address: 00:12:ef:41:75:88
Anti-spoofing is switched off on my FW (network->mac-ip-anti-spoofing -> config for each interface) for all ports
I can provoke the alerts by telneting to a port on X1 from the clients.
You can't argue with the logic - this is suspicious traffic. X1 is receiving traffic with a source IP which corresponds to X2s subnet.
Anyone know how can I tell the FW that packets with a src subnet of 195.222.99.0 can legitimately appear on X1?
I know whats going wrong, I've seen the same thing before, but with higher end FWs you can avoid this with a few extra rules. I can't see how to do this here. And before you ask why we're using this service provider - they give us 3ms (yep 3ms, thats not an error) delay between routers.
After logging into the sonicwall, go to the diagnostic interface by adding "diag.html" to the URL (If you access your router at
https://192.168.5.1
, go tohttps://192.168.5.1/diag.html
)You'll get a warning that you can break things, continue on by clicking "Internal Settings" on the lefthand menu. About a third of the way down, you'll see a check box to disable IP spoof detection.
Uncheck the box and see if that makes a difference.
Do you have both connections (X1 and X2) connected to the same broadcast domain (for example, are they both plugged into the same switch? That can cause spoof messages). Keep each connection in its own broadcast domain.
If that's not the case, how is traffic for X2 reaching the X1 interface?