No Internet on Guest Vlan

ReubenVGonzales
Level 1

I have a Cisco wireless AP. It's configured for Vlan 1 and Vlan 30. Vlan 1 is our internal subnet. Vlan 30 is the "Guest" network. I've worked my way through the switches to make sure the Guest Vlan is configured. It is on certain ports. The router is giving out an IP for the guest network on the subnet assigned. But from there, no one on the Guest network can access the internet.

On the router I see this:

ip dhcp pool Guest
network 172.16.30.0 255.255.255.0
domain-name (company-name).com
dns-server 209.18.47.61 4.2.2.2
default-router 172.16.30.254

______________________________

interface Vlan30
ip address 172.16.30.254 255.255.255.0

 

The IP of the Router is 10.10.10.254. 

 

From the router we have a connection to a Sonicwall and our ISP. I know the IP address of our Sonicwall (10.10.10.250). I don't see this anywhere in the running-config. Should I? Like I said, VLAN 1 is able to get an IP from our DHCP server and go out to the internet. Nothing on VLAN 30. Any help would be appreciated.

 

The router is a UC560

 

13 Replies

Seb Rupik
VIP Alumni

Hi there,

What is the output of sh ip route on your router?

 

You may be encountering several issues here:

1) The Sonicwall does not have a route for 172.16.30.0/24

2) Where is NAT performed? Whatever the device, does it perform NAT for 172.16.30.0/24?

 

Can you share the config of the router?

 

Cheers,

Seb.

Thank you for the reply. The info is pasted below. Topology shown at the end. Should NAT be set at the first router? It doesn't seem to be enabled at this point. I'm unsure of where to check on the Sonicwall. VLAN90 and VLAN100 are for voice.

 

UC560#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C 10.1.1.0/24 is directly connected, Vlan100
L 10.1.1.1/32 is directly connected, Vlan100
C 10.1.10.0/30 is directly connected, Vlan90
S 10.1.10.1/32 is directly connected, Vlan90
L 10.1.10.2/32 is directly connected, Vlan90
C 10.10.10.0/24 is directly connected, Vlan1
L 10.10.10.254/32 is directly connected, Vlan1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.30.0/24 is directly connected, Vlan30
L 172.16.30.254/32 is directly connected, Vlan30

UC560#sho ip int
GigabitEthernet0/0 is up, line protocol is down
Internet address is 10.20.20.253/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Integrated-Service-Engine0/0 is up, line protocol is up
Interface is unnumbered. Using address of Vlan90 (10.1.10.2)
Broadcast address is 255.255.255.255
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
GigabitEthernet0/1/0 is up, line protocol is down
Internet protocol processing disabled
GigabitEthernet0/1/1 is up, line protocol is up
Internet protocol processing disabled
GigabitEthernet0/1/2 is up, line protocol is down
Internet protocol processing disabled
GigabitEthernet0/1/3 is up, line protocol is up
Internet protocol processing disabled
Serial0/3/0:0 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:1 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:2 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:3 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:4 is up, line protocol is up
Internet protocol processing disabled
Serial0/3/0:5 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:6 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:7 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:8 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:9 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:10 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:11 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:12 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:13 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:14 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:15 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:16 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:17 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:18 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:19 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:20 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:21 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:22 is down, line protocol is down
Internet protocol processing disabled
Serial0/3/0:23 is up, line protocol is up
Internet protocol processing disabled
Vlan1 is up, line protocol is up
Internet address is 10.10.10.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Vlan30 is up, line protocol is up
Internet address is 172.16.30.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Vlan90 is up, line protocol is up
Internet address is 10.1.10.2/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Vlan100 is up, line protocol is up
Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check

Topology.PNG
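The route table posted above has no default route ("Gateway of last resort is not set"), so a longest-prefix lookup for an Internet destination finds nothing on the UC560. The following is an added example, not code from the thread, that runs that lookup over the posted routes; the default route, the firewall model and the 192.0.2.1 WAN gateway are constructed assumptions, written in IOS route-table style only so one parser can read them.

```python
import ipaddress
import re

# Route entries copied from the `show ip route` output in the post above.
UC560_ROUTES = """\
C 10.1.1.0/24 is directly connected, Vlan100
L 10.1.1.1/32 is directly connected, Vlan100
C 10.1.10.0/30 is directly connected, Vlan90
S 10.1.10.1/32 is directly connected, Vlan90
L 10.1.10.2/32 is directly connected, Vlan90
C 10.10.10.0/24 is directly connected, Vlan1
L 10.10.10.254/32 is directly connected, Vlan1
C 172.16.30.0/24 is directly connected, Vlan30
L 172.16.30.254/32 is directly connected, Vlan30
"""

# Constructed: a default route toward the SonicWall (10.10.10.250 in the
# thread), in the form IOS would display once such a route exists.
ASSUMED_DEFAULT = "S* 0.0.0.0/0 [1/0] via 10.10.10.250\n"

# Constructed model of a firewall that knows only its LAN subnet on X0 and
# a default route to the WAN side (192.0.2.1 is a documentation address).
FIREWALL_MODEL = """\
C 10.10.10.0/24 is directly connected, X0
S* 0.0.0.0/0 [1/0] via 192.0.2.1
"""
# Constructed: the same firewall with a return route for the guest subnet.
FIREWALL_WITH_RETURN = FIREWALL_MODEL + "S 172.16.30.0/24 [1/0] via 10.10.10.254\n"

# Matches single-token route codes (C, L, S, S*); header lines do not match.
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (\S+)|\[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+))"
)


def parse_routes(text):
    """Return (network, code, interface-or-gateway) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            code, prefix, ifname, gateway = m.groups()
            routes.append((ipaddress.ip_network(prefix), code, ifname or gateway))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def next_hop(table_text, dest):
    """Interface or gateway chosen for dest, or None when no route matches."""
    hit = lookup(parse_routes(table_text), dest)
    return hit[2] if hit else None


if __name__ == "__main__":
    # Outbound: guest traffic to 8.8.8.8 arriving at the UC560.
    print("UC560 as posted      ->", next_hop(UC560_ROUTES, "8.8.8.8"))
    print("UC560 + default route ->", next_hop(UC560_ROUTES + ASSUMED_DEFAULT, "8.8.8.8"))
    # Return path: the firewall deciding where to send a reply to a guest host.
    print("Firewall, no guest route ->", next_hop(FIREWALL_MODEL, "172.16.30.39"))
    print("Firewall + return route  ->", next_hop(FIREWALL_WITH_RETURN, "172.16.30.39"))
```

A `None` result means the router has no forwarding entry for the destination, and a reply that follows the firewall's default route leaves through the WAN side instead of returning to 10.10.10.254.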

The issue you explained has all the signs of a routing issue.

From your firewall LAN interface you should be able to ping the gateway assigned to the Guest Network. If you are unable to do so, please check to ensure that you have a static route pointing to the next hop with the guest network as the destination network. If there are other devices in the path, the same procedure should be followed until connectivity is established to the guest network.

Also ensure that you have a NAT translation set up for that particular subnet in your FW as well.

 

Cheers

 

****PLEASE REMEMBER TO RATE ALL HELPFUL POSTS****

 

P.Williams

Please view the topology below. I don't see any information on the Sonicwall for the guest subnet 172.16.30.x or the router that VLAN is assigned to: 172.16.30.254. From the guest network I cannot ping to a different subnet. The ping commands issued and results are here:

UC560#ping 10.10.10.254 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
WEDG_UC560#ping 8.8.8.8 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.254
.....
Success rate is 0 percent (0/5)
WEDG_UC560#ping 10.10.10.254 source vlan 30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.30.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
WEDG_UC560#ping 8.8.8.8 source vlan 30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.30.254

 

Would the static route be placed on the UC560 or the Sonicwall... or both?

 

Topology.PNG

Hello

I doubt the switch will be performing any NAT unless it is a high-end device, so I am guessing either the Sonicwall is doing this or your ISP modem.

So from the switch, to verify connectivity for that vlan 30, can you ping to the FW (if ICMP is allowed) and the internet, so as to verify what @Patrick.Williams and @Seb Rupik mentioned?

Ping 10.10.10.254 source vlan 1 
Ping 8.8.8.8 source vlan 1

Ping 10.10.10.254 source vlan 30
Ping 8.8.8.8 source vlan 30

show ip arp
show ip route

Post the results of the above along with the router/switch configuration if applicable.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I totally agree, the Sonic FW will most likely be doing the NAT translations.

P.Williams

Thank you for the reply. The info is pasted below:

 

UC560#ping 10.10.10.254 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
WEDG_UC560#ping 8.8.8.8 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.254
.....
Success rate is 0 percent (0/5)
WEDG_UC560#ping 10.10.10.254 source vlan 30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.30.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
WEDG_UC560#ping 8.8.8.8 source vlan 30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.30.254
.....
Success rate is 0 percent (0/5)

 

UC560#sho ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - 68ef.bd40.e742 ARPA Vlan100
Internet 10.1.1.13 3 001b.d5e8.6212 ARPA Vlan100
Internet 10.1.1.14 9 0004.f2eb.4c32 ARPA Vlan100
Internet 10.1.1.15 8 0004.f2e8.964c ARPA Vlan100
Internet 10.1.1.16 12 1cdf.0f4a.6a8a ARPA Vlan100
Internet 10.1.1.17 2 1cdf.0f4a.66ec ARPA Vlan100
Internet 10.1.1.18 10 1cdf.0f4a.6b0d ARPA Vlan100
Internet 10.1.1.19 6 1cdf.0f4a.6609 ARPA Vlan100
Internet 10.1.1.20 10 1cdf.0f4a.6600 ARPA Vlan100
Internet 10.1.1.22 14 1cdf.0f4a.bc14 ARPA Vlan100
Internet 10.1.1.23 11 1cdf.0f4a.6a8f ARPA Vlan100
Internet 10.1.1.24 11 1cdf.0f4a.6a1f ARPA Vlan100
Internet 10.1.1.26 7 1cdf.0f4a.6b47 ARPA Vlan100
Internet 10.1.1.27 8 1cdf.0f4a.6a18 ARPA Vlan100
Internet 10.1.1.28 12 1cdf.0f4a.6604 ARPA Vlan100
Internet 10.1.1.32 11 1cdf.0f4a.6a1b ARPA Vlan100
Internet 10.1.1.35 5 1cdf.0f4a.6a2a ARPA Vlan100
Internet 10.1.1.38 3 1cdf.0f4a.6b3a ARPA Vlan100
Internet 10.1.1.45 8 1cdf.0f4a.6b15 ARPA Vlan100
Internet 10.1.1.50 7 1cdf.0f4a.6a98 ARPA Vlan100
Internet 10.1.1.52 9 1cdf.0f4a.6610 ARPA Vlan100
Internet 10.1.1.53 6 1cdf.0f4a.6bbe ARPA Vlan100
Internet 10.1.1.54 6 1cdf.0f4a.6a20 ARPA Vlan100
Internet 10.1.1.56 10 1cdf.0f4a.6b1b ARPA Vlan100
Internet 10.1.1.58 7 1cdf.0f4a.6a1a ARPA Vlan100
Internet 10.1.1.59 4 1cdf.0f4a.6b34 ARPA Vlan100
Internet 10.1.1.60 13 1cdf.0f4a.6b0c ARPA Vlan100
Internet 10.1.1.61 8 1cdf.0f4a.66a1 ARPA Vlan100
Internet 10.1.1.63 5 1cdf.0f4a.6a7e ARPA Vlan100
Internet 10.1.1.64 4 1cdf.0f4a.6729 ARPA Vlan100
Internet 10.1.1.65 7 1cdf.0f4a.672a ARPA Vlan100
Internet 10.1.1.66 9 1cdf.0f4a.6607 ARPA Vlan100
Internet 10.1.1.67 2 1cdf.0f4a.6b38 ARPA Vlan100
Internet 10.1.1.68 0 1cdf.0f4a.6b93 ARPA Vlan100
Internet 10.1.1.70 4 1cdf.0f4a.6b42 ARPA Vlan100
Internet 10.1.1.71 9 1cdf.0f4a.6b37 ARPA Vlan100
Internet 10.1.1.73 7 1cdf.0f4a.6a82 ARPA Vlan100
Internet 10.1.1.74 8 1cdf.0f4a.6a21 ARPA Vlan100
Internet 10.1.1.77 3 1cdf.0f4a.6a8d ARPA Vlan100
Internet 10.1.1.79 4 1cdf.0f4a.6a24 ARPA Vlan100
Internet 10.1.1.81 6 1cdf.0f4a.6b3e ARPA Vlan100
Internet 10.1.1.82 4 1cdf.0f4a.6b3c ARPA Vlan100
Internet 10.1.1.83 6 1cdf.0f4a.6768 ARPA Vlan100
Internet 10.1.1.84 12 1cdf.0f4a.6b13 ARPA Vlan100
Internet 10.1.10.1 0 00e0.0c02.00fd ARPA GigabitEthernet0/1/3
Internet 10.1.10.2 - 68ef.bd40.e742 ARPA Vlan90
Internet 10.10.10.19 0 788a.20df.9647 ARPA Vlan1
Internet 10.10.10.34 0 f46d.0499.f6da ARPA Vlan1
Internet 10.10.10.37 0 0025.905c.e6e7 ARPA Vlan1
Internet 10.10.10.39 0 44a8.424b.91df ARPA Vlan1
Internet 10.10.10.42 0 0015.5d0a.2702 ARPA Vlan1
Internet 10.10.10.46 0 0015.5d0a.2706 ARPA Vlan1
Internet 10.10.10.68 0 d89e.f375.66e2 ARPA Vlan1
Internet 10.10.10.85 0 10c3.7b91.51c7 ARPA Vlan1
Internet 10.10.10.140 0 485b.3905.5eb8 ARPA Vlan1
Internet 10.10.10.200 0 0022.19b9.f5a9 ARPA Vlan1
Internet 10.10.10.203 0 0015.5d0a.ca07 ARPA Vlan1
Internet 10.10.10.223 0 30e1.713c.187e ARPA Vlan1
Internet 10.10.10.224 0 101f.7448.fe08 ARPA Vlan1
Internet 10.10.10.228 1 0026.73a0.bbe7 ARPA Vlan1
Internet 10.10.10.230 0 001e.4f91.508d ARPA Vlan1
Internet 10.10.10.250 0 18b1.69bc.f928 ARPA Vlan1
Internet 10.10.10.254 - 68ef.bd40.e742 ARPA Vlan1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.20.20.253 - 68ef.bd40.e751 ARPA GigabitEthernet0/0
Internet 172.16.30.39 0 ac37.4302.8863 ARPA Vlan30
Internet 172.16.30.47 9 ac5f.3e90.41ba ARPA Vlan30
Internet 172.16.30.48 0 8c45.0073.bad1 ARPA Vlan30
Internet 172.16.30.254 - 68ef.bd40.e742 ARPA Vlan30

 

 

UC560#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
C 10.1.1.0/24 is directly connected, Vlan100
L 10.1.1.1/32 is directly connected, Vlan100
C 10.1.10.0/30 is directly connected, Vlan90
S 10.1.10.1/32 is directly connected, Vlan90
L 10.1.10.2/32 is directly connected, Vlan90
C 10.10.10.0/24 is directly connected, Vlan1
L 10.10.10.254/32 is directly connected, Vlan1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.30.0/24 is directly connected, Vlan30
L 172.16.30.254/32 is directly connected, Vlan30

 

Hello,

 

in addition to the other posts, and I am not sure if this has already been mentioned, if Vlan 1 can get out to the Internet, you could do double NAT (once on your router and once on your SonicWall):

 

--> VLAN 1 is able to get an IP from our DHCP server and go out to the internet. 

 

Try this:

 

interface Vlan1
ip address 10.10.10.254 x.x.x.x
ip nat outside
!
interface Vlan30
ip address 172.16.30.254 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface Vlan 1 overload
!
access-list 1 permit 172.16.30.0 0.0.0.255

Let us know your diagnosis results based on @Georg Pauwen's latest post.

P.Williams

It seems the access list is already set up for any:

UC560#show access-lists
Extended IP access list 100
10 deny ip 192.168.10.0 0.0.0.255 any
20 deny ip host 255.255.255.255 any
30 deny ip 127.0.0.0 0.255.255.255 any
40 permit ip any any
Extended IP access list 105
10 deny ip any 10.10.10.0 0.0.0.255
20 deny ip any 10.1.10.0 0.0.0.3
30 deny ip any 10.1.1.0 0.0.0.255
40 permit ip any any

 

This is a live production area. Do you think at this point, since VLAN1 can indeed reach the internet, it would be safe for me to issue the commands you wrote for VLAN30? No chance of bringing the production area down?
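ACL 105 above denies traffic to the three internal subnets, while the Vlan30 section of the `show ip int` output posted earlier reports no access list in either direction. The following is an added example, not code from the thread, that evaluates ACL 105 with first-match semantics and reads the interface binding; the flows are constructed from addresses that appear in the thread, and only `ip` entries in the `any` / `host A` / `A WILDCARD` forms are handled.

```python
import ipaddress
import re

# ACL 105 as shown by `show access-lists` in the post above.
ACL_105 = """\
10 deny ip any 10.10.10.0 0.0.0.255
20 deny ip any 10.1.10.0 0.0.0.3
30 deny ip any 10.1.1.0 0.0.0.255
40 permit ip any any
"""

# Vlan30 excerpt from the `show ip int` output posted earlier in the thread.
VLAN30_STATUS = """\
Vlan30 is up, line protocol is up
Internet address is 172.16.30.254/24
Outgoing access list is not set
Inbound access list is not set
"""


def take_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)           # every bit is "don't care"
    if first == "host":
        return (int(ipaddress.ip_address(tokens.pop(0))), 0)
    wildcard = tokens.pop(0)
    return (int(ipaddress.ip_address(first)), int(ipaddress.ip_address(wildcard)))


def parse_acl(text):
    """Parse 'SEQ ACTION ip SRC DST' lines into (seq, action, src, dst)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[2] != "ip":
            continue
        rest = tokens[3:]
        src = take_addr(rest)
        dst = take_addr(rest)
        entries.append((int(tokens[0]), tokens[1], src, dst))
    return entries


def spec_matches(spec, addr):
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def evaluate(entries, src, dst):
    """First matching entry decides; falling off the end is an implicit deny."""
    for seq, action, s, d in entries:
        if spec_matches(s, src) and spec_matches(d, dst):
            return (action, seq)
    return ("deny", None)


def bound_acls(show_ip_int_text):
    """Map 'Inbound'/'Outgoing' to the bound ACL, or None when 'not set'."""
    found = {}
    for m in re.finditer(r"(Outgoing|Inbound)\s+access list is (.+)", show_ip_int_text):
        value = m.group(2).strip()
        found[m.group(1)] = None if value == "not set" else value
    return found


if __name__ == "__main__":
    acl = parse_acl(ACL_105)
    guest = "172.16.30.39"               # a guest host from the posted ARP table
    for dst in ("10.10.10.19", "10.1.1.13", "8.8.8.8"):
        print(guest, "->", dst, evaluate(acl, guest, dst))
    print("Vlan30 bindings:", bound_acls(VLAN30_STATUS))
```

With both bindings reported as not set, none of the deny entries is applied to guest traffic on that interface, so the permit and deny results above describe what the list would do only once it is bound.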

dperezoquendo
Level 1

Hello,

I haven't seen any mention of ensuring the Sonicwall is even allowing the VLAN 30 subnet through to the Internet. Has this been even verified yet?

Our Sonicwall has a single line coming from the router. X0 is set up for the 10.10.10.x subnet. How would I set up VLAN30 (172.16.30.x) to have access through that interface?

You'll need to check the Access Rules between the LAN and WAN zones. Keep in mind that these zones may be labeled differently on your device. By default, there should be an any to any from LAN to WAN but it may be possible that it was removed for security reasons. If you don't see an any to any rule then I recommend, to maintain some of the security that appears to have been placed, creating a new address object for VLAN30 and then creating a rule for it.

It's been a while since I touched Sonicwalls so I don't recall exactly all the menus and whatnot but hopefully the below link may be helpful.

https://www.sonicwall.com/en-us/support/technical-documentation/sonicos-6-5-policies/configuring-access-rules#1192875

Also, since we're checking the Sonicwall, another thing to be wary of would be the routing configuration on your Sonicwall. From all the previous posts, I see your pings go to .254, not .250 as well as all pings failing 8.8.8.8. So I assume this is because ICMP is not allowed on your Sonicwall but I think you should check that as well. 

In all honesty, I recommend going back and following Patrick Williams' troubleshoot. His troubleshoot involved doing things from the Firewall, which you never did. The Sonicwall should have a Ping Diagnostic tool that can be utilized, though I don't remember how good the tool is or if it will even work if ICMP is blocked.

Overall, re-verify your routing & access rules from the Sonicwall to the new subnet, not just the inside router to the guest network. Then focus on the whole NAT stuff if everything else looks good.