Monday, August 26, 2013

Sonicwall NSA: When Your Upstream Provider Gives You Two (or multiple) Subnets

In this example our upstream provider (ISP) is giving us on the WAN side, but let's say we need more IP addresses, so they are also giving us . Since the WAN is defined as , we cannot simply make a NAT policy for the second subnet because it is outside the first subnet's broadcast domain. SonicWALL does not know exists. This is actually really easy to get working, but the documentation I found on it was for older SonicOS versions. I am using the SonicWALL NSA220W demo portal available here.

Under Network -> Interfaces you can see our primary WAN subnet as the X1 interface:

First we need to make an Address Object for the second subnet. Browse to Network -> Address Objects. Under Address Objects click Add… I named mine X1 Second Subnet; it's going to be on the WAN side, with a range of IP addresses in the second subnet, like so:

Now we need to create a Route, so traffic coming into the second subnet gets routed via the primary subnet (X1). Browse to Network -> Routing. Under Route Policies click Add… Source is going to be Any, Destination is going to be the new Address Object: X1 Second Subnet, Service: Any, Gateway:, Interface: X1, Metric: 10. Like so:

Now with any NAT policies all you have to do is select an IP in the X1 Second Subnet to be translated to a LAN IP and the SonicWALL will know to route it through X1.
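As an added sanity check (not from the original post or from SonicWALL), the script below models the two route policies described above, the connected X1 subnet and the static policy pointing the second subnet at the X1 gateway, and shows why a NAT policy on the second block only works once that route exists. The X1 subnet, gateway and second subnet are constructed documentation-range values, since the post's real addresses are not on the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for the post's real addresses:
# the X1 WAN interface subnet, its upstream gateway, and the extra block
# the ISP routes to us (which is NOT inside the X1 subnet).
X1_INTERFACE = ip_network("203.0.113.0/29")
X1_GATEWAY = ip_address("203.0.113.1")
SECOND_SUBNET = ip_network("198.51.100.0/29")


def on_interface_subnet(addr, iface_net=X1_INTERFACE):
    """True if addr is in the interface's own broadcast domain, i.e. the
    firewall can ARP for it directly and no route policy is needed."""
    return ip_address(addr) in iface_net


def connected_only():
    """Route table before the post's change: just X1's connected subnet."""
    return [{"dest": X1_INTERFACE, "gateway": None, "iface": "X1", "metric": 0}]


def with_second_subnet():
    """Route table after adding the post's policy: Source Any, Destination
    'X1 Second Subnet', Gateway = X1 gateway, Interface X1, Metric 10."""
    return connected_only() + [
        {"dest": SECOND_SUBNET, "gateway": X1_GATEWAY, "iface": "X1", "metric": 10}
    ]


def lookup(addr, policies):
    """Best-matching policy: longest prefix first, then lowest metric."""
    a = ip_address(addr)
    matches = [p for p in policies if a in p["dest"]]
    if not matches:
        return None
    return max(matches, key=lambda p: (p["dest"].prefixlen, -p["metric"]))


def nat_ok(public_addr, policies):
    """A NAT policy translating public_addr to a LAN host only behaves as
    intended if the firewall has a route for public_addr that leaves via X1."""
    p = lookup(public_addr, policies)
    return p is not None and p["iface"] == "X1"
```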