Help with SonicWall TZ180 Wireless Firewall/Router and WHS RRS feed

  • Question

  • I have a SonicWall TZ 180 Wireless Router.  I have installed WHS on my system and had to manually open ports to get it to work.  It seems to work fine on the LAN, but I cannot get a connection to clients on the WLAN.  I guess I need to open the same ports.  My question is: what do I put as my destination and source in the firewall rules?  Is it LAN/WLAN or WLAN/LAN or something else?  Do I open up the same ports as what MS recommends?  I am almost there - any help from anyone would be appreciated.  Thanks,  FF

    Tuesday, January 29, 2008 4:37 AM

Answers

  • I finally solved my problem with the SonicWall TZ 180 wireless router.  The problem boils down to the TZ 180 separates the WLAN from the LAN and thereby operates them as two separate networks with different subnets.  Apparently, SonicWall erroneously assumes its users only provide wireless access to guests and do not have an interest in creating a truly wireless network.  (They should put a warning label on the box of this; many users on the SonicWall user community found this out the hard way.)

     

    To overcome this without trashing the router and going with a less secure solution I did the following:

     

    (1)   Turned off the wireless radio in the TZ 180.

    (2)   Bought a wireless access point (AP) (not a router, an access point).  Netgear makes a good one.  Make sure it supports WPA2.  (The presumption is that you bought SonicWall for its security features and you don’t want to compromise that.)

    (3)   Hook up and install the AP into a LAN port.

    (4)   Problem solved.  Your LAN network applications will run on your wireless network because the AP is on the same subnet as the LAN.

    (5)   Note: This applies for any appliance that has the same problem as SonicWall.  For SonicWall and Windows Home Server users, you will have to disable the SonicWall AV client and open up the applicable ports on the SonicWall appliance.  This is under the “Firewall” section of the management interface and the port definitions are found in the WHS documentation or on the WHS web site.

     

    Through this solution you are circumventing some of SonicWall wireless intrusion prevention / detection features, but security is worthless if you can’t use the tool.  I would buy the non-wireless version of the TZ 180 (cheaper) and configure as described above.  I like the UTM features of SonicWall.

     

    Thanks to everyone who contributed to the dialogue.  Thank you Chris. 

     

    Now on to my next WHS problem.

     

    FF

    Wednesday, March 12, 2008 2:18 AM

All replies

  • Is the wireless LAN using a different subnet? MS only supports WHS + clients on the same subnet.

     

    If they are on different subnets, you might get away with adding an LMHOSTS entry for your servername on the wireless clients.

     

    Tuesday, January 29, 2008 5:06 AM
    Moderator
  • Sam,

     

    I am afraid I don't know the answer to that.  I have a WAN, a LAN, and a WLAN, all with different IP addresses.  In using LMHOSTS for my servername, does that mean I have to rename my server or does that mean when I use the Connector on my wireless clients, I use LMHOSTS instead of HPSERVER?  Thanks,  FF

     

    Wednesday, January 30, 2008 2:49 AM
  • Unfortunately, WHS doesn't come with a disclaimer saying that networking can be a real pain :)

     

    So, network addresses (192.168.x.x, for example) are broken up into blocks called subnets. Stuff in the same subnet as you is considered local by your computer - WHS expects all your clients to be local.

     

    To check if they're in different subnets, do the following on the WHS, a LAN client, and a WLAN client:

     

    1) Click start --> run --> type "cmd" without the quotes. click ok

    2) type "ipconfig /all" without quotes and hit enter

    3) copy the IP address, subnet mask, default gateway and DNS servers

    4) Post the results here

     

    LMHOSTS is a file on your computer that you can use to get around name resolution issues (i.e. turning HPSERVER into an actual IP address). Don't worry about that for now.

     

    Wednesday, January 30, 2008 2:55 AM
    Moderator
  • LAN CLIENT

     

    Windows IP Configuration

     

            Host Name . . . . . . . . . . . . :

            Primary Dns Suffix  . . . . . . . :

            Node Type . . . . . . . . . . . . : Hybrid

            IP Routing Enabled. . . . . . . . : No

            WINS Proxy Enabled. . . . . . . . : No

     

    Ethernet adapter Local Area Connection:

     

            Connection-specific DNS Suffix  . :

            Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

            Physical Address. . . . . . . . . :

            Dhcp Enabled. . . . . . . . . . . : Yes

            Autoconfiguration Enabled . . . . : Yes

            IP Address. . . . . . . . . . . . : 192.168.168.62

            Subnet Mask . . . . . . . . . . . : 255.255.255.0

            Default Gateway . . . . . . . . . : 192.168.168.168

            DHCP Server . . . . . . . . . . . : 192.168.168.168

            DNS Servers . . . . . . . . . . . : 68.105.28.11

                                                68.105.29.11

                                                68.105.28.12

     

    WLAN CLIENT

     

    Node Type . . . . . . . . . . . . : Hybrid

            IP Routing Enabled. . . . . . . . : No

            WINS Proxy Enabled. . . . . . . . : No

                  

            Dhcp Enabled. . . . . . . . . . . : Yes

            Autoconfiguration Enabled . . . . : Yes

            IP Address. . . . . . . . . . . . : 172.16.31.233

            Subnet Mask . . . . . . . . . . . : 255.255.255.0

            Default Gateway . . . . . . . . . : 172.16.31.1

            DHCP Server . . . . . . . . . . . : 172.16.31.1

            DNS Servers . . . . . . . . . . . : 68.105.28.11

                                                68.105.29.11

                                                68.105.28.12

     

    WHS IP ADDRESS:  192.168.168.110

     

    I could not do the run command for WHS.  All I get is web browser.
    Wednesday, January 30, 2008 4:37 AM
  • Yes, your WLAN clients are on a different subnet.

     

    You can log into your WHS using remote desktop. From a client, click start --> run --> type "msconfig" and click ok, then enter the server name and click connect (Administrator is the username, and then use your WHS console password).

     

    From a WLAN client

    1) click start --> run --> type "cmd"

    2) type "ping hpserver" and hit enter

    3) Do you get 4 successful responses?

    4) type "ping 192.168.168.110" and hit enter

    5) Do you get 4 successful responses?

    Wednesday, January 30, 2008 5:10 AM
    Moderator
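
    Added example (not part of the original thread): a small Python check that pulls the IP address and subnet mask out of pasted "ipconfig /all" output and tests whether the WHS address falls inside the client's own network. When it does not, every packet between client and server is routed through the firewall's WLAN/LAN boundary. The sample text is constructed from the values posted above; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample input: the address lines of the two "ipconfig /all"
# outputs posted in the thread (other fields omitted).
LAN_CLIENT = """\
        IP Address. . . . . . . . . . . . : 192.168.168.62
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.168.168
"""
WLAN_CLIENT = """\
        IP Address. . . . . . . . . . . . : 172.16.31.233
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.31.1
"""
WHS_ADDRESS = "192.168.168.110"  # server address as posted in the thread

# "Label . . . . : value" lines; the dot leader length varies by field.
# Lines with an empty or multi-word value (Host Name, Description) are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(\S+)\s*$")


def parse_ipconfig(text):
    """Return the first IPv4 address/mask pair found in ipconfig output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            # Keep the first occurrence of each label (first adapter listed).
            fields.setdefault(m.group(1).strip(), m.group(2))
    # XP-era output says "IP Address"; later Windows versions say "IPv4 Address".
    addr = fields.get("IP Address") or fields.get("IPv4 Address")
    mask = fields.get("Subnet Mask")
    if not addr or not mask:
        raise ValueError("no IPv4 address/mask pair found")
    addr = addr.split("(")[0]  # later versions append "(Preferred)"
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def same_subnet(client, server_ip):
    """True if server_ip lies inside the client's own network."""
    return ipaddress.IPv4Address(server_ip) in client.network


def report(name, text, server_ip=WHS_ADDRESS):
    """One-line summary of where the client sits relative to the server."""
    client = parse_ipconfig(text)
    if same_subnet(client, server_ip):
        verdict = "same subnet as server"
    else:
        verdict = "different subnet, traffic is routed through the firewall"
    return f"{name}: {client.ip} in {client.network} -> {verdict}"


if __name__ == "__main__":
    print(report("LAN client", LAN_CLIENT))
    print(report("WLAN client", WLAN_CLIENT))
```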
  •  FantasticF wrote:

    LAN CLIENT

     

    Windows IP Configuration

     

            Host Name . . . . . . . . . . . . :

            Primary Dns Suffix  . . . . . . . :

            Node Type . . . . . . . . . . . . : Hybrid

            IP Routing Enabled. . . . . . . . : No

            WINS Proxy Enabled. . . . . . . . : No

     

    Ethernet adapter Local Area Connection:

     

            Connection-specific DNS Suffix  . :

            Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection

            Physical Address. . . . . . . . . :

            Dhcp Enabled. . . . . . . . . . . : Yes

            Autoconfiguration Enabled . . . . : Yes

            IP Address. . . . . . . . . . . . : 192.168.168.62

            Subnet Mask . . . . . . . . . . . : 255.255.255.0

            Default Gateway . . . . . . . . . : 192.168.168.168

            DHCP Server . . . . . . . . . . . : 192.168.168.168

            DNS Servers . . . . . . . . . . . : 68.105.28.11

                                                68.105.29.11

                                                68.105.28.12

     

    WLAN CLIENT

     

    Node Type . . . . . . . . . . . . : Hybrid

            IP Routing Enabled. . . . . . . . : No

            WINS Proxy Enabled. . . . . . . . : No

                  

            Dhcp Enabled. . . . . . . . . . . : Yes

            Autoconfiguration Enabled . . . . : Yes

            IP Address. . . . . . . . . . . . : 172.16.31.233

            Subnet Mask . . . . . . . . . . . : 255.255.255.0

            Default Gateway . . . . . . . . . : 172.16.31.1

            DHCP Server . . . . . . . . . . . : 172.16.31.1

            DNS Servers . . . . . . . . . . . : 68.105.28.11

                                                68.105.29.11

                                                68.105.28.12

     

    WHS IP ADDRESS:  192.168.168.110

     

    I could not do the run command for WHS.  All I get is web browser.




    A few things, first do what the above post says and see if it is hitable.

    Second, add the WHS box to the hosts file because it looks like you're using external DNS and it might have issues resolving it.

    Third, can you bridge the networks? I.e., add another interface?
    Wednesday, January 30, 2008 1:07 PM
  • Hi,

     

    I am on XP and all I get when I run msconfig is the System Configuration Utility window for the LAN client.  Is there another step to get into the server?

     

    I previously tried to ping my server from the wlan client and I was not successful.  I will try it again tonight, when I get back from work.

     

    Thanks for your help.

     

    Wednesday, January 30, 2008 2:38 PM
  • Hi,

     

    I am sorry, I am learning here.  How do I add the WHS box to the hosts file?  I did have a problem with my DNS and Sonicwall.  It was apparently solved by a firmware update.  I will check whether I can bridge the network by looking at my sonicwall documentation and/or call (SonicWall) India and spend a few hours on the phone .  It will take some time.  Thanks for your patience.  FF

     

    Wednesday, January 30, 2008 2:47 PM
  •  FantasticF wrote:

    Hi,

     

    I am sorry, I am learning here.  How do I add the WHS box to the hosts file?  I did have a problem with my DNS and Sonicwall.  It was apparently solved by a firmware update.  I will check whether I can bridge the network by looking at my sonicwall documentation and/or call (SonicWall) India and spend a few hours on the phone .  It will take some time.  Thanks for your patience.  FF

     



    browse to:

    c:\windows\system32\drivers\etc\hosts

    Open it with Notepad.

    Then add:

    192.168.168.110     hostname_for_windows_home_server


    Save and close.

    Now do:

    Start | Run

    cmd {enter}

    ipconfig /flushdns


    Give the connector a shot...
    Wednesday, January 30, 2008 3:46 PM
  • Hi,

     

    I spoke to SonicWall and they said their WLAN is not on the same Subnet as their LAN by design.  The way to get around this is to use a VPN on the guest services portion of the WLAN.  Their VPN allows you to hook into the LAN on the same subnet.  Once I accomplish this successfully, I will post the solution for all to see.  Thanks for all of your help.  FF

     

    Monday, February 4, 2008 1:51 AM
  • Like I said in a previous posting, SonicWall puts its wireless on a separate subnet from the LAN.  WHS only runs on one subnet, so unless I hook everybody on the wired LAN, I am SOL.  I have three options that I am exploring, and I would like someone's help on one of them:

    (1) Link my wireless clients through a VPN (which the SonicWall does) and link the VPN to the LAN.  This is a little complex and it relies upon my users to run the VPN.

    (2) Turn off the WLAN on the SonicWall and hook up an alternative wireless router through the LAN.  Then operate on the alternative wireless router's subnet.  I keep SonicWall's security features through the LAN.

    (3) Run the WHS and all of its clients on the WLAN only.

     

    My question is on #3.  Can I run the WHS solely on the SonicWall WLAN?  If so, is there anything special I need to do?  This assumes that WHS will identify the LAN link through its USB port.  Presumably, I would run a USB wireless card to connect the WHS with the SonicWall WLAN.  Is this idea too farfetched?

     

    Your help is appreciated.

     

    FF

    Thursday, February 14, 2008 2:26 AM
  • OK, lessee here.
    Option 1:  Complex, yes.  But, it'll work.
    Option 2:  Simple, and would work.  But, you'll need to make one change to that plan:  Don't use a wireless router, unless you can configure it to run in AP-Only mode.  Otherwise, you'll run into the same problem that you already have (one part of which is that NetBIOS name resolution doesn't work so well, if at all, across subnets.)  Change that device to a simple access point (which just attaches to your existing 'net), and it'll be fine.
    Option 3:  Not a good idea.  For starters, wireless isn't supported on WHS (and, I'm fairly certain that the wireless config services aren't even there.)

     

    My best suggestion is to buy a wireless access point, and go with option 2.

    Friday, February 15, 2008 3:33 AM
  • Thanks Chris.  I'll shop around for an AP.  Regards,  FF

     

    Friday, February 15, 2008 3:58 AM
  • A SonicWALL with Standard OS has by default no firewall rules between WLAN and LAN.

     

    Add such a rule by hand and it will work.

     

    Monday, March 17, 2008 2:45 PM
  • Yep, once you allow WLAN to access LAN in the sonicwall, then all you need to do is modify the home server windows firewall, here are some steps:

    http://sbs.seandaniel.com/2008/11/home-server-with-multiple-subnets.html

    Cheers,
       Sean

    This posting is "AS IS" and confers no rights.
    Wednesday, November 19, 2008 5:03 AM
    Moderator
  • Hello Everyone,

    I stumbled over this thread whilst researching potential issues and recommendations when configuring SonicWALL appliances for Windows Home Server Remote Access.

    We are in the process of creating some wikis with the ultimate goal to have a guide for every popular router and firewall appliance on how to best configure it for WHS remote access.

    We have covered the SonicWALL TZ 210 (SonicOS 5.x) but the steps illustrated are identical for anyone that is using the TZ 180 / TZ 190 (SonicOS 3.x). For example: if you configure IP Helper on the SonicWALL there would be no need to configure any HOST files on the clients. Our wiki also shows how to configure the SonicWALL WLAN to take advantage of the WiFi IDS and security features provided by SonicWALL – basically no need to attach an additional access point/airport.

    If you are still having issues please take a look at our wiki. Please feel free to hit us with any further questions or suggestions.

    http://www.homeserverland.com/wiki/w/whs/sonicwall-tz-210-appliance.aspx

    Hope this helps.

    Regards,

    Alexander Kent

    Wednesday, August 26, 2009 4:59 PM
    Moderator
  • Hi, I don't understand why you turned off the wireless on the TZ180?

    It can run fine and connect to WHS (Windows Home Server) on the LAN.

    You only have to turn off a feature in the config.  I will guide you; this will give you standard WPA2 security. It will route all traffic from the WLAN to the LAN and vice versa.

    Here goes.

    Log in to the web interface of the TZ 180W and go to the Wireless tab.

    Here choose the Settings submenu.

    Now you need to check "OFF" the "SSL-VPN Enforcement"
    And then turn "ON" "Trust WPA/WPA2 traffic as WiFiSec"

    Now this will force it to behave like a normal Wi-Fi access point.

    Then you can go to the firewall and set the ports and stuff you want to open between them, or have it all open. (By default it is in Deny between the WLAN and LAN.)
    Now I hope this is an answer, and you can now use the Netgear AP for something else, like a new floor or to widen your access :P Maybe just get rid of one more box and cables...

    Good luck...

    Tuesday, September 1, 2009 6:40 PM
  • Actually, you don't need to do that (buy anything else). It took me a while but I finally got how a SonicWall works, and it's genius if you use it for what it was intended for.

     

    Basically this is what you need to do. From a factory boot, you need to set up your wireless access point the way you want (WPA, etc.)

     

    Turn Wireless Guest Services OFF

    Turn WifiSec Enforcement OFF

    Turn Trust WPA as WIFIsec ON

    In firewall enable Netbios to/from WLAN - LAN and vice versa

    And that's pretty much it. I also have my WLAN interface set to 192.168.167.1, and I am printing to a wireless printer from LAN and WLAN and even from my Android phone.

    I have also enabled To/From NetBIOS traffic in firewall rules manually just to make sure, but they might not be necessary.

    Hope this helps.

    Monday, April 5, 2010 5:35 PM
  • To answer some of your concerns regarding the TZ 180:

    All Sonicwall wireless routers separate internal LAN access from general Internet access into two separate networks to prevent unauthorized access to the internal LAN. This behavior is BY DESIGN (and thankfully so).

    Sonicwall offers access to the internal LAN via the Global VPN Client. This is done for security purposes since the available 3DES-168bit (MIL Spec) or AES-256bit VPN encryption of the VPN client is superior to the various wireless security schemes available in most wireless routers. This requirement is a GOOD THING! (The behavior is not due to an erroneous assumption on Sonicwall's part as you imply.)  The TZ 180 also offers Wireless Guest Services (WGS) ... a way for guests in your network to gain access to the Internet without gaining access to your internal LAN. The LAN and WGS are separated by the Firewall. It appears that WGS is what you are using to attempt to access your LAN ... unsuccessfully, of course (by design).

    The solution you have created solves the problem by opening up a less secure wireless access mechanism into your network. It's a way around the issue, but not a particularly secure one. The other processes outlined below that defeat this security are well intended, but foolish (in my opinion) since they defeat the security design of the Sonicwall. I recommend that you stick with the Sonicwall Global VPN client as your LAN access mechanism.

    Harold Poley, Valueforge Inc.

    Wednesday, April 21, 2010 8:23 PM
  • Neither of the suggested posts by Axachi and Danny Curtean work.

    I had wireless guest services off already

    I turned off WifiSec Enforcement and set to OFF

    I turned on Turn Trust WPA as WIFIsec and to ON

    And added/changed all firewall rules as suggested by both users...

    I would really like to get this working on my TZ180W. The firmware I'm running is "SonicOS Standard 3.9.1.2-50s"

    My LAN Subnet is: 10.0.8.1

    My WLAN Subnet is: 10.1.8.1

    Thank you for any suggestions!!

    Sunday, December 5, 2010 5:55 PM
  • uhhhhh.... why all the fuss?

     

    create a firewall rule to allow WLAN-->LAN and LAN-->WLAN ... problem solved...

    I've been running sonicwall for a long time... needed WLAN to LAN access so i created the rule... boom it works.

     

    and all the "by design" crap.... geeesh... don't wear your ignorance with such pride!

    if there was not an intent to allow routing between the two sub-nets... why would sonicwall put an automatic routing rule out there?

     

    $0.02

    ... david ...

    NOTE: accomplished this on my TZ 200 wireless-N sonicwall


    Software developer
    • Proposed as answer by David Wasy Thursday, June 9, 2011 1:30 AM
    Thursday, June 9, 2011 1:29 AM
  • I can see that this thread is over 3 years old but I had to respond.  David, you're right!

    I am a professional network engineer.  I set up SonicWALL devices frequently for my customers.  "By design" the "out of the box" configuration is 100% correct.  When you are dealing with security, the wireless subnet should be a completely different scope.  This is the BEST way to configure and manage security.  For those that don't like that, there are rules that can be turned on to get the same result.  In newer SonicWALL models you can simply "bridge" the WLAN to the LAN with a few clicks.

    The bottom line is that the person that originally posted this thread had no idea how to use a SonicWALL device.  Rather than calling SonicWALL support or searching for the answer online, he lashes out at the product like it is at fault.  It's like complaining about how your brand new car stopped working and claiming that the manufacturer is stupid but all that really happened was that you ran out of gas.  Understanding the product and how to use it is the problem here.  The product works fine if you understand it and use it properly.

    It seems that those posting their comments did exactly what they should have done in the first place.  Get rid of the high-end professional grade product and get a low-end home user product.  The product matches the level of understanding.

    $0.02

     


    Saturday, August 27, 2011 1:13 PM
  • That's not helpful, Darryl. At least his 'angry rant' supplied a solution.  In any event, I have the rules in place in what I think is the correct config. Since you didn't supply any detail on completing your steps, I give you 1 cent, not two. My end goal is to be able to RDP and remote manage PCs on the WLAN, from my SBS 2011. Since you're a 'Professional Network Engineer' could you offer me some assistance? Or will you just call me stupid and waste a paragraph on it? Cause you're sooo smart and all.
    Tuesday, May 15, 2012 9:01 PM
  • I'd also like to ask, why did you jump into an answer forum to bust on someone asking a question?
    Tuesday, May 15, 2012 9:07 PM