How to avoid intrusion detection/anti spoofing issue on a sonicwall TZ series FW
- by Ian
We have a sonicwall tz series FW with two internet service providers connected.
One of the providers has a wireless service which works a bit like an ethernet switch in that we have an ip with a /24 subnet and the gateway is .1. All other clients on the same subnet (say 195.222.99.0) have the same .1 gateway - this is important, read on.
Some of our clients are also on the same subnet.
Our config:
X0 : Lan
X1 : 89.90.91.92
X2 : 195.222.99.252/24 (GW 195.222.99.1)
X1 and X2 are not connected, other than both being connected to the public Internet.
Client config:
X1 : 195.222.99.123/24 (GW 195.222.99.1)
What fails, what works:
Traffic 195.222.99.123 (client) <- 89.90.91.92 (X1) : Spoof alert
Traffic 195.222.99.123 (client) <- 195.222.99.252 (X1) : OK - no
spoof alert
I have several clients with IPs in the 195.222.99.0 range and all provoke identical alerts.
This is the alert I see on the FW:
Alert Intrusion Prevention IP spoof dropped 195.222.99.252, 21475, X1 89.90.91.92, 80, X1 MAC address: 00:12:ef:41:75:88
Anti-spoofing is switched off on my FW (network-mac-ip-anti-spoofing - config for each interface) for all ports
I can provoke the alerts by telneting to a port on X1 from the clients.
You can't argue with the logic - this is suspicious traffic. X1 is receiving traffic with a source IP which corresponds to X2s subnet.
Anyone know how can I tell the FW that packets with a src subnet of 195.222.99.0 can legitimately appear on X1?
I know whats going wrong, I've seen the same thing before, but with higher end FWs you can avoid this with a few extra rules. I can't see how to do this here.
And before you ask why we're using this service provider - they give us 3ms (yep 3ms, thats not an error) delay between routers.
