Transparent mode and NAT?

[robbyp]

I have always used my Sonicwall with NAT. However, we recently purchased some new Voice over IP phones and were told to program public IP addresses into the phone. These phones will plug into the network behind the firewall, but will not work with NAT. So they told me the Sonicwall had to be changed to Transparent mode.

I'm not sure what Transparent mode is, but when I did it the firewall appeared to have lost its LAN IP address and I was no longer able to connect to the Internet. Probably because I didn't configure it all the way.

So is there anyone that can tell me the big difference between Transparent mode and NAT? I was able to ping the firewall publicly in Transparent mode which makes me think it's a security risk. Thank you.

 

[Reel]

Read this: http://www.sonicwall.com/servi...s/Transparent_Mode.pdf

I skimmed it briefly and I think transparent mode is basically a way to set up 1:1 IP mapping rather than NAT so if you have 5 computers and 5 public IPs assigned to your connection, you could map each IP through the SonicWall firewall to each computer.

 

[robbyp]

I have about 40 computers on the network. I only want to map 7 VOIP phones and leave the rest of the PC's with DHCP and NAT. Thanks for the link.

 

[Reel]

If I understood transparent mode correctly, it seems like an all or nothing procedure. You would need to either find some mixed mode or put a second NAT router in serial with one of the public IPs.

 

[Eltano1]

I was wondering if TM is not the same as DMZ?

 

[robbyp]

I have the Sonicwall TZ170 and those instructions are not the same. I'm wondering if I can create a DMZ in OPT like it is saying.

 

[robbyp]

I have LAN, WAN, and OPT. I can run OPT in Transparent mode with a public IP, but I don't really know what that does or mean, so I need to find out what OPT even is.

 

[JackMDS]

This is really a very long shot since I am not familiar with the sonicwall and your network, and I am sure the solution is compatible with the VOIP.

SMC makes a little Cable/DSL Router call 7004vbr. It acts like a regular Entry level Router, but can accomodate up to 10 computers on the DMZ provided that each one has it own public external IP.

May be you can use it for the VOIP, and Internet for these computers. Then find a way to bridge them into the LAN for local use. Naturally there are important security issues that must be attended to by using such a solution.

Wait for Spidey or Garion to appear. I think they have experience with this matter.

:sun:

 

[InlineFive]

I'm not real firm on if this would work or not as I have never needed to use this feature of my TZ-170. But here is what I would to do.

1. Update to SonicOS Enhanced so you can make use of the OPT/DMZ port.
2. Connect the VoIP units to the OPT/DMZ port.
3. Specify the OPT/DMZ zone to use a different IP range then the LAN zone.
4. Modify the firewall rules so that the LAN and OPT/DMZ zone cannot communicate with each other.
5. Create another firewall rule allowing all traffic between the WAN zone and the OPT/DMZ zone.
6. Use One-to-One NAT to map WAN IPs to the OPT/DMZ IPs of the VoIP phone units.

Using the OPT/DMZ port is not necessary but then it allows you to keep the VoIP units open to the internet but still protect the LAN. And I'm not sure if step 6 is necessary if your ISP will provide IPs to each VoIP unit if they are open to the WAN zone.

My two cents...