If you have a Sonicwall NSA 2400 or TZ150 (this may affect other Sonicwall models as well) and a Verizon FIOS line, you may find that the Internet goes down every six hours or so and you have to reboot the firewall to restore Internet access.  This can happen if your Sonicwall is configured with more than one external IP address, because of the way FIOS handles its ARP broadcasts.  Here are the possible workarounds:

  1. Configure the Sonicwall with a single static IP address and use NAT Port Service remapping to share a single external IP address and complete the ARP changes in item 3.3 below.
  2. OR
  3. Add in a static route that includes the unused external IP addresses on the firewall.
    1. FIOS IP Block Network Object.  Under Network, Address Objects, create an Address Object range that includes your usable static block, but excludes the IP address of your Sonicwall WAN Interface.
      1. Name:  FIOSStaticIPs
      2. Zone Assignment:  WAN
      3. Type: Range
      4. Starting IP Address: <FIOS IP Block Start Range excluding your WAN IP Address>
      5. Ending IP Address: <FIOS IP Block End Range>
    2. Static Route.  Under Network, Routing, add in a route policy for the network object you just created.
      1. Source: Any
      2. Destination:  FIOSStaticIPs
      3. Service: Any
      4. Gateway: 0.0.0.0
      5. Interface: <FIOS WAN Interface usually X1>
      6. Metric: 20
    3. Change the ARP Settings on the Sonicwall.
      1. Go to <ip address of the sonicwall>/diag.html and click on Internal Settings.
      2. Under the ARP Settings check the following boxes:
        1. Enable ARP bridging
        2. Enable open ARP behavior (WARNING: Insecure!!)
        3. Limit ARPs of non-responsive IPs.

After you add this static route and modify the ARP settings, you should be able to use all of the external IP addresses in your static block and not have the firewall go down every six hours.  Changing these ARP settings on the Sonicwall will make you more vulnerable to an ARP Poisoning attack.  Your static block range must exclude any IP addresses that are assigned to physical interfaces.  The Internet will go down without the Static route and ARP changes because of the way the FIOS network is built.  The Verizon network sends ARP requests from 0.0.0.0 (an unknown network) and the Sonicwall drops these packets because it thinks it's an ARP cache poisoning attempt.  Because the Sonicwall does not reply to these requests, Verizon FIOS thinks nothing is connected to the static block and drops the connection after six hours.
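Added example (not part of the original post): a small Python helper that works out the Starting/Ending IP pairs for the FIOSStaticIPs Address Object so the range skips every address assigned to a physical interface, as required above. If an interface address sits in the middle of the block, the block has to become two Range objects; the helper names the extra ones FIOSStaticIPs2, FIOSStaticIPs3 and so on (a naming convention assumed here, not the article's). The block and interface addresses used at the bottom are constructed sample values.

```python
import ipaddress


def address_object_ranges(block_start, block_end, interface_ips):
    """Split the usable FIOS static block into contiguous ranges that
    exclude every address assigned to a physical interface (WAN IP etc.).
    Returns a list of (start, end) string pairs, one per Range object."""
    start = ipaddress.ip_address(block_start)
    end = ipaddress.ip_address(block_end)
    if end < start:
        raise ValueError("block end is before block start")
    # Only interface addresses that actually fall inside the block matter.
    excluded = sorted({ipaddress.ip_address(ip) for ip in interface_ips
                       if start <= ipaddress.ip_address(ip) <= end})
    ranges = []
    cursor = start  # next address not yet covered by a range
    for ip in excluded:
        if ip > cursor:
            ranges.append((cursor, ip - 1))
        cursor = max(cursor, ip + 1)
    if cursor <= end:
        ranges.append((cursor, end))
    return [(str(a), str(b)) for a, b in ranges]


def sonicwall_address_objects(ranges, base_name="FIOSStaticIPs"):
    """Render each range as the fields entered under Network > Address Objects."""
    objects = []
    for i, (first, last) in enumerate(ranges, start=1):
        objects.append({
            "Name": base_name if i == 1 else f"{base_name}{i}",
            "Zone Assignment": "WAN",
            "Type": "Range",
            "Starting IP Address": first,
            "Ending IP Address": last,
        })
    return objects


if __name__ == "__main__":
    # Constructed sample: a /29 usable block with the WAN interface (X1)
    # on the second address, so the object must be split in two.
    usable = ("203.0.113.8", "203.0.113.14")
    wan_ip = "203.0.113.9"
    for obj in sonicwall_address_objects(address_object_ranges(*usable, [wan_ip])):
        print(obj)
```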
