
My internet provider is having a lot of trouble with excessive ARP requests coming from a SonicWALL TZ-210. I need to tell the SonicWALL not to send so many, or to send no ARP requests at all from the WAN interface. Does anyone know if this is possible?

So far, it is not looking hopeful. I can't seem to find any options in the web interface to do this.

Any thoughts?

Thanks,

Isaac

IsaacB

3 Answers


I've been stamping these out nationwide, one by one. I've finally found the exact CAUSE of the issue! Yesterday I sat in on a conference call with an IT tech and SonicWALL. We opened a case and started troubleshooting. We went to the NAT Policies; there is a default policy on older firmware models called "WAN PRIMARY SUBNET". You want to edit this policy to say "WAN PRIMARY IP", and that's it!

SonicWALL is making a change in their next firmware to fix this BUG.

Mike Strout

I ran into this exact same problem today. SonicWALLs want to handle all of the ARP requests for the WAN. I spoke with someone from SonicWALL support today and they told me it was working as designed. Looking from the ISP side, the SonicWALL was answering ARP requests for every single IP on the subnet that the WAN port was on. Basically, the ARP table shows that every IP is in use. When you put more than one customer on the same subnet this becomes a huge problem. I moved the customer to their own small block of IPs (5 usable) and I saw 5 ARP entries for the SonicWALL. The support rep kept asking me "how many IPs are you providing them in your contract". I basically told him it was none of his business and that we were only providing the SonicWALL with 1 IP. Apparently they listen for other ARP traffic and back off when someone else tries to use one of the IPs.

Long story short, Sonicwalls SUCK.

Ryad
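The behaviour Ryad describes from the ISP side (one MAC answering ARP for every address on the shared subnet) is easy to confirm with a capture taken on the ISP's aggregation switch or wireless gateway. The following is an added example, not code from this thread or from SonicWALL: it parses ARP replies out of `tcpdump -e -n arp`-style text and flags any MAC that claims addresses it was not assigned, or, where the allocation map is unknown, more than one address. The capture lines, the MAC/IP values and the `ASSIGNED` allocation map are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in "tcpdump -e -n arp" style; NOT a capture from the thread.
# 02:42:ac:11:00:02 plays the firewall that answers for every address it is
# asked about; 02:42:ac:11:00:09 plays a well-behaved neighbour that answers
# only for its own address. A request, a duplicate reply and one non-ARP
# frame are included so the parser has something to ignore.
SAMPLE_CAPTURE = """\
10:00:00.000100 02:42:ac:11:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.10 tell 203.0.113.1, length 28
10:00:00.000300 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 02:42:ac:11:00:02, length 28
10:00:00.000400 02:42:ac:11:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.11 tell 203.0.113.1, length 28
10:00:00.000600 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.11 is-at 02:42:ac:11:00:02, length 28
10:00:00.000900 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.12 is-at 02:42:ac:11:00:02, length 28
10:00:00.001200 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.13 is-at 02:42:ac:11:00:02, length 28
10:00:00.001500 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.200 is-at 02:42:ac:11:00:02, length 28
10:00:00.001600 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 02:42:ac:11:00:02, length 28
10:00:00.002000 02:42:ac:11:00:09 > 02:42:ac:11:00:01, ethertype ARP (0x0806), length 42: Reply 203.0.113.20 is-at 02:42:ac:11:00:09, length 28
10:00:00.002500 02:42:ac:11:00:09 > 02:42:ac:11:00:01, ethertype IPv4 (0x0800), length 98: 203.0.113.20 > 203.0.113.1: ICMP echo request, id 1, seq 1, length 64
"""

# Hypothetical ISP allocation map: which addresses each customer MAC is
# actually entitled to answer for ("how many IPs are in the contract").
ASSIGNED = {
    "02:42:ac:11:00:02": {"203.0.113.10"},
    "02:42:ac:11:00:09": {"203.0.113.20"},
}

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP reply line.
ARP_REPLY = re.compile(
    r"\bReply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)


def _ip_key(ip):
    """Sort key so 203.0.113.200 sorts after 203.0.113.13, not before it."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_replies(capture):
    """Yield (mac, ip) for every ARP reply line; requests and non-ARP lines are skipped."""
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("mac").lower(), m.group("ip")


def ips_claimed_per_mac(capture):
    """Map each replying MAC to the sorted, de-duplicated list of IPs it claimed."""
    claimed = defaultdict(set)
    for mac, ip in parse_arp_replies(capture):
        claimed[mac].add(ip)
    return {mac: sorted(ips, key=_ip_key) for mac, ips in claimed.items()}


def suspicious_responders(capture, assigned=None, max_unassigned=1):
    """Return {mac: [offending IPs]} for MACs answering ARP beyond their allocation.

    A MAC present in `assigned` is flagged for every claimed IP outside its set.
    A MAC absent from `assigned` is flagged (with all its IPs) when it claims
    more than `max_unassigned` addresses; a single-IP customer should claim one.
    """
    assigned = assigned or {}
    flagged = {}
    for mac, ips in ips_claimed_per_mac(capture).items():
        if mac in assigned:
            extra = [ip for ip in ips if ip not in assigned[mac]]
        elif len(ips) > max_unassigned:
            extra = ips
        else:
            extra = []
        if extra:
            flagged[mac] = extra
    return flagged


if __name__ == "__main__":
    for mac, ips in ips_claimed_per_mac(SAMPLE_CAPTURE).items():
        print(f"{mac} answered for {len(ips)} address(es)")
    for mac, extra in suspicious_responders(SAMPLE_CAPTURE, ASSIGNED).items():
        print(f"SUSPICIOUS {mac}: answering for unassigned {', '.join(extra)}")
```

To use it on a real network, run something like `tcpdump -e -n -i <iface> arp` on the ISP-side segment, save the output and pass the text to `suspicious_responders` with the real allocation map. Running the same check again after changing the firewall's NAT policy is a direct way to confirm that the number of addresses the firewall answers for has dropped to what the customer was actually given.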

Here is a very good explanation that may help: http://www.watchguard.com/infocenter/editorial/135324.asp

You might look into your SonicWALL to see if you can manually populate its WAN interface ARP table. If so, unless you knowingly communicate with another ISP customer/subscriber on the same ISP LAN, a single entry for the upstream gateway should be all that your WAN interface needs.

user48838
  • Agreed. The firewall shouldn't be ARP'ing at all on the WAN interface except for the upstream node. If it's ARP'ing for internal addresses or anything other than the upstream node on the WAN interface then something's not right. – joeqwerty Jul 15 '11 at 19:00
  • I guess it's the network's design that allows this. You guys are saying normally there's only one thing that a firewall will try to ARP, and that's the gateway address. But in this network it's trying to ARP all of the other ISP's customers. It's some kind of wireless network out in the country. – IsaacB Jul 15 '11 at 19:09
  • Looks like there are only 127 fake MACs to put in the ARP table. I should count myself lucky. – IsaacB Jul 15 '11 at 19:18
  • Right. Normally on the WAN interface it should only ARP for the upstream node that is its DG. The only reason it would ARP for other hosts on the WAN interface is if it needs to send traffic to or respond to another host on the same subnet as the WAN interface, which should never be the case. If it is, there's some kind of funky configuration upstream, such as all of the customers' connections being aggregated together (via a switch or WAP) so they're all on the same layer 2 device, layer 3 subnet, and broadcast domain. – joeqwerty Jul 15 '11 at 19:21
  • I sure consider it amazing that after all these years I never ran into a networking problem below the IP stack. I didn't even know what ARP did. I just knew it existed. – IsaacB Jul 15 '11 at 19:23
  • That is amazing, and a bit of good luck as well... – joeqwerty Jul 15 '11 at 19:28
  • Thanks for your help, Joe. I guess next time before I plug a powerful firewall/router into some backwoods ISP I will ask them beforehand if they can handle all the ARP traffic. All those low-end routers for home must not bother to ARP anything other than the gateway, just by their design. Thanks for helping me to learn something new! – IsaacB Jul 15 '11 at 19:35
  • Glad to help... – joeqwerty Jul 15 '11 at 19:40
  • "It's some kind of wireless network out in the country." If it's 802.11-based, then it's probably not even any of the subscribers doing this, but possibly other folks trying to break into their network. – user48838 Jul 15 '11 at 19:55
  • @user48838: wouldn't the intruder need to have an ip address in the same subnet as the firewall WAN interface in order to cause the firewall to ARP for ip addresses in the same subnet as the WAN interface? How would they acquire these ip addresses? – joeqwerty Jul 15 '11 at 20:29
  • You're right, probably just flooding the network at worst. – user48838 Jul 16 '11 at 01:52