Customize the Default 255.255.255.0 PPPoE Subnet Mask to Avoid IP Spoof

03/26/2020 20 People found this article helpful 486,563 Views

Description

SonicOS supports PPPoE WAN Connectivity. The Point-to-Point Protocol (PPP), when used over Ethernet (PPPoE), is a common choice for DSL providers . Most often, customers are acquiring a dynamic, public IP address when connecting to the provider. The SonicWall firewall has its WAN port connected to a DSL modem. SonicOS uses an artificial value of 255.255.255.0 by default. In most cases, no adjustments need to be made to this subnet mask. But this article shows you how you can change it if needed.

The PPP protocol is unusual and subnet masks are actually irrelevant to the host's IP settings. That is why the typical display of a PPP adapter connected in Windows will show a subnet mask of 255.255.255.255, and even the gateway IP is usually set to the same value as the acquired IP address. SonicOS can use this same 'slash 32' subnet mask - 255.255.255.255 - or other values like 255.255.255.240. In some cases, when the customer has multiple WAN connections, a customer may need to change this.

In an example setup, the PPPoE DSL provider is connected to SonicWall firewall's X1 interface, and gives a customer a dynamic IP address 67.118.188.190 (and SonicOS uses 255.255.255.0 by default). Also, the firewall has a second WAN connected on X2, using a static IP of 49.49.49.2 w/ a gateway router of 49.49.49.1. Now, with this multiple WAN scenario, the customer sometimes needs to access a server whose IP address is in the same public range as the PPPoE (e.g., 67.118.188.233).

If the customer has traffic going out their X2 WAN trying to reach the 67.118.188.233 server, it will fail, and SonicOS will log the attempt as an IP Spoof alert. This is because SonicOS has a directly-connected route statement for the entire subnet 67.118.188.0 / 255.255.255.0 (slash 24 network), tied to the X1 interface. This route tells the SonicWall firewall to expect traffic only on that interface and not to allow it on others. This kind of strict enforcement of IP subnet locations is central to the security functions of most firewalls. It is simple to solve using the method below.

Resolution

Here's how to customize the default 255.255.255.0 PPPoE Subnet mask in SonicOS Enhanced to avoid IP Spoof alerts:

Log into the SonicWall firewall's web management UI and you will see this in the address bar:

http(s)://[IP-address]/main.html

3. Once you are in the diag page, click the “Internal Settings” button, then scroll down until you find the PPPoE Settings section.

The PPPoE Client Subnet Mask on the SonicWall will work fine when we change the PPPoE net mask on the diag.html from “255.255.255.0” to “255.255.255.255” (which is the same as the subnet mask provided by the PPPoE Server when a PC is directly connected to Modem).

4. After changing the subnet mask, disconnect the PPPoE connection from the SNWL and connect it again. The subnet mask will take effect on that new connection.
Related Articles
Categories
- Firewalls > NSa Series > Networking
- Firewalls > TZ Series > Networking
- Firewalls > NSv Series > Networking
Not Finding Your Answers?
ASK THE COMMUNITY