How to avoid intrusion detection/anti spoofing issue on a sonicwall TZ series FW

Posted by Ian on Server Fault
Published on 2012-11-12T19:07:13Z Indexed on 2012/11/13 11:06 UTC

We have a sonicwall tz series FW with two internet service providers connected.

One of the providers has a wireless service which works a bit like an ethernet switch in that we have an ip with a /24 subnet and the gateway is .1. All other clients on the same subnet (say 195.222.99.0) have the same .1 gateway - this is important, read on.

Some of our clients are also on the same subnet.

Our config:

  • X0 : Lan
  • X1 : 89.90.91.92
  • X2 : 195.222.99.252/24 (GW 195.222.99.1)

X1 and X2 are not connected, other than both being connected to the public Internet.

Client config:

  • X1 : 195.222.99.123/24 (GW 195.222.99.1)

What fails, what works:

  • Traffic 195.222.99.123 (client) <-> 89.90.91.92 (X1) : Spoof alert
  • Traffic 195.222.99.123 (client) <-> 195.222.99.252 (X1) : OK - no spoof alert

I have several clients with IPs in the 195.222.99.0 range and all provoke identical alerts.

This is the alert I see on the FW:

Alert   Intrusion Prevention    IP spoof dropped 195.222.99.252, 21475, X1  89.90.91.92, 80, X1 MAC address: 00:12:ef:41:75:88

Anti-spoofing is switched off on my FW (network -> mac-ip-anti-spoofing -> config for each interface) for all ports.

I can provoke the alerts by telnetting to a port on X1 from the clients.

You can't argue with the logic - this is suspicious traffic. X1 is receiving traffic with a source IP which corresponds to X2's subnet.

Anyone know how I can tell the FW that packets with a src subnet of 195.222.99.0 can legitimately appear on X1?

I know what's going wrong, I've seen the same thing before, but with higher end FWs you can avoid this with a few extra rules. I can't see how to do this here. And before you ask why we're using this service provider - they give us 3ms (yep 3ms, that's not an error) delay between routers.

© Server Fault or respective owner
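The check that produces the alert above is a per-interface source-address test: a packet whose source falls in a subnet bound to one interface but which arrives on another is treated as spoofed. The following Python model is an added example (not SonicWall code and not from the question); it reproduces the "fails" and "works" rows with the addresses from the post and shows what an exception "195.222.99.0/24 may arrive on X1" has to express. The X1 mask (/32) and the X0 private subnet are assumptions, since the post gives neither; the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    ingress: str  # interface the packet arrived on, e.g. "X1"


class AntiSpoofChecker:
    """Model of an ingress anti-spoofing check.

    A packet is dropped when its source address lies in a subnet bound to a
    different interface than the one it arrived on, unless an explicit
    exception allows that subnet on the ingress interface.
    """

    def __init__(self, interfaces: Dict[str, List[str]],
                 exceptions: Iterable[Tuple[str, str]] = ()):
        # interface name -> subnets bound to it
        self.interfaces: Dict[str, List[IPNet]] = {
            name: [ipaddress.ip_network(n) for n in nets]
            for name, nets in interfaces.items()
        }
        # (ingress interface, subnet) pairs allowed although the subnet is bound elsewhere
        self.exceptions: Set[Tuple[str, IPNet]] = {
            (iface, ipaddress.ip_network(n)) for iface, n in exceptions
        }

    def locate(self, addr: str) -> Optional[Tuple[str, IPNet]]:
        """Return (interface, subnet) owning addr, longest prefix first, or None."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[str, IPNet]] = None
        for name, nets in self.interfaces.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (name, net)
        return best

    def verdict(self, pkt: Packet) -> str:
        hit = self.locate(pkt.src)
        if hit is None:
            return "forward"  # not a locally bound subnet; nothing to compare against
        owner, net = hit
        if owner == pkt.ingress:
            return "forward"  # source arrived where its subnet lives
        if (pkt.ingress, net) in self.exceptions:
            return "forward"  # explicitly allowed on this ingress interface
        return f"IP spoof dropped {pkt.src} on {pkt.ingress} (subnet {net} is bound to {owner})"


# Interface layout from the question. X1's mask is not stated (/32 assumed);
# X0's private subnet is invented for illustration.
FW_INTERFACES = {
    "X0": ["192.168.0.0/24"],
    "X1": ["89.90.91.92/32"],
    "X2": ["195.222.99.0/24"],
}

# Constructed packets: the two rows from "what fails, what works", the tuple
# from the logged alert, and an ordinary Internet source for contrast.
SAMPLES = [
    Packet("195.222.99.123", "89.90.91.92", "X1"),     # client -> X1: alert
    Packet("195.222.99.123", "195.222.99.252", "X2"),  # client -> X2: fine
    Packet("195.222.99.252", "89.90.91.92", "X1"),     # the logged alert tuple
    Packet("8.8.8.8", "89.90.91.92", "X1"),            # unrelated source: fine
]

STRICT = AntiSpoofChecker(FW_INTERFACES)
# Same layout plus the single exception the question asks for.
RELAXED = AntiSpoofChecker(FW_INTERFACES, [("X1", "195.222.99.0/24")])


def run(checker: AntiSpoofChecker) -> List[str]:
    return [checker.verdict(p) for p in SAMPLES]


if __name__ == "__main__":
    for label, checker in (("strict", STRICT), ("with exception", RELAXED)):
        print(label)
        for pkt, result in zip(SAMPLES, run(checker)):
            print(f"  {pkt.src} -> {pkt.dst} via {pkt.ingress}: {result}")
```

The exception is keyed on the ingress interface and the subnet together, not on the subnet alone: allowing 195.222.99.0/24 on X1 says nothing about X0, where such a source would still be dropped. The trade-off is that any packet with a source in that /24 now passes the check on X1, so the narrower the allowed prefix (ideally just the client hosts that really need it), the less of the original protection is given up.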