
SONICOS

Using the ‘opt. zone’/‘OPT’/‘X2’/‘DMZ’ interface on SonicWALL Security Appliances running SonicOS

Introduction
This document will explain what the ‘opt. zone’/’OPT’/’X2’/’DMZ’ interface is on a SonicWALL security appliance and what
it can be used for. The interface is labeled differently across the product lines, both on the device and in the Management
GUI, but despite the naming differences they have the exact same functionality. Depending on the model and version of
SonicOS, this interface may be referred to as “opt.zone”, or “OPT”, or “X2” or “DMZ”, throughout the Management GUI.
This is admittedly a little confusing, so for the purposes of this document we’ll be referring to it as the OPT interface in all
examples to minimize confusion.

Product Overview
Products that don’t have an OPT interface: TZ 50, TZ 50W, TZ 150, TZ 150W

Products that do have an OPT interface: TZ 170, PRO 1260, PRO 2040, PRO 3060

Products that do have an OPT interface but need to run SonicOS Enhanced before it is active: TZ 170SP, TZ 170W, TZ
170SPW (SonicOS Standard can support only three interfaces, and these devices already have a modem and/or wireless
device in them acting as the third interface.)

The PRO 4060, PRO 4100, and PRO 5060 all run SonicOS Enhanced by default and have multiple user-configurable
interfaces.

Recommended Versions
• SonicOS Standard 3.1.0.11 or newer
• SonicOS Enhanced 3.1.0.8 or newer

Due to an issue with switching between NAT Mode and Transparent Mode in versions of SonicOS Standard 3.1.0.8 and
older, SonicWALL recommends upgrading to SonicOS 3.1.0.11 or newer, as the issue is resolved in this release version.

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the
MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers
who have registered the SonicWALL device on MySonicWALL for the first 90 days.

What is the OPT interface?

As noted, despite the different naming conventions this interface is essentially an optional security interface wholly
separate from the LAN and WAN interfaces. It can serve a number of uses depending upon the version of SonicOS the
security appliance is running. All traffic passing from the OPT to LAN, LAN to OPT, OPT to WAN, and WAN to OPT is
subject to inspection by Firewall Access Rules and by Deep Packet Inspection security services.

What does OPT stand for?

“Opt. zone” stands for optional zone, “OPT” stands for optional, “X2” refers to the interface naming conventions on the
PRO series and denotes that it is the third interface (numbering starts at zero), and “DMZ” stands for Demilitarized Zone,
which is a common naming convention in the security industry for an interface or zone with a level of access security
between the WAN and LAN interfaces.
Can I ping the OPT interface’s IP address?
It’s possible if the security appliance is running SonicOS Enhanced (and the interface has been configured to allow
‘Ping’). It’s not possible in SonicOS Standard, however (and no, creating a firewall rule to allow ‘Ping’ to the interface’s
IP address will not make it work).

Can I access the management GUI via the OPT interface’s IP address?
This is possible if the security appliance is running SonicOS Enhanced and the interface has been set to allow ‘HTTP/S
Management’. It’s not possible in SonicOS Standard, however (and no, you cannot create a firewall rule to allow
‘HTTP/S Management’ to make it work).

Should systems on the OPT interface use the OPT interface’s IP address as the gateway?
Yes, if the OPT interface is in NAT Mode. If it’s in Transparent Mode, the OPT interface does not have an address of its
own, and you will need to use the upstream router’s IP address as the gateway (do *NOT* use the SonicWALL’s WAN IP
address as the gateway).

Can I create a DHCP Scope for the OPT interface?

Yes, if the interface is configured for NAT Mode. Log into the SonicWALL using the management GUI and go to the
‘Network > DHCP Server’ page. Click on the ‘Add Dynamic’ button. On the page that appears, define the range of IP
addresses from the IP subnet attached to the OPT interface, set the desired lease time, and click on the OK button to
save and activate the changes. For an example see Figure 1 below. NOTE: by default this scope will send along the
inherited DNS settings of the SonicWALL; should you wish to override this just click on the ‘DNS/WINS’ tab and enter the
desired DNS and WINS servers you wish to use. If you are using DNS and WINS servers on the LAN interface, you will
need to write firewall rules to allow this, as by default all traffic from the OPT interface to the LAN interface is denied.

Figure 1 – Creating a DHCP scope for systems on the OPT interface

Can I attach a hub or switch to the OPT interface?

Yes, in fact this is recommended. When attaching a hub or switch to an interface on a SonicWALL security appliance, it’s
recommended to lock the speed and duplex on both sides to matching settings before plugging the devices into each
other, given that auto-configuration sometimes results in mismatched duplex settings that can greatly interfere with
connectivity.

My SonicWALL security appliance has a 10-user license – does this also apply to systems on the OPT interface?
Yes, the Node License Manager will track systems both on the LAN and the OPT interface. The Node License Manager
tracks systems by IP address – a single NIC with X number of IPs bound to a single MAC address will take up X number
of licenses. To see which systems are currently using node licenses, what interface those systems reside on, and to
create node license exclusions for systems you do not wish to utilize a license, log into the security appliance via the
management GUI and go to the ‘System > Licenses’ page. Node upgrade licenses can be purchased online at
https://www.mysonicwall.com using your MySonicWALL account, or from your SonicWALL sales representative.

How do I configure the OPT interface in SonicOS Standard?

The OPT interface can be configured for two different modes when the security appliance is running SonicOS Standard –
‘OPT in Transparent Mode’, which means that the interface operates in a secure-bridge mode with the WAN interface,
and ‘OPT in NAT Mode’, which means that the interface operates as a wholly separate interface and has its own unique
IP subnet separate from the WAN and LAN interfaces. In this section, we’ll cover how to configure both modes, and also
discuss how to allow access to systems on the OPT interface from Global VPN (GVC) and site-to-site VPN connections.

Using OPT in Transparent Mode – NOTE: If you will be using the OPT port in Transparent Mode, the WAN interface must
have a static IP address; other addressing methods such as DHCP or PPPoE cannot be used. Log into the SonicWALL
using the management GUI and go to the ‘Network > Settings’ page. Click on the ‘Configure’ icon next to the OPT
interface. On the page that appears, select the radio button next to ‘OPT in Transparent Mode’. Then, click on the ‘Add…’
button below this. Enter in the public IP address(es) that you wish to assign to the system(s) that will be on the OPT
interface. These IP addresses should be from the same subnet as the WAN IP interface of the SonicWALL. In Figure 4 on
the next page, the SonicWALL has a server on the OPT port using the IP address 207.88.91.90; the WAN IP of the
SonicWALL is 207.88.91.83, and the upstream gateway for both is 207.88.91.65. When done, click on the ‘OK’ button to
save and activate the change.

Figure 2 – Setting the OPT interface to Transparent Mode

You can now attach the server to the OPT interface, either directly or using a hub/switch. Remember to configure the
server’s IP addressing so that it uses the IP address you just entered in the step above, set it to use the same upstream
gateway as the SonicWALL (do NOT set it to use the SonicWALL’s WAN IP address as its gateway), set the correct
subnet mask, and set the correct DNS server (if you wish to use a DNS server on your LAN, you will need to create a
firewall rule allowing this, as access from OPT to LAN is denied by default). When this is done, test the system’s public
Internet access by launching a web browser and accessing http://www.whatismyip.com. It should list the IP address you
just configured the server and the OPT interface for. If not, check the steps above and try again.

If the system needs to be accessed by systems out on the public Internet, you will need to write firewall rules to allow this.
For example, if this system is a webserver, just go to the ‘Firewall > Access Rules’ page and click on the ‘Add…’ button.
For an example on how to configure it, see Figure 3 below (just replace the IP address shown with your server’s IP
address). When done, click on the ‘OK’ button to save and activate the change. To test, attempt to access the server via
this IP address on the allowed port from another system connected to the public Internet.

Figure 3 – Creating a Firewall rule to allow WWW access to the server on the OPT port
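As an added example (not from the SonicWALL document), the following Python pre-flight check encodes the Transparent Mode constraints stated above: the WAN interface must be statically addressed, hosts on OPT use public addresses from the WAN subnet, and their gateway is the upstream router rather than the SonicWALL’s WAN IP. The /27 mask and the host list are assumptions; the addresses are the ones used in the text.

```python
import ipaddress
from typing import Dict, List


def check_transparent_opt(wan_ip: str, wan_mask: str, wan_addressing: str,
                          upstream_gateway: str, opt_hosts: Dict[str, str]) -> List[str]:
    """Pre-flight checks for 'OPT in Transparent Mode' on SonicOS Standard.

    opt_hosts maps each OPT host's public IP to the default gateway that host
    will be configured with. Returns the problems found; an empty list means the
    plan matches the constraints the whitepaper states.
    """
    problems: List[str] = []
    # Transparent Mode needs a static WAN address; DHCP and PPPoE cannot be used.
    if wan_addressing.lower() != "static":
        problems.append(f"WAN is addressed by {wan_addressing}; Transparent Mode requires a static WAN IP")
    wan_net = ipaddress.ip_network(f"{wan_ip}/{wan_mask}", strict=False)
    wan_addr = ipaddress.ip_address(wan_ip)
    router = ipaddress.ip_address(upstream_gateway)
    if router not in wan_net:
        problems.append(f"upstream gateway {router} is not on the WAN subnet {wan_net}")
    for host, host_gw in opt_hosts.items():
        addr = ipaddress.ip_address(host)
        # Hosts behind OPT keep public addresses taken from the WAN subnet ...
        if addr not in wan_net or addr in (wan_net.network_address, wan_net.broadcast_address):
            problems.append(f"{addr}: not a usable host address on the WAN subnet {wan_net}")
        # ... but may not reuse the appliance's WAN IP or the router's address.
        if addr in (wan_addr, router):
            problems.append(f"{addr}: already used by the SonicWALL WAN interface or the router")
        # The OPT interface has no address of its own in Transparent Mode, so each
        # host's gateway is the upstream router, never the SonicWALL's WAN IP.
        if ipaddress.ip_address(host_gw) == wan_addr:
            problems.append(f"{addr}: gateway is the SonicWALL WAN IP; use the upstream router {router}")
        elif ipaddress.ip_address(host_gw) != router:
            problems.append(f"{addr}: gateway {host_gw} is not the upstream router {router}")
    return problems


# Constructed plan built from the whitepaper's example addresses; the /27 mask
# (255.255.255.224) is an assumption, as the document does not give the WAN subnet mask.
SAMPLE_PLAN = dict(
    wan_ip="207.88.91.83",
    wan_mask="255.255.255.224",
    wan_addressing="static",
    upstream_gateway="207.88.91.65",
    opt_hosts={
        "207.88.91.90": "207.88.91.65",  # server configured as the document describes
        "207.88.91.91": "207.88.91.83",  # mistake: SonicWALL WAN IP used as gateway
        "10.0.0.5": "207.88.91.65",      # mistake: private address on a transparent OPT
    },
)
```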

Using OPT in NAT Mode - Log into the SonicWALL using the management GUI and go to the ‘Network > Settings’ page.
Click on the ‘Configure’ icon next to the OPT interface. On the page that appears, select the radio button next to ‘OPT in
NAT Mode’. In the field next to ‘OPT Private Address:’ enter the private IP address you wish to assign to the OPT
interface -- this will be the gateway address for all systems attached to this interface. In the field next to ‘OPT Subnet
mask:’, enter in the subnet mask for the OPT interface’s subnet. The third entry field is optional, and only used when you
want all systems on the OPT interface to use a public IP address other than the WAN IP address of the SonicWALL when
accessing the public internet; this is a rarely-used field, but to use it, simply enter in an unused public IP address from the
same subnet of the SonicWALL’s WAN interface. If you are unsure about what this is, or do not have one, leave this field
as-is. When done, click on the ‘OK’ button to save and activate the changes. For an example, see Figure 4.

Figure 4 – Setting the OPT Interface to NAT Mode

Now, create a DHCP scope for this interface. Instructions on how to do this can be found on page two of this whitepaper.

To test, attach a system to the OPT interface, either directly or using a hub/switch, and set the system to obtain its IP
addressing information via DHCP. When this is done, test the system’s public Internet access by launching a web browser
and accessing http://www.whatismyip.com. It should list the IP address you just configured the server and the OPT
interface for. If not, check the steps above and try again.

If you have a server on the OPT interface that needs its own public IP address for access, you’ll need to create a One-to-
One NAT mapping. To do this, go to the ‘Network > One-to-One NAT’ page. Check the box next to ‘Enable One-to-One
NAT’ and click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change. Then, click on the
‘Add…’ button. On the page that appears, enter the server’s private IP address into the field next to ‘Private Range Start:’,
enter the public IP address that everyone will use to access this server in the field next to ‘Public Range Start:’, and
enter “1” into the field next to ‘Range Length’. When done, click on the ‘OK’ button to save and activate the change. For
an example, see Figure 5 below.

Figure 5 – Creating a One-to-One NAT Mapping for a system on the OPT interface

If the system needs to be accessed by systems out on the public Internet, you will need to write firewall rules to allow this.
For example, if this system is a webserver, just go to the ‘Firewall > Access Rules’ page and click on the ‘Add…’ button.
For an example on how to configure it, see Figure 6 below (just replace the IP address shown with your server’s IP
address). When done, click on the ‘OK’ button to save and activate the change. To test, attempt to access the server via
this IP address on the allowed port from another system connected to the public Internet.

Figure 6 - Creating a Firewall rule to allow WWW access to the server on the OPT port

Please note that it is not necessary to use one-to-one NAT if you have servers that need to be reached from the public
Internet; servers can be reached using the SonicWALL’s WAN IP address by writing the appropriate firewall rule.

Using OPT with VPNs – To allow GVC users to access systems on the OPT interface, log into the security appliance’s
management GUI. Go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to ‘GroupVPN’. When the pop-
up page appears, click on the ‘Advanced’ tab. Under the ‘VPN Terminated at:’ section, select the radio button next to
‘LAN/OPT’ (see Figure 7 below for example). When done, click on the ‘OK’ button to save and activate the change. All
GVC users, upon subsequent connections, will be able to securely access the systems on the OPT interface.

Figure 7 – Allowing GVC users access to systems on OPT interface

To allow a new or existing site-to-site VPN policy to carry traffic to/from systems on the OPT interface, log into the
security appliance’s management GUI and go to the ‘VPN > Settings’ screen. Click on the ‘Configure’ icon next to the
policy you wish to modify. When the pop-up page appears, click on the ‘Advanced’ tab. Under the ‘VPN Terminated at:’
section, select the radio button next to ‘LAN/OPT’ (see Figure 8 below for an example). When done, click on the ‘OK’
button to save and activate the change.

Figure 8 – Allowing site-to-site VPNs access to systems to/from OPT interface

You will also need to modify the peer’s VPN setup to add the OPT interface’s IP subnet. For example, if the other side of
the VPN policy is a SonicWALL running SonicOS Standard, modify the corresponding policy by clicking on the ‘Configure’
icon next to it. When the pop-up appears, click on the ‘Add…’ button under ‘Destination Networks:’ and add your side’s
OPT interface IP subnet and mask. When done, click on the ‘OK’ button to add the network, and then click on the ‘OK’
button to save and activate the change. See Figure 9 below for an example.

Figure 9 – Adding the OPT interface network to the remote side VPN setup

Is there any limit to the number of systems I can put behind the OPT interface if it’s in Transparent Mode?
If the SonicWALL is licensed for unlimited nodes, then no, there is no functional limitation to the number of systems, other
than the capacity of the device itself.

Is there any limit to the number of systems I can put behind the OPT interface if it’s in NAT Mode?
If the SonicWALL is licensed for unlimited nodes, then no, there is no functional limitation to the number of systems, other
than the capacity of the device itself. However, there is a limit of 64 One-to-One NAT mappings that can be created.
One-to-one mappings can be single/individual mappings or ranges of up to 254 internal IP addresses each.
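An added example, not part of the whitepaper: a Python check over a planned One-to-One NAT table that applies the limits stated above (64 mappings, ranges of up to 254 addresses) together with the addressing rules from the NAT Mode section (private side on the OPT subnet, public side unused addresses on the WAN subnet, never the WAN IP itself). The OPT subnet, the WAN /27 mask and the mapping rows are constructed.

```python
import ipaddress
from typing import List, Tuple

# Limits stated in the whitepaper for SonicOS Standard One-to-One NAT.
MAX_MAPPINGS = 64
MAX_RANGE_LENGTH = 254

# One row of the 'Network > One-to-One NAT' table:
# ('Private Range Start', 'Public Range Start', 'Range Length')
Mapping = Tuple[str, str, int]


def _span(start: str, length: int):
    first = ipaddress.ip_address(start)
    return first, first + (length - 1)


def _overlaps(a, b) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def validate_one_to_one(mappings: List[Mapping], opt_subnet: str,
                        wan_subnet: str, wan_ip: str) -> List[str]:
    """Return the problems found; an empty list means the plan fits the rules."""
    opt_net = ipaddress.ip_network(opt_subnet, strict=False)
    wan_net = ipaddress.ip_network(wan_subnet, strict=False)
    wan_addr = ipaddress.ip_address(wan_ip)
    problems: List[str] = []
    if len(mappings) > MAX_MAPPINGS:
        problems.append(f"{len(mappings)} mappings exceed the limit of {MAX_MAPPINGS}")
    seen_private, seen_public = [], []
    for private_start, public_start, length in mappings:
        if not 1 <= length <= MAX_RANGE_LENGTH:
            problems.append(f"{private_start}: range length {length} is outside 1..{MAX_RANGE_LENGTH}")
            continue
        priv, pub = _span(private_start, length), _span(public_start, length)
        # The private side must lie on the OPT interface's NAT-mode subnet.
        if priv[0] not in opt_net or priv[1] not in opt_net:
            problems.append(f"{private_start}: private range leaves {opt_net}")
        # The public side must be unused addresses on the WAN subnet ...
        if pub[0] not in wan_net or pub[1] not in wan_net:
            problems.append(f"{public_start}: public range leaves {wan_net}")
        # ... and must not include the appliance's own WAN address.
        if pub[0] <= wan_addr <= pub[1]:
            problems.append(f"{public_start}: public range includes WAN IP {wan_addr}")
        # Two mappings may not claim the same private or public address.
        if any(_overlaps(priv, s) for s in seen_private):
            problems.append(f"{private_start}: private range overlaps another mapping")
        if any(_overlaps(pub, s) for s in seen_public):
            problems.append(f"{public_start}: public range overlaps another mapping")
        seen_private.append(priv)
        seen_public.append(pub)
    return problems


# Constructed sample table (illustrative addresses, not from a real deployment).
SAMPLE_MAPPINGS: List[Mapping] = [
    ("192.168.100.10", "207.88.91.90", 1),    # web server: acceptable
    ("192.168.100.20", "207.88.91.83", 1),    # public address is the WAN IP
    ("192.168.100.10", "207.88.91.91", 1),    # private address already mapped
    ("192.168.100.30", "207.88.91.92", 300),  # range longer than 254
]
```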

How does the OPT interface work if the security appliance is running SonicOS Enhanced?
If the security appliance is running SonicOS Enhanced, the OPT interface can be bound to any zone – which means it can
be used for any number of purposes.

• You can bind it to the LAN zone if you’ve run out of addressing space on your primary LAN interface and don’t
want to renumber everything (quick expansion).
• You can assign it to the WAN zone as the secondary WAN interface (for active/passive or active/active WAN
load-balancing and failover).
• You can assign it to the DMZ or a custom zone, in NAT mode (to separate systems from the internal LAN zone).
• You can assign it to the WLAN zone and add SonicWALL SonicPoints to provide secure wireless coverage for
your network (even on TZ 170s).
• You can assign it to the LAN, DMZ or a custom zone, in Transparent Mode (to protect systems with public IP
addresses).
• You can create a custom ‘SSLVPN’ zone, in NAT mode, and install SonicWALL’s SSL-VPN 2000 appliance to
add SSL-VPN capability to your existing network.

For full instructions on how to configure your SonicWALL security appliance for these different modes, please refer to the
‘SonicOS Enhanced 3.1 Administrators Guide’, which can be found here:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_3.1_Administrators_Guide.pdf

I have systems on the OPT interface and the LAN interface and I can’t see them in the Network Neighborhood – I
have firewall rules allowing them access to each other but they still don’t show up – why?
Some Microsoft networking environments rely heavily on NetBIOS broadcasts to advertise and locate network resources
(servers, print devices, etc.). On a local LAN segment this works fine, as broadcasts are propagated to every node on the
local segment. When the network segments are separated this mechanism fails, since firewalls generally are not
configured to forward broadcasts to remote segments. And, since people tend to access Microsoft network resources by a
friendly name instead of IP address, they’re accustomed to finding these resources by clicking on the ‘Network
Neighborhood’ or ‘My Network Places’ desktop icons, or by a mapped drive to the resources.

By default, SonicWALL devices are configured not to pass Microsoft NetBIOS broadcasts across interfaces. Below, we
will detail how to configure the SonicWALL to pass these broadcasts across the interfaces, for each firmware type. Please
note that this will increase traffic across the interfaces in most environments. In larger environments it may lead to a
substantial increase in traffic, and because of this it is not recommended. Instead, it is recommended that the Microsoft
networking environment be correctly configured using Active Directory and/or WINS services, which are components of
Microsoft’s Windows 2003 Server.

NOTE: Correct use of AD and/or WINS will minimize issues when attempting to access Microsoft network resources
across interfaces. Please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;160177 for a more detailed
discussion of this topic.

NOTE: The examples below assume you have created firewall rules to allow systems to communicate with one another
bidirectionally. If you have not done so, do this first before continuing.

Configuring SonicOS Standard to pass NetBIOS broadcasts:

1. Before beginning, install SonicOS Standard 3.1.0.11 or newer.
2. Log into the SonicWALL’s management GUI and go to the ‘Firewall > Advanced’ page.
3. Select the checkboxes next to ‘From LAN to DMZ’ and ‘From DMZ to LAN’.
4. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.
5. See Figure 10 below for an example.

Figure 10 – Allowing NetBIOS pass through from DMZ-to-LAN and LAN-to-DMZ

Configuring SonicOS Enhanced to pass NetBIOS broadcasts:

1. Before beginning, install SonicOS Enhanced 3.1.0.8 or newer.
2. Log into the SonicWALL’s management GUI and go to the ‘Network > IP Helper’ page.
3. Check the boxes next to ‘Enable IP Helper’ and ‘Enable NetBIOS Support’.
4. Click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.
5. Click on the ‘Add’ button under ‘IP Helper Policies’ and create a NetBIOS entry for ‘LAN Subnets’ to ‘DMZ
Subnets’ (or whatever subnets you wish to pass between).
6. Now create an entry for the opposite direction: click on the ‘Add’ button under ‘IP Helper Policies’ and create a
NetBIOS entry for ‘DMZ Subnets’ to ‘LAN Subnets’ (or whatever subnets you wish to pass between).
7. See Figure 11 below for an example.

Figure 11 – Allowing NetBIOS pass through using IP Helper

Created: 09/23/2005
Updated: 11/03/2005
Version 1.1
