VPN into multiple LAN Subnets
The problem was not that VPN clients could not access the X3 network; any LAN device on the Sonicwall could not access the X3 network. Once a NAT entry was created to properly translate the source/destination of the packets destined for the X3 network, everything worked fine. This is also described in a bit more detail in this question: Sonicwall routing between multiple subnets on multiple interfaces
Rain, updated on September 18, 2022

Comments
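As an added illustration (not part of the original thread), a small Python model of the return-path problem behind that NAT entry: the Network B gateway has no route back to the VPN pool, so a reply only gets back if the SonicWall source-NATs the traffic to its X3 address or Router 2 is given a static route for that subnet. Addresses follow the diagram in the question; the X3 interface address 10.1.1.2 is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing taken from the diagram in the question: Network A on X2,
# Network B on X3 (Router 2's LAN), and VPN clients drawn from the X1 DHCP pool.
VPN_POOL = ip_network("192.168.1.0/24")
NET_A = ip_network("192.168.2.0/24")
NET_B = ip_network("10.1.1.0/24")
X3_IP = ip_address("10.1.1.2")   # assumed address of the SonicWall's X3 interface

# Routing tables as (prefix, next hop). "direct" means on-link; anything unmatched
# leaves by the device's default route toward the WAN and never comes back.
SONICWALL_ROUTES = [(VPN_POOL, "direct"), (NET_A, "direct"), (NET_B, "direct")]
ROUTER2_ROUTES = [(NET_B, "direct")]   # Router 2 has never heard of the VPN pool


def next_hop(routes, dst):
    for prefix, hop in routes:
        if dst in prefix:
            return hop
    return "default-wan"


def reply_reaches_client(client, server, snat_ip=None, router2_routes=ROUTER2_ROUTES):
    """Send one packet from a VPN client to a host on Network B and trace the
    reply. Returns True only if the reply can get back to the client."""
    client, server = ip_address(client), ip_address(server)
    if next_hop(SONICWALL_ROUTES, server) != "direct":
        return False                       # SonicWall cannot even reach Network B
    # Outbound: a NAT policy rewrites the source to the X3 address (if configured).
    visible_src = snat_ip if snat_ip else client
    # Return path as seen by the Network B host: on-link, or via its gateway (Router 2).
    if visible_src in NET_B:
        # Reply is ARPed straight to X3; the SonicWall reverses the NAT and delivers it.
        return True
    hop = next_hop(router2_routes, visible_src)
    return hop != "default-wan"            # otherwise Router 2 needs a static route


if __name__ == "__main__":
    print("no NAT, no route :", reply_reaches_client("192.168.1.50", "10.1.1.20"))
    print("with SNAT to X3  :", reply_reaches_client("192.168.1.50", "10.1.1.20", snat_ip=X3_IP))
    fixed = ROUTER2_ROUTES + [(VPN_POOL, "via 10.1.1.2")]
    print("static route RT2 :", reply_reaches_client("192.168.1.50", "10.1.1.20", router2_routes=fixed))
```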
- Rain, almost 2 years ago:
I need to figure out a way to allow access to two LAN subnets on a SonicWall NSA 220 through the built-in SonicWall GlobalVPN server. I've Googled and tried everything I can think of, but nothing has worked. The SonicWall NSA management web interface is also very unorganized; I'm probably missing something simple/obvious.
There are two networks, called Network A and Network B for simplicity, with two different subnets. A SonicWall NSA 220 is the router/firewall/DHCP server for Network A, which is plugged into the X2 port. Some other router is the router/firewall/DHCP server for Network B. Both of these networks need to be managed through a VPN connection. I set up the X3 interface on the SonicWall to have a static IP in the Network B subnet and plugged it in. Network A and Network B should not be able to access each other, which appears to be the default configuration. I then configured and enabled VPN.
The SonicWall currently has the X1 interface set up with a subnet of 192.168.1.0/24 with a DHCP server enabled, although it is not plugged in. When I VPN into the SonicWall, I get an IP address supplied by the DHCP server on the X1 interface and I can access Network A remotely, although I do not have access to Network B.
How can I allow access to both Network A and Network B to VPN clients while keeping devices on Network B from accessing Network A and vice versa? Is there some way to create a VPN-only subnet (something like 10.100.0.0/24) on the SonicWall that can access Network A and Network B without changing the current network configuration or allowing devices on both networks to "see" each other? How would I go about setting this up?
Diagram of the network (hopefully this kind of helps):

          WAN1  WAN2
            |     |
    [ SonicWall NSA 220 ]-(X3)-----------------[ Router 2 ]
              |                                     |
            (X2)                                    |
       192.168.2.0/24                          10.1.1.0/24

Any help would be greatly appreciated!
- SpacemanSpiff, over 11 years ago: Is router 2 just a router, or is it also a stateful firewall?
- Rain, over 11 years ago: Router 2 is a stateful firewall, although this shouldn't matter. If I SSH into the SonicWall, I can ping devices on Network B. The X3 port on the SonicWall is actually plugged into a switch that Router 2 is also connected to.
- SpacemanSpiff, over 11 years ago: Sure, that's because the Sonicwall has an interface directly in the 2.0/24 network that you can get a direct ARP response from. I'm trying to figure out how to use a dedicated subnet on the Sonicwall just for GlobalVPN clients... you will need to add a static route onto RT2 for that subnet, I just don't see how to create it just yet. I think a new zone, with a loopback interface in that zone, would do it.
- SpacemanSpiff, over 11 years ago: I wish I could fully prove this out for you, but I'm fairly certain the answer to your problem will be under the "DHCP over VPN" configuration section under VPN.
- Rain, over 11 years ago: I've tried every permutation of settings in the "DHCP over VPN" section. I find it interesting that there is a VPN zone pre-configured, but it simply shares the LAN subnet (on X1, in this case). Network A is currently accessible, although Network B and even the X3 interface IP are not.
- SpacemanSpiff, over 11 years ago: Yes, you'd need to add network B as a network object and then give the user's group access to it. Still a little unclear here... might be worth a ticket to SonicWall.