• Status: Solved

Sonicwall is connected to two separate LANs, but DHCP will only assign IP addresses from one of those LANs to VPN clients

I have a Sonicwall 3060 connected to two separate LANs (each LAN being a different company). These two companies are sharing the Sonicwall and the T1 internet connection. Company 1 is connected to the X0 interface, Company 2 is connected to the X2 interface, and the internet is on the X1 interface. These two companies and their users must be isolated from each other, as Company 2 is a health care company and governed by HIPAA privacy rules.

The problem is when users connect to their respective LANs via the VPN client, they are only getting assigned an IP address from Company 1.  First I tried using the Sonicwall as a DHCP server, then using a Windows DHCP server on each LAN.  I got the same results both ways.

How can I set it up so that users from Company 1 will get an IP address for their LAN (192.168.1.x) and users from Company 2 will get one from their IP range (192.168.2.x) when they connect using the Global VPN Client?

1 Solution
zephyr_hex (Megan), Developer, commented:
Since you have only 1 internet connection, how does the Sonicwall know which company to forward an incoming connection to? You only have 1 external IP. A remote user will use that external IP when they specify where they are connecting to... but I don't see how you will specify which company that incoming connection belongs to.
I believe you need 2 static IP addresses. Your Sonicwall will then know which incoming connection belongs to which company (one static IP per company). You will have to configure a Global VPN Client for each static IP.
mtkaiser (Author) commented:
There are two different groups of VPN clients (Company 1 Group and Company 2 Group).  Each group is only allowed to connect to their own LANs.  That rule is working, however, when people from Company 2 connect to their LAN, they are being assigned an IP address from the Company 1 LAN.
Keith Alabaster commented:
The point zephyr is making is that there has to be a 'distinguisher' between the two VPN groups on the outside, not just on the inside. When a VPN call comes in from the outside, the Sonic needs to know at that point which group the user belongs to so it can take the appropriate action. In your case, that is to assign an address from the correct DHCP pool.

Cisco VPN concentrators, for example, have a group setting where you can put source IP addresses/users etc. into so that it can assign the correct addresses as required. I believe that Sonic can do the same but by using different external IPs.

For example, if you had two external IP addresses assigned to the external interface of your Sonic, you can take one set of actions for that group and a different set of actions for Company 2, as they will have called the VPN on the second IP address.

Another alternative would be to have a second Internet connection & firewall so each would be kept separate.

Only other solution I can think of is something like Cisco's Access Control Server (ACS) where you put the users into groups that the external device can check as connections are made so as to know, in advance, the decisions it needs to make such as which DHCP server and the like.

Sorry it likely does not serve your needs but that is the way it works.
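As an added illustration that is not part of this thread, a small Python audit over VPN lease records showing the isolation check Keith's answer implies: each client's assigned address must fall inside its own company's pool, and with two external IPs the address the tunnel hit (the 'distinguisher') must agree with the user's group. The log line format, the 203.0.113.x endpoint addresses and the group names are constructed assumptions, not SonicWall's real log format.

```python
import ipaddress
import re

# Constructed assumptions: the pool each VPN group must draw from, and the
# external (public) address each group's tunnel terminates on. The public
# addresses are documentation-range placeholders, not the asker's real ones.
GROUP_POOLS = {
    "Company1": ipaddress.ip_network("192.168.1.0/24"),
    "Company2": ipaddress.ip_network("192.168.2.0/24"),
}
TUNNEL_ENDPOINT_TO_GROUP = {
    "203.0.113.10": "Company1",
    "203.0.113.11": "Company2",
}

# Constructed lease-style log lines in a simplified, made-up format:
# "<user> group=<group> peer_dst=<external IP hit> assigned=<client IP>"
SAMPLE_LOG = """\
alice group=Company1 peer_dst=203.0.113.10 assigned=192.168.1.50
bob group=Company2 peer_dst=203.0.113.11 assigned=192.168.1.51
carol group=Company2 peer_dst=203.0.113.11 assigned=192.168.2.20
dave group=Company1 peer_dst=203.0.113.11 assigned=192.168.1.60
"""

LINE_RE = re.compile(r"(\S+) group=(\S+) peer_dst=(\S+) assigned=(\S+)")


def expected_pool(group, peer_dst):
    """Pool the client should land in, or None when the external address the
    tunnel hit names a different group than the user's own (untrusted lease)."""
    by_endpoint = TUNNEL_ENDPOINT_TO_GROUP.get(peer_dst)
    if by_endpoint is not None and by_endpoint != group:
        return None
    return GROUP_POOLS[group]


def audit(log_text):
    """Return (user, group, assigned_ip, reason) for each lease that crosses
    the company boundary, i.e. the HIPAA isolation failure the asker saw."""
    findings = []
    for m in LINE_RE.finditer(log_text):
        user, group, peer_dst, assigned = m.groups()
        pool = expected_pool(group, peer_dst)
        ip = ipaddress.ip_address(assigned)
        if pool is None:
            findings.append((user, group, assigned, "endpoint/group mismatch"))
        elif ip not in pool:
            findings.append((user, group, assigned, f"outside {pool}"))
    return findings
```

Running `audit(SAMPLE_LOG)` flags bob (a Company 2 user handed a 192.168.1.x address, exactly the symptom in the question) and dave (tunnel hit Company 2's external IP while claiming Company 1's group).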

Keith Alabaster commented:
Oh well, you're welcome anyway.