We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Adding a second router, keeping first for VPN only

Medium Priority
Last Modified: 2012-06-27
I have a Sonicwall TZ-170 and use it in NAT mode for internet access and VPN to connect remote offices. Since I'm reaching the limit for maximum users on the Sonicwall, I want to redirect the internet gateway to a new router while keeping the Sonicwall for VPN access only.

What's the best way to perform this setup?

P.S. New router will be PFSense based custom box.

Watch Question

you will want to set default route for all traffic to new box.
 then put static route for address range that need to go over VPN to old box.

example: your network is 192.168.1.x.   Remote network 192.168.2.x



The Sonicwall only receives VPN connections, it does not initiate them. Do I still need routes using this setup? The remote computers connect through VPN and then use RDP to local workstations.

Do I have to setup the Sonicwall in transparent (standard) mode or do I still use NAT ?

you do need to route.  the end point network need to route to vpn box.  otherwise, the traffic will come in from old box and attempt to go out on new box. result vpn tunnel establish but traffic is not pass between each other.


Sorry for the delay, just didn't have time for this problem lately.
So if I understand right:

Oldbox's IP =
Newbox's IP =

On newbox I have to create a route for EACH of my remote networks using VPN
No route creation needed on oldbox
Newbox is now used as gateway for all workstations

Since newbox is now the internet exposed device, how do I redirect VPN traffic to oldbox? Do I forward specific ports?
you need to set route statement in newbox to tell where traffic should go next.  by default all traffic will forward to wan side of the new box. but for VPN you have to tell them to go to old box next.
in pfsense
click system --> static route
click +
interface = lan
network = (or what ever your other endpoint is)
gateway =

you have to do this on every one of VPN connection you have.
no need to change anything at old box

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


OK I get the idea, can't test now but the concept is very clear. I tought there would be a simpler solution but I'll create the routes one by one as I was trying to avoid :-) Thanks.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.