Route Sonicwall TZ215 to Draytek 2860 LAN via Draytek WAN

Posted on 2014-07-25
Last Modified: 2014-07-29
I have a network on 192.168.1.x consisting of a Windows DHCP server, various client devices and going out via a Sonicwall TZ215.
I am installing a VOIP system which I am putting behind a Draytek 2860n doing DHCP on LAN 192.168.2.x.
The Draytek will have its own broadband connection shortly to WAN1 but in the meantime I am setting its WAN2 port to use the existing broadband on the 1.x network. It will get a DHCP address of This will remain in place when WAN1's broadband comes active both as a failover but also because I want to link it to the LAN objects within 1.x. I want the client PCs in 1.x to be able to access the IP phones in 2.x.
It would be much easier to put everything on the one subnet but I don't want the phones to be reliant on the Windows server in any way. Nor do I want to assign the phones static IP's.

I have not done this before and am not sure what settings I need in which router to allow 1.x to bridge over to 2.x given that the Draytek will be doing NAT behind WAN2 by default. I am not sure if I need to configure a static route, IP routed subnet, or load balance policy in the Draytek. Or perhaps a VPN. Any guidance would be appreciated.
Question by:smickell
LVL 29

Accepted Solution

masnrock earned 400 total points
ID: 40221428
I'd tell you that you're spending unnecessary money. You could have the Sonicwall do all of the work. It can have both WAN connections and have both LANs defined on it. You could have DHCP for the VOIP LAN be handled by the Sonicwall as well. Basically, the Draytek is completely unneeded for this scenario.
LVL 14

Expert Comment

ID: 40221522
masnrock has made a valid point. Unless there's a specific need for the Draytek that we are unaware of, you might want to consider modifying your setup.
LVL 32

Assisted Solution

nappy_d earned 100 total points
ID: 40221537
Hi, I agree with masnrock. Here is a design I have implemented for a few of my clients that I manage with Sonicwall devices.

This will ease your troubleshooting in the future.
NetWork Design1
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40221596
I agree about the Sonicwall doing everything, but just for fun you can totally use the Draytek like you want.

The way you described, the 2.x computers will be able to access the 1.x subnet without doing anything.
If you want 1.x computers to access 2.x, in the Sonicwall:
Make an address object for the Draytek 1.254
Add a route for the 2.x subnet to use the 1.254 address object as the gateway

Then you just have to allow this upstream connection in the Draytek. I don't use Draytek so I can't tell you exactly how to do this but I've set this up with other routers for various reasons with success.
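
The effect of the route described in the comment above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a model of the Sonicwall routing table, before and after adding the 2.x route via 1.254. The /24 masks, the full 192.168.1.254 address and the "ISP" default-gateway label are assumptions; X0 (LAN) and X1 (WAN) follow the asker's own description of the Sonicwall ports.

```python
import ipaddress

# Constructed addressing: the thread gives only 192.168.1.x, 192.168.2.x and
# "1.254" for the Draytek. The /24 masks and the "ISP" label are assumptions.
LAN_1X = ipaddress.ip_network("192.168.1.0/24")
VOIP_2X = ipaddress.ip_network("192.168.2.0/24")
DRAYTEK_WAN2 = ipaddress.ip_address("192.168.1.254")


def base_routes():
    """Sonicwall table before the change: connected LAN plus default route."""
    return [
        {"dest": LAN_1X, "gateway": None, "iface": "X0"},  # directly connected
        {"dest": ipaddress.ip_network("0.0.0.0/0"), "gateway": "ISP", "iface": "X1"},
    ]


def add_static_route(routes, dest, gateway, iface):
    """Return a new table with the route added; the gateway must be on-link."""
    on_link = any(r["gateway"] is None and gateway in r["dest"] for r in routes)
    if not on_link:
        raise ValueError(f"gateway {gateway} is not on any connected subnet")
    return routes + [{"dest": dest, "gateway": gateway, "iface": iface}]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["dest"]]
    return max(matches, key=lambda r: r["dest"].prefixlen)


def next_hop(routes, dst):
    """Return (egress interface, next hop) for a destination address."""
    route = lookup(routes, dst)
    gw = route["gateway"]
    return (route["iface"], "on-link" if gw is None else str(gw))


if __name__ == "__main__":
    before = base_routes()
    after = add_static_route(before, VOIP_2X, DRAYTEK_WAN2, "X0")
    phone = "192.168.2.50"  # constructed phone address behind the Draytek
    # Without the route, traffic for the phone follows the default route to the WAN.
    print("before:", next_hop(before, phone))
    # With it, the /24 is more specific than 0.0.0.0/0 and wins.
    print("after: ", next_hop(after, phone))
```

The lookup only covers the forward path from the Sonicwall; the Draytek still has to accept the inbound connection on WAN2, as the comment notes.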
LVL 29

Expert Comment

ID: 40221801
nappy_d raised another valid point. Were you planning to do VLANs on your switch or were you planning to get a separate switch?

Author Comment

ID: 40222589
Lots of useful points here. First up, I will ditch the Draytek - less kit to worry about. Part of the reason was my greater familiarity with the Draytek, but also because I didn't realise the Sonicwall was able to do what masnrock indicated. At present Sonicwall X0 is LAN, Sonicwall X1 is WAN, the rest are unassigned. So what I will do is configure X2 as a failover WAN, plugged straight into a fibre modem; configure X3 as a DHCP server for 2.x zone and plug the new VOIP network switch into that.

I'm happy enough with configuring X2 as another WAN and configuring load balancing.

To make the Sonicwall perform DHCP on just port X3 - I'm not sure of the exact steps. At present X3-6 are mapped as a Portshield interface to X0 - I assume I take X3 out of this first? Then Interfaces > X3 - choose LAN, Static IP mode, give it an IP of and tick HTTP management options.
Then DHCP >  enable DHCP server, delete the two lease scopes currently there (must have been there by default or left as legacy by old IT provider), add Dynamic scope, tick 'interface pre-populate' and choose X3?

I assume it's possible for the Sonicwall to route between 1.x and 2.x then, but again, what are the exact steps involved? Will the device just allow this by default or do I need to add a route of some kind?

masnrock - I have a separate switch planned for the VOIP system. There is a HP 1910-24G-PoE ready to install. At present the IT network runs off a HP 1410-24G (unmanaged). Am I correct in saying that this would eliminate the need for VLANS if the switches will be operating on different subnets? (The 1920 is VLAN/QoS capable though)
Sorry for the repeated questions but the above is slightly unfamiliar territory for me.

Author Comment

ID: 40222616
Just showing screenshots of the steps above. It all looks OK to me but just wanting to make sure. When I added a new zone (called 'VOIP LAN') and assigned it to X3, it auto-added the access rule seen in screenshot 2. Not on-site yet to test if the rule allows access across yet.
LVL 29

Expert Comment

ID: 40222622
It's really not too bad. You go within the DHCP server, and make sure to enable ONLY the DHCP range for the subnet of your VOIP LAN.

Yes, take X3 out of the Portshield group to X0. Correct again about the steps to make X3 a LAN port. The Sonicwall will automatically create a lease scope for DHCP. (Occasionally it may not, but that is easy to define if you need to.) Just make sure to 1) enable the DHCP server, and 2) enable the scope that reflects 2.x (leave 1.x unchecked unless you want to have the Sonicwall start to handle DHCP for the 1.x LAN as well). I don't know what the lease scopes listed are, but you can delete them if you know for sure that they are useless. Disabling them won't hurt anything; that way you can just re-enable if for some reason something happens.

Sonicwalls will generally allow routing between the subnets by default. But if you look within the Firewall rules, it will be a LAN > LAN rule if you ever need to review.

If you are going to use a separate switch for the VOIP network, there is no need for VLANs. That is absolutely correct.

You pretty much have the right idea of what to do.
LVL 29

Expert Comment

ID: 40222624
Are the two LANs going to use the same connection always? Or will VOIP be using the new connection that is coming in? No right or wrong answer, just depends on you.
LVL 32

Expert Comment

ID: 40222649
Also, I would not route all traffic but rather only the traffic for VoIP to x3

Author Comment

ID: 40222819
masnrock - the two LANs are going to use the same connection - there's more than enough bandwidth. Once the new connection is up, I might look into routing VOIP traffic exclusively via WAN x3, which I guess will be a separate question on EE :)  nappy_d - I assume that is what you mean. If that WAN drops, set the devices to use WAN x1. Similarly, if the I.T. network's WAN x1 drops, the Sonicwall should fail over to WAN x3. Is this achievable? This is my final question on this topic, you guys have earned your keep by this stage.
LVL 29

Expert Comment

ID: 40222838
The short answer is yes, this is achievable. And rather than type out a whole long thing, here's a link that gives you the steps: Sonicwall Failover Directions

Basic Active/Passive Failover is what is applicable in your case.

Author Closing Comment

ID: 40227722
Worked a treat guys. Plugged the new switch into port X3, 2.x addresses came up just as I wanted, so I must've got the settings correct. The auto-added access rule allowed routing from 1.x to 2.x just as masnrock said it would. Very happy - thanks for everybody's input.

Question has a verified solution.
