Route Sonicwall TZ215 to Draytek 2860 LAN via Draytek WAN

I have a network on 192.168.1.x consisting of a Windows DHCP server, various client devices and going out via a Sonicwall TZ215.
I am installing a VOIP system which I am putting behind a Draytek 2860n doing DHCP on LAN 192.168.2.x.
The Draytek will have its own broadband connection shortly to WAN1 but in the meantime I am setting its WAN2 port to use the existing broadband on the 1.x network. It will get a DHCP address of This will remain in place when WAN1's broadband comes active both as a failover but also because I want to link it to the LAN objects within 1.x. I want the client PC's in 1x.  to be able to access the IP phones in 2.x.
It would be much easier to put everything on the one subnet but I don't want the phones to be reliant on the Windows server in any way. Nor do I want to assign the phones static IP's.

I have not done this before and am not sure what settings I need in which router to allow 1.x to bridge over to 2.x given that the Draytek will be doing NAT behind WAN2 by default. I am not sure if I need to configure a static route, IP routed subnet, or load balance policy in the Draytek. Or perhaps a VPN. Any guidance would be appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I'd tell you that you're spending unnecessary money. You could have the Sonicwall do all of the work. It can have both WAN connections and have both LANs defined on it. You could have DHCP for the VOIP LAN be handled by the Sonicwall as well. Basically, the Draytek is completely unneeded for this scenario.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
masnrock has made a valid point..  Unless there's a specific need for the Draytek that we are unaware of, you might want to consider modifying your setup
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Hi I agree with masnrock.  Here is a design I have implemented for a few of my clients that I manage with Sonicwall devices.

This will ease your troubleshooting in the future.
NetWork Design1
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Aaron TomoskySD-WAN SimplifiedCommented:
I agree about the sonicwall doing everything, but just for fun you can totally use the draytek like you want.

The way you described the 2.x computers will be able to access the 1.x subnet without doing anything.
If you want 1.x computers to access 2.x, In the sonicwall:
Make an address object for the draytek 1.254
Add a route for the 2.x subnet to use the 1.254 address object as the gateway

Then you just have to allow this upstream connection in the draytek. I don't use draytek so I can't tell you exactly how to do this but I've set this up with other routers for various reasons with success.
nappy_d raised another valid point. Were you planning to do VLANs on your switch or were you planning to get a separate switch?
smickellAuthor Commented:
Lots of useful points here. First up, I will ditch the Draytek - less kit to worry about. Part of the reason was my greater familiarity with the Draytek, but also because I didn't realise the Sonicwall was able to do what masnrock indicated. At present Sonicwall X0 is LAN, Sonicwall X1 is WAN, the rest are unassigned. So what I will do is configure X2 as a failover WAN, plugged straight into a fibre modem; configure X3 as a DHCP server for 2.x zone and plug the new VOIP network switch into that.

I'm happy enough with configuring X2 as another WAN and configuring load balancing.

To make the Sonicwall perform DHCP on just port X3 - I'm not sure of the exact steps. At present X3-6 are mapped as a Portshield interface to X0 - I assume I take X3 out of this first? Then Interfaces > X3 - choose LAN, Static IP mode, give it an IP of and tick HTTP management options.
Then DHCP >  enable DHCP server, delete the two lease scopes currently there (must have been there by default or left as legacy by old IT provider), add Dynamic scope, tick 'interface pre-populate' and choose X3?

I assume it's possible for the Sonicwall to route between 1.x and 2.x then, but again, what are the exact steps involved? Will the device just allow this by default or do I need to add a route of some kind?

masnrock - I have a separate switch planned for the VOIP system. There is a HP 1910-24G-PoE ready to install. At present the IT network runs off a HP 1410-24G (unmanaged). Am I correct in saying that this would eliminate the need for VLANS if the switches will be operating on different subnets? (The 1920 is VLAN/QoS capable though)
Sorry for the repeated questions but the above is slightly unfamiliar territory for me.
smickellAuthor Commented:
Just showing screenshots of the steps above. It all looks OK to me but just wanting to make sure. When I added a new zone (called 'VOIP LAN' and assigned it to X3, it auto-added the access rule seen in screenshot 2. Not on-site yet to test if the rule allows access across yet.
It's really not too bad, You go within the DHCP server, and make sure to enable ONLY the DHCP range for the subnet of your VOIP LAN.

Yes, take X3 out of the Portshield group to X0. Correct again about the steps to make X3 a LAN port. The Sonicwall will automatically create a lease scope for DHCP. (Occasaionally it may not, but that is easy to define if you need to.)  Just make sure to 1) enable the DHCP server, and 2) enable the scope that reflects 2.x (leave 1.x unchecked unless you want to have the Sonicwall start to handle DHCP for the 1.x LAN as well). I don't know what the lease scopes listed are, but you can delete them if you know for sure that they are useless. Disabling them won't hurt anything, that way you can just reenable if for some reason something happens.

Sonicwalls will generally allow routing between the subnets by default. But it you look within the Firewall rules, it will be a LAN > LAN rule if you ever need to review.

If you are going to use a separate switch for the VOIP network, there is no need for VLANs. That is absolutely correct.

You pretty much have the right idea of what to do.
Are the two LANs going to use the same connection always? Or will VOIP be using the new connection that is coming in? No right or wrong answer, just depends on you.
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Also, I would not route all traffic but rather only the traffic for VoIP to x3
smickellAuthor Commented:
masnrock - the two LANs are going to use the same connection - there's more than enough bandwidth. Once the new connection is up, I might look into routing VOIP traffic exclusively via WAN x3, which I guess will be a separate question on EE :)  nappy_d - I assume that is what you mean. If that WAN drops, set the devices to use WAN x1. Similarly, if the I.T. network's WAN x1 drops, the Sonicwall should fail over to WAN x3. Is this achievable? This is my final question on this topic, you guys have earned your keep by this stage.
The short answer is yes, this is achievable. ANd rather than type out a whole ong thing, here's a link that gives you the steps: Sonicwall Failover Directions

Basic Active/Passive Failover is what is applicable in your case.
smickellAuthor Commented:
Worked a treat guys. Plugged the new switch into port X3, 2.x addresses came up just as I wanted, so I must've got the settings correct. The auto-added access rule allowed routing from 1.x to 2.x just as masnrock said it would. Very happy - thanks for everybody's input.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Architecture

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.