Best way to attach branch office SonicPoint to a main office SonicWall NSA connected via dedicated ethernet

Hello World!

We have a SonicWall NSA 220 with an existing SonicPoint N wireless access point in the main (HQ) office and want to add a SonicPoint N2 to branch office.  The branch office is connected to the HQ NSA via Comcast dedicated Ethernet line (EDL).  The network consists of a single subnet with no site-to-site VPN or anything like that, it's flat.  The EDL is a dedicated connection through provider equipment that provides a seamless network between locations.  Because we are installing the SonicPoint N2 at the branch office we cannot connect it physically to the NSA WLAN port (X6) so we need help with an alternate way to connect the N2 to the NSA.  As it stands the N2 exists on the LAN (X0).  X0 and X6 are currently bridged to allow LAN access wirelessly via the HQ WAP.  What is the best method to add the remote SP N2 to the mix?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nappy_dThere are a 1000 ways to skin the technology cat.Commented:
You should setup a site to site VPN with your two sonicwalls. Once you have this, you should then be able to communicate and manage the sonic point n2 device.

I do not recommend opening and forwarding powers to get to this device across the internet.
CraftySpazAuthor Commented:
Sorry if I wasn't clear but there are not two sonicwall firewalls.   Just the one at the main office.  The network is flat between the locations, same subnet (10.0.X.X across the board).  This is a result of the EDL connection between locations.  The bridge is transparent to us.
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Have you reviewed this sonicwalls article?  

I think that since you have a connected sites to site EDL connection. This may help you.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

CraftySpazAuthor Commented:
That article does not really apply since it regards site-to-site VPN.  However this one, is closer but we still have a problem.  We are already bridging WLAN zone (X6) to LAN Zone (X0) so that wireless devices have LAN resource access so we cannot create another bridge as instructed in the article.  If we did not already have X6 bridged to X0 then I believe the article would address the issue.  Unfortunately ours is a variation on the scenario described in the article which does not allow us to configure the solution as recommended.
Blue Street TechLast KnightCommented:
Hi CraftySpaz,

I'd recommend breaking the existing's not needed in order for the WLAN to access resources on the LAN. It's a far better security best practice to have separate Zones for the WLAN and LAN traffic. This way you can completely control access to your resources. Wireless traffic should be allocated as well to differentiate, guest, mobile (tablets/smartphones) and laptops, ...but that is for another discussion. The traffic from the wireless network (WLAN) to the wired network (LAN and for that matter the DMZ) is blocked by default so simply change the Action from Deny/Discard to Allow on the applicable Access Rules (WLAN > LAN and LAN > WLAN).

To make these changes:
1. Login to the SonicWALL, go to Firewall > Access Rules
2. Select Matrix Style Viewing and select WLAN > LAN.
3. Once finished click OK and follow the same steps for the LAN > WLAN.

Try to ping a device on the LAN side from a wireless computer and you will be able to get a reply.

Then you can follow this article to resolve the issue.

Let me know if you have any questions!
CraftySpazAuthor Commented:
An internal DHCP server is handling addresses on the LAN and bridged WLAN.  If  we reconfigure the way you describe is that method still applicable?  Typically in an unbridged setup the SonicWall has to hand on the WLAN addressed.  We could split up the subnet if needed I reckon provided that unbridging the WLAN and LAN would allow us to bridge the WLAN tunnel from the WAP.
Peter WilsonITCommented:
well, I think you can if you get more equipment...
Blue Street TechLast KnightCommented:
Is Windows handling your LAN DHCP?

Regardless, Windows or whatever is currently handling your LAN DHCP can also fully handle your WLAN DHCP role too. You just need to create another scope in the other DHCP and then forward the DHCP traffic in the SonicWALL via IP Helper DHCP Relay.

Make sense?
CraftySpazAuthor Commented:
DiverseIT,  that does make sense and if fact we have gone down that road already.  Windows DHCP is handling two subnets: LAN (X0) 10.02.X and WLAN (X6) 10.03.X.  One problem we found is that in order for the IP Helper on the SonicWall to function it's DHCP server must be disabled.  This conflicts with the setup as described in which instructs in Part 1 to ensure that the SonicWall has DHCP enabled for LAN and WLAN zones.  Might there be a way to use the WLAN tunnel interface feature without SonicWall DHCP server?
Blue Street TechLast KnightCommented:
Have you tried it? I'm thinking the article was written with the assumption that another DHCP is not present so for the integrity of the article they mention DHCP must be enabled. It's worth a shot.
Blue Street TechLast KnightCommented:
Any update on this?
CraftySpazAuthor Commented:
We have achieved the desired state and I will try to post a summary of the solution shortly.
Blue Street TechLast KnightCommented:
CraftySpazAuthor Commented:
So we ended up with a configuration that works for this scenario.  We have a SonicPoint at the main office wired to X6 on the SonicWall NSA and we have another SonicPoint across town at the branch office simply connected to the LAN (X0).  In order to make this work we had to use a WLAN tunnel to bridge X0 to X6 for the SonicPoint connected only to the LAN and also bridge X6 to X0 for wireless LAN access when connected wirelessly at the main office.  See the Network Interface screen shot below:

Other considerations and adjustments that were also made, including:
•      Remove PortShield from NSA network interface because while enabled you cannot utilize more than one instance of bridging
•      Adding new DHCP scope to Windows server to handle wireless Tunnel traffic from branch office over LAN (10.0.3.X).  This scope is specifically for wireless clients at the branch office.
•      Enable IP Helper on the SonicWall NSA for relay protocols & policies:  DHCP, NetBIOS, DNS, and Time

 SonicWall NSA Network Interface Settings

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
CraftySpazAuthor Commented:
Performs as desired
Blue Street TechLast KnightCommented:
Thanks for the points. I'm glad I could help!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.