Link to home
Avatar of CraftySpaz

asked on

Best way to attach branch office SonicPoint to a main office SonicWall NSA connected via dedicated ethernet

Hello World!

We have a SonicWall NSA 220 with an existing SonicPoint N wireless access point in the main (HQ) office and want to add a SonicPoint N2 to branch office.  The branch office is connected to the HQ NSA via Comcast dedicated Ethernet line (EDL).  The network consists of a single subnet with no site-to-site VPN or anything like that, it's flat.  The EDL is a dedicated connection through provider equipment that provides a seamless network between locations.  Because we are installing the SonicPoint N2 at the branch office we cannot connect it physically to the NSA WLAN port (X6) so we need help with an alternate way to connect the N2 to the NSA.  As it stands the N2 exists on the LAN (X0).  X0 and X6 are currently bridged to allow LAN access wirelessly via the HQ WAP.  What is the best method to add the remote SP N2 to the mix?
Avatar of Irwin W.
Irwin W.
Flag of Canada image

You should setup a site to site VPN with your two sonicwalls. Once you have this, you should then be able to communicate and manage the sonic point n2 device.

I do not recommend opening and forwarding powers to get to this device across the internet.
Avatar of CraftySpaz


Sorry if I wasn't clear but there are not two sonicwall firewalls.   Just the one at the main office.  The network is flat between the locations, same subnet (10.0.X.X across the board).  This is a result of the EDL connection between locations.  The bridge is transparent to us.
Have you reviewed this sonicwalls article?  

I think that since you have a connected sites to site EDL connection. This may help you.
That article does not really apply since it regards site-to-site VPN.  However this one, is closer but we still have a problem.  We are already bridging WLAN zone (X6) to LAN Zone (X0) so that wireless devices have LAN resource access so we cannot create another bridge as instructed in the article.  If we did not already have X6 bridged to X0 then I believe the article would address the issue.  Unfortunately ours is a variation on the scenario described in the article which does not allow us to configure the solution as recommended.
Hi CraftySpaz,

I'd recommend breaking the existing's not needed in order for the WLAN to access resources on the LAN. It's a far better security best practice to have separate Zones for the WLAN and LAN traffic. This way you can completely control access to your resources. Wireless traffic should be allocated as well to differentiate, guest, mobile (tablets/smartphones) and laptops, ...but that is for another discussion. The traffic from the wireless network (WLAN) to the wired network (LAN and for that matter the DMZ) is blocked by default so simply change the Action from Deny/Discard to Allow on the applicable Access Rules (WLAN > LAN and LAN > WLAN).

To make these changes:
1. Login to the SonicWALL, go to Firewall > Access Rules
2. Select Matrix Style Viewing and select WLAN > LAN.
3. Once finished click OK and follow the same steps for the LAN > WLAN.

Try to ping a device on the LAN side from a wireless computer and you will be able to get a reply.

Then you can follow this article to resolve the issue.

Let me know if you have any questions!
An internal DHCP server is handling addresses on the LAN and bridged WLAN.  If  we reconfigure the way you describe is that method still applicable?  Typically in an unbridged setup the SonicWall has to hand on the WLAN addressed.  We could split up the subnet if needed I reckon provided that unbridging the WLAN and LAN would allow us to bridge the WLAN tunnel from the WAP.
well, I think you can if you get more equipment...
Avatar of Blue Street Tech
Blue Street Tech
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
DiverseIT,  that does make sense and if fact we have gone down that road already.  Windows DHCP is handling two subnets: LAN (X0) 10.02.X and WLAN (X6) 10.03.X.  One problem we found is that in order for the IP Helper on the SonicWall to function it's DHCP server must be disabled.  This conflicts with the setup as described in which instructs in Part 1 to ensure that the SonicWall has DHCP enabled for LAN and WLAN zones.  Might there be a way to use the WLAN tunnel interface feature without SonicWall DHCP server?
Have you tried it? I'm thinking the article was written with the assumption that another DHCP is not present so for the integrity of the article they mention DHCP must be enabled. It's worth a shot.
Any update on this?
We have achieved the desired state and I will try to post a summary of the solution shortly.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Performs as desired
Thanks for the points. I'm glad I could help!