Best way to attach branch office SonicPoint to a main office SonicWall NSA connected via dedicated ethernet

CraftySpaz
Hello World!

We have a SonicWall NSA 220 with an existing SonicPoint N wireless access point in the main (HQ) office and want to add a SonicPoint N2 to branch office.  The branch office is connected to the HQ NSA via Comcast dedicated Ethernet line (EDL).  The network consists of a single subnet with no site-to-site VPN or anything like that, it's flat.  The EDL is a dedicated connection through provider equipment that provides a seamless network between locations.  Because we are installing the SonicPoint N2 at the branch office we cannot connect it physically to the NSA WLAN port (X6) so we need help with an alternate way to connect the N2 to the NSA.  As it stands the N2 exists on the LAN (X0).  X0 and X6 are currently bridged to allow LAN access wirelessly via the HQ WAP.  What is the best method to add the remote SP N2 to the mix?
nappy_d
There are a 1000 ways to skin the technology cat.

Commented:
You should set up a site-to-site VPN with your two SonicWalls. Once you have this, you should then be able to communicate with and manage the SonicPoint N2 device.

I do not recommend opening and forwarding ports to get to this device across the internet.

Author

Commented:
Sorry if I wasn't clear, but there are not two SonicWall firewalls. Just the one at the main office. The network is flat between the locations, same subnet (10.0.X.X across the board). This is a result of the EDL connection between locations. The bridge is transparent to us.
nappy_d
There are a 1000 ways to skin the technology cat.

Commented:
Have you reviewed this SonicWall article?

I think that since you have a connected site-to-site EDL connection, this may help you.

https://support.software.dell.com/fr-ca/kb/sw11970

Author

Commented:
That article does not really apply since it regards site-to-site VPN. However, this one, https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272, is closer, but we still have a problem. We are already bridging the WLAN zone (X6) to the LAN zone (X0) so that wireless devices have LAN resource access, so we cannot create another bridge as instructed in the article. If we did not already have X6 bridged to X0 then I believe the article would address the issue. Unfortunately ours is a variation on the scenario described in the article which does not allow us to configure the solution as recommended.
Blue Street Tech
Last Knight
Distinguished Expert 2018

Commented:
Hi CraftySpaz,

I'd recommend breaking the existing Bridge... it's not needed in order for the WLAN to access resources on the LAN. It's a far better security best practice to have separate Zones for the WLAN and LAN traffic. This way you can completely control access to your resources. Wireless traffic should also be separated to differentiate guest, mobile (tablets/smartphones) and laptop traffic, but that is for another discussion. The traffic from the wireless network (WLAN) to the wired network (LAN and, for that matter, the DMZ) is blocked by default, so simply change the Action from Deny/Discard to Allow on the applicable Access Rules (WLAN > LAN and LAN > WLAN).

To make these changes:
1. Login to the SonicWALL, go to Firewall > Access Rules
2. Select Matrix Style Viewing and select WLAN > LAN.
3. Once finished click OK and follow the same steps for the LAN > WLAN.

Try to ping a device on the LAN side from a wireless computer and you will be able to get a reply.

Then you can follow this article https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272 to resolve the issue.

Let me know if you have any questions!

Author

Commented:
An internal DHCP server is handling addresses on the LAN and bridged WLAN. If we reconfigure the way you describe, is that method still applicable? Typically in an unbridged setup the SonicWall has to hand out the WLAN addresses. We could split up the subnet if needed, I reckon, provided that unbridging the WLAN and LAN would allow us to bridge the WLAN tunnel from the WAP.
well, I think you can if you get more equipment...
Blue Street Tech
Last Knight
Distinguished Expert 2018
Commented:
Is Windows handling your LAN DHCP?

Regardless, Windows or whatever is currently handling your LAN DHCP can also fully handle your WLAN DHCP role too. You just need to create another scope on the other DHCP server and then forward the DHCP traffic in the SonicWALL via IP Helper DHCP Relay.

Make sense?
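The DHCP relay mechanism referred to above, shown as an added example (not code from this thread, SonicWall or Microsoft): a relay agent stamps the address of the interface it received the request on into the `giaddr` field, and the DHCP server uses that address to choose which scope to lease from (RFC 2131 section 4.3.1), which is why one Windows DHCP server can serve a second subnet it is not directly attached to. The scope table and the 10.0.2.0/24 and 10.0.3.0/24 networks below are constructed for the example; the thread's actual relay-side settings (including the author's later finding that the SonicWall's own DHCP server must be off for IP Helper to work) are not modelled here.

```python
"""Toy DHCP relay (IP helper) and server-side scope selection.

Added example; not code from the thread, SonicWall or Microsoft.
Builds a constructed DHCPDISCOVER, relays it the way a DHCP relay agent
does (RFC 1542: write giaddr only if it is still 0.0.0.0, increment hops,
drop over-relayed packets), then shows how a server picks a scope from
giaddr (RFC 2131 section 4.3.1). Scopes and addresses are constructed.
"""
import ipaddress
import struct
from typing import Optional

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MAX_HOPS = 16  # RFC 1542 section 4.1.1: relays discard requests above this

# Constructed scope table standing in for the Windows DHCP scopes in the
# thread (one scope per subnet a relay can present in giaddr).
SCOPES = {
    "LAN": ipaddress.ip_network("10.0.2.0/24"),
    "WLAN-branch": ipaddress.ip_network("10.0.3.0/24"),
}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Build a minimal client DHCPDISCOVER (giaddr and hops both zero)."""
    zero4 = b"\x00" * 4
    header = struct.pack(
        BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,  # BOOTREQUEST, Ethernet, broadcast flag
        zero4, zero4, zero4, zero4, mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([53, 1, 1, 255])  # option 53 = message type 1 (DISCOVER), then end
    return header + MAGIC_COOKIE + options


def parse_header(packet: bytes) -> dict:
    """Return the header fields a relay or server needs to look at."""
    f = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    return {
        "op": f[0],
        "hops": f[3],
        "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][: f[2]].hex(":"),
    }


def relay(packet: bytes, relay_if_ip: str) -> Optional[bytes]:
    """Forward as an IP helper would: stamp giaddr if unset, bump hops."""
    f = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if f[3] >= MAX_HOPS:
        return None  # too many relays in the path; drop it
    if f[10] == b"\x00" * 4:
        # Only the first relay writes giaddr; later relays leave it alone so the
        # server still sees the subnet the client actually lives on.
        f[10] = ipaddress.IPv4Address(relay_if_ip).packed
    f[3] += 1
    return struct.pack(BOOTP_FMT, *f) + packet[BOOTP_LEN:]


def select_scope(packet: bytes, scopes: dict = SCOPES) -> Optional[str]:
    """Pick the scope the way a server does: by giaddr, or locally if unset."""
    giaddr = ipaddress.IPv4Address(parse_header(packet)["giaddr"])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return "local"  # directly attached client: scope of the receiving interface
    for name, network in scopes.items():
        if giaddr in network:
            return name
    return None  # no scope for that subnet: server stays silent, client gets no lease


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234)
    relayed = relay(discover, "10.0.3.1")  # WLAN-side interface address of the relay
    print(parse_header(relayed), "->", select_scope(relayed))
```

The `None` return from `select_scope` is the failure mode to watch for when adding a relayed subnet: if no scope covers the relay interface address, the server simply never answers and clients on that subnet time out with no error on the firewall side.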

Author

Commented:
DiverseIT, that does make sense and in fact we have gone down that road already. Windows DHCP is handling two subnets: LAN (X0) 10.02.X and WLAN (X6) 10.03.X. One problem we found is that in order for the IP Helper on the SonicWall to function, its DHCP server must be disabled. This conflicts with the setup as described in https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272, which instructs in Part 1 to ensure that the SonicWall has DHCP enabled for the LAN and WLAN zones. Might there be a way to use the WLAN tunnel interface feature without the SonicWall DHCP server?
Blue Street Tech
Last Knight
Distinguished Expert 2018

Commented:
Have you tried it? I'm thinking the article was written with the assumption that another DHCP server is not present, so for the integrity of the article they mention DHCP must be enabled. It's worth a shot.
Blue Street Tech
Last Knight
Distinguished Expert 2018

Commented:
Any update on this?

Author

Commented:
We have achieved the desired state and I will try to post a summary of the solution shortly.
Blue Street Tech
Last Knight
Distinguished Expert 2018

Commented:
Awesome!

Author

Commented:
So we ended up with a configuration that works for this scenario. We have a SonicPoint at the main office wired to X6 on the SonicWall NSA and we have another SonicPoint across town at the branch office simply connected to the LAN (X0). In order to make this work we had to use a WLAN tunnel to bridge X0 to X6 for the SonicPoint connected only to the LAN, and also bridge X6 to X0 for wireless LAN access when connected wirelessly at the main office. See the Network Interface screenshot below:

Other considerations and adjustments were also made, including:
• Removing PortShield from the NSA network interface, because while it is enabled you cannot utilize more than one instance of bridging
• Adding a new DHCP scope to the Windows server to handle wireless tunnel traffic from the branch office over the LAN (10.0.3.X). This scope is specifically for wireless clients at the branch office.
• Enabling IP Helper on the SonicWall NSA for relay protocols & policies: DHCP, NetBIOS, DNS, and Time

[Screenshot: SonicWall NSA Network Interface Settings]

Author

Commented:
Performs as desired
Blue Street Tech
Last Knight
Distinguished Expert 2018

Commented:
Thanks for the points. I'm glad I could help!
