CraftySpaz asked:

Best way to attach branch office SonicPoint to a main office SonicWall NSA connected via dedicated ethernet

Hello World!

We have a SonicWall NSA 220 with an existing SonicPoint N wireless access point in the main (HQ) office and want to add a SonicPoint N2 to the branch office. The branch office is connected to the HQ NSA via a Comcast dedicated Ethernet line (EDL). The network consists of a single subnet with no site-to-site VPN or anything like that; it's flat. The EDL is a dedicated connection through provider equipment that provides a seamless network between locations. Because we are installing the SonicPoint N2 at the branch office we cannot connect it physically to the NSA WLAN port (X6), so we need help with an alternate way to connect the N2 to the NSA. As it stands the N2 exists on the LAN (X0). X0 and X6 are currently bridged to allow LAN access wirelessly via the HQ WAP. What is the best method to add the remote SP N2 to the mix?
Tags: Hardware Firewalls, Wireless Networking, Network Architecture, Routers, Wireless Hardware


8/22/2022 - Mon
Irwin W.

You should set up a site-to-site VPN with your two SonicWalls. Once you have this, you should then be able to communicate with and manage the SonicPoint N2 device.

I do not recommend opening and forwarding ports to get to this device across the internet.
CraftySpaz

ASKER
Sorry if I wasn't clear, but there are not two SonicWall firewalls. Just the one at the main office. The network is flat between the locations, same subnet (10.0.X.X across the board). This is a result of the EDL connection between locations. The bridge is transparent to us.
Irwin W.

Have you reviewed this SonicWall article?

I think that since you have a connected site-to-site EDL connection, this may help you.

https://support.software.dell.com/fr-ca/kb/sw11970
CraftySpaz

ASKER
That article does not really apply since it regards site-to-site VPN. However, this one, https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272, is closer, but we still have a problem. We are already bridging the WLAN zone (X6) to the LAN zone (X0) so that wireless devices have LAN resource access, so we cannot create another bridge as instructed in the article. If we did not already have X6 bridged to X0 then I believe the article would address the issue. Unfortunately ours is a variation on the scenario described in the article which does not allow us to configure the solution as recommended.
Blue Street Tech

Hi CraftySpaz,

I'd recommend breaking the existing bridge...it's not needed in order for the WLAN to access resources on the LAN. It's a far better security best practice to have separate zones for the WLAN and LAN traffic. This way you can completely control access to your resources. Wireless traffic should be allocated as well to differentiate guest, mobile (tablets/smartphones) and laptops, ...but that is for another discussion. The traffic from the wireless network (WLAN) to the wired network (LAN and, for that matter, the DMZ) is blocked by default, so simply change the Action from Deny/Discard to Allow on the applicable Access Rules (WLAN > LAN and LAN > WLAN).

To make these changes:
1. Login to the SonicWALL, go to Firewall > Access Rules
2. Select Matrix Style Viewing and select WLAN > LAN.
3. Once finished click OK and follow the same steps for the LAN > WLAN.

Try to ping a device on the LAN side from a wireless computer and you will be able to get a reply.

Then you can follow this article https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272 to resolve the issue.

Let me know if you have any questions!
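To make the zone argument above concrete, here is a small model of what separate zones plus explicit access rules buy you compared with a layer-2 bridge. This is an added example for this thread, not SonicWall code and not anything Blue Street Tech posted: the zone table, the subnets (10.0.2.0/24 for LAN, 10.0.3.0/24 for WLAN, 10.0.4.0/24 for a GUEST zone) and the `ZonePolicy` class are all constructed here to illustrate the default-deny matrix and the two Allow rules the reply describes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed zone-to-subnet mapping (assumption for this example, not taken
# from the thread). LAN and WLAN stand in for X0 and X6; GUEST is an extra zone
# added to show that the Allow rules do not leak to zones they do not name.
ZONE_SUBNETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "LAN": [ipaddress.ip_network("10.0.2.0/24")],
    "WLAN": [ipaddress.ip_network("10.0.3.0/24")],
    "GUEST": [ipaddress.ip_network("10.0.4.0/24")],
}


def zone_of(ip: str) -> Optional[str]:
    """Classify an address into a zone by subnet membership, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_SUBNETS.items():
        if any(addr in net for net in nets):
            return zone
    return None


class ZonePolicy:
    """Inter-zone access matrix where the implicit default is deny.

    Models the behaviour the reply relies on: traffic between different zones
    is dropped unless an explicit Allow rule exists for that (src, dst) pair.
    """

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], str] = {}

    def set_rule(self, src_zone: str, dst_zone: str, action: str) -> None:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.rules[(src_zone, dst_zone)] = action

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is None or dst is None:
            return "deny"  # address in no known zone: fail closed
        if src == dst:
            return "allow"  # intra-zone traffic is switched, not filtered here
        return self.rules.get((src, dst), "deny")


def build_policy() -> ZonePolicy:
    """The two rule changes from the reply: WLAN > LAN and LAN > WLAN set to Allow."""
    policy = ZonePolicy()
    policy.set_rule("WLAN", "LAN", "allow")
    policy.set_rule("LAN", "WLAN", "allow")
    return policy


if __name__ == "__main__":
    before, after = ZonePolicy(), build_policy()
    for src, dst, label in [
        ("10.0.3.50", "10.0.2.10", "WLAN laptop -> LAN server"),
        ("10.0.2.10", "10.0.3.50", "LAN server -> WLAN laptop"),
        ("10.0.4.7", "10.0.2.10", "GUEST device -> LAN server"),
    ]:
        print(f"{label}: default={before.evaluate(src, dst)} "
              f"after rules={after.evaluate(src, dst)}")
```

The point of the model is the last case: with a bridge, every wireless client is simply on the LAN; with zones, the GUEST subnet stays denied even after the WLAN and LAN rules are opened, because nothing names it. Running the file prints the before/after decision for each pair.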
CraftySpaz

ASKER
An internal DHCP server is handling addresses on the LAN and bridged WLAN. If we reconfigure the way you describe, is that method still applicable? Typically in an unbridged setup the SonicWall has to hand out the WLAN addresses. We could split up the subnet if needed, I reckon, provided that unbridging the WLAN and LAN would allow us to bridge the WLAN tunnel from the WAP.
Peter Wilson

Well, I think you can if you get more equipment...
SOLUTION
Blue Street Tech

CraftySpaz

ASKER
DiverseIT, that does make sense and in fact we have gone down that road already. Windows DHCP is handling two subnets: LAN (X0) 10.02.X and WLAN (X6) 10.03.X. One problem we found is that in order for the IP Helper on the SonicWall to function its DHCP server must be disabled. This conflicts with the setup as described in https://support.software.dell.com/sonicwall-nsa-series/kb/sw11272, which instructs in Part 1 to ensure that the SonicWall has DHCP enabled for the LAN and WLAN zones. Might there be a way to use the WLAN tunnel interface feature without the SonicWall DHCP server?
Blue Street Tech

Have you tried it? I'm thinking the article was written with the assumption that another DHCP is not present so for the integrity of the article they mention DHCP must be enabled. It's worth a shot.
Blue Street Tech

Any update on this?
CraftySpaz

ASKER
We have achieved the desired state and I will try to post a summary of the solution shortly.
Blue Street Tech

Awesome!
ASKER CERTIFIED SOLUTION
CraftySpaz

CraftySpaz

ASKER
Performs as desired
Blue Street Tech

Thanks for the points. I'm glad I could help!