How do I configure internet access on a SonicWALL Site-to-Site VPN?


zfreeman
I am trying to connect two sites using a VPN between two SonicWALL appliances. The central site is using SonicWALL TZ 200, and the remote site is using a TZ 170. The central site has 13 users, and the remote site has 3 users. The VPN connection gets established. I can ping between the sites, and I can connect to the shared network resources. My problem is that the remote site cannot browse the internet. I am using Internet Explorer 8 on two of the three computers at the remote site and IE9 on the third. For a few minutes,

I am using the Comcast cable modem at the remote site as a bridge, with DHCP being provided by the TZ 200 at the central site.

In the log at the central site, I see errors that UDP connection dropped, then a few that say ICMP Packet dropped, and then TCP connection dropped. On the computers at the remote site, when I run the troubleshooter on the network connection, if it says anything, it will say that the DNS server is not responding. The DNS servers are assigned by the central TZ 200. Computers at the central site have no problem connecting to the internet.

I used the setup at this link: http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf

Any ideas on how to get the remote sites connected to the internet?
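A small diagnostic, added here and not part of the thread, to run from a remote-site client: it sends a raw DNS A query over UDP/53 to the DNS server handed out by the central TZ 200 and labels the outcome, so a "DNS server is not responding" report can be split into "the UDP packet never came back through the tunnel" versus "the server replied but could not resolve the name". The server address, test name and timeout are assumptions; the sample replies in the test are constructed.

```python
import random
import socket
import struct

def build_dns_query(name, qid=None):
    """Minimal RFC 1035 A query (one question, recursion desired)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp, off):
    # Advance past a domain name, handling a trailing compression pointer.
    while resp[off] & 0xC0 != 0xC0 and resp[off] != 0:
        off += resp[off] + 1
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)

def parse_dns_answer(resp, qid):
    """Return (rcode, [A addresses]); reject a reply whose id does not match."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # echoed question + QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record, IPv4 address
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def classify_dns_path(server, name="www.example.com", timeout=2.0):
    """'resolves', 'no-reply' (UDP dropped, e.g. at the tunnel), 'bad-reply',
    'server-error:<rcode>' or 'no-answer' (server reachable but no A record)."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dns_query(name, qid), (server, 53))  # server is assumed
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    try:
        rcode, addrs = parse_dns_answer(resp, qid)
    except (ValueError, IndexError, struct.error):
        return "bad-reply"
    return f"server-error:{rcode}" if rcode else ("resolves" if addrs else "no-answer")
```

Run `classify_dns_path("<DNS server IP from the DHCP lease>")` on a remote-site PC; a "no-reply" while the central-site log shows dropped UDP points at the tunnel or NAT path rather than at the DNS server itself.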
  • robo_dev

    Do you want the remote site users going to the Internet over the VPN using the connection at the main site, or going outbound via the cable modem at their site?

    I could be wrong but:

    Assuming your VPN is all set up properly, then in order to get to the Internet, the remote clients need to have a route to/from BOTH the inside and the outside networks of the main site, which may require some NAT, some split-tunneling, some 'hairpinning'.

    Thinking out loud, the issue may be either you need a static route from the external interface of the home office router to the internal interface of the remote router, or the issue is that the VPN policy/configuration is blocking this explicitly.

    I am not familiar with SonicWall config, but I think the issue is more related to NAT and routing than VPN. Can the remote clients get to local web servers at the home site?

    zfreeman

    The remote clients can get to all of the resources at the home site. I can map network drives and even print on network printers at the home site. But I think you are on to something with the split tunneling. I can now get to the internet with the changes I made below.

    I made a few changes to my configuration. I disabled Dead Packet Detection on the SonicWALL at the central site. I also changed the LAN IP of the remote SonicWALL to match that of the cable modem. The cable modem has a LAN IP of 10.1.10.1. I changed the remote SonicWALL's IP from 10.0.0.1 to 10.1.10.200. Then I added a third DNS server to the home SonicWALL to match what my ISP for the cable modem gave me. With these changes, I can now get to the internet. I don't know which one was the fix though. Since I got it working, I didn't mess with anything, but this weekend I will test to see which change did the trick.

    Now, my only problem is that I cannot ping my remote SonicWALL device using its WAN IP. I can only ping the cable modem using its WAN IP. That doesn't seem to hinder performance except that I can't remotely administer the device. That's another thing I'll be working on this weekend.

    Right now, I'm just happy that things seem to be working and users are not complaining.

    If you have any insight on either of these issues, I would appreciate it.

    Issue 1. Did disabling Dead Packet Detection at the home site get me back on the internet, or was it changing the LAN IP of the remote SonicWALL to match that of the cable modem, or adding the third DNS server, that got me on the internet?
    Issue 2. Why can I not ping my remote SonicWALL with its WAN IP?

    Thank you for your reply.

    zfreeman

    I never properly thanked you for your response. I think it made all the difference, prompting me to make the changes below. Thank you very much.
