Setting up a SonicWall TZ 210 behind a border router

By jeff.friend

So let me describe my situation. I have 2 sites that I would like to connect together using a hardware VPN (2 x TZ 210s). Site A has the SonicWall TZ 210 set up as the border router. At Site B the TZ 210 is set up behind a border router. We unfortunately do not have control over this since we rent office space and they provide the internet access. What is the best method for a VPN connection between the two sites? Can I do this without forwarding ports/services? If not, what ports/services will need to be forwarded? If this isn't enough info, please let me know what you would need for an informed decision.

Any help would be appreciated.


by christianshiflet In reply to Setting up a SonicWall TZ ...

You say the office/landlord provides the Internet connectivity. Do they provide a static IP address to you that your TZ uses or are you on the same LAN as other office renters from different companies?

by jeff.friend In reply to Re: VPN

Thanks for your reply. We are actually a part of their LAN.

nope on the TZ210 behind a border router

by CG IT In reply to VPN

has to be the border router for the VPN tunnels to work even if you forward ports.

Even then there is the problem that the tunnel becomes the WAN connection on the border router. The router will route all outbound traffic through the tunnel.

What you need is a border router that is in bridge mode not router mode and then have 2 routers behind the bridge mode router and 2 public addresses. Then you can have one WAN address as the persistent VPN connection between 2 sites and internet access through the other public address for clients that don't use the tunnel.

by christianshiflet In reply to nope on the TZ210 behind ...

I'm not sure I understand what you are stating. It is correct that you need a public IP for the VPN to function between sites (on both ends). But a VPN endpoint/router such as the TZs can determine what networks are on the other end of the tunnel and only route that traffic over the tunnel and route all other WAN traffic through the appropriate WAN port (not the VPN, but to the Internet/ISP). There would be no need for numerous routers if they had a WAN facing IP address.

what I'm saying is this: with only 1 WAN interface

by CG IT In reply to VPN

the router will send out all traffic out the WAN interface, however that WAN interface is configured. If you make that WAN interface a site to site VPN connection, then that's what it is. The router cannot route traffic out the WAN interface to the internet if that WAN interface is configured to be a Site to Site VPN Tunnel.

WAN interface

by christianshiflet In reply to what I'm saying is this: ...

With split tunnelling, which most VPN/Router devices including SonicWall and Cisco provide, a single public IP address absolutely can provide both site to site VPN access and Internet access through the same WAN interface.

ok well then tell the poster how to set up split tunnelling

by CG IT In reply to WAN interface

on his sonic wall router behind a perimeter router so he's got a site to site split tunnel.

Also tell him how to set up split tunneling if both SonicWalls are perimeter routers so he has both a site to site VPN and internet access, as well as how to set up clients to use the tunnel.

by christianshiflet In reply to WAN interface

Firstly, I'm not trying to argue with you. As I have stated earlier, in order to set up the VPN their router would have to have a public IP address. Secondly, the SonicWall devices will default to split tunnelling when they are set up as a router first, then a site to site VPN is added with either the Wizards they provide, or manually through the provided web interface, so long as a specific network is defined for the other end of the tunnel. As for clients or travelling users with laptops or PCs, both the client software and the router configuration page for the WAN Group VPN have options to define the tunnel as the default gateway (or not, if left un-checked).

If the original poster would like more specific instructions or resources to do so because they plan on getting their own Internet service that provides them with the before mentioned and required public IP address, I would be more than happy to help them with that.
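Added example, not part of any post in this thread and not SonicWall configuration: a Python model of the split-tunnel behaviour described in the reply above, where one WAN interface carries both tunnel and Internet traffic depending on the destination network. The subnets, function names and egress labels are constructed for illustration.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def build_policy(local_lan, remote_networks, tunnel_is_default_gateway=False):
    """Forwarding policy of a single-WAN VPN router (hypothetical model).

    "tunnel" and "wan" both leave through the same physical WAN port;
    "tunnel" means the packet is encapsulated and sent to the VPN peer.
    """
    local = ipaddress.ip_network(local_lan)
    routes = [(local, "lan")]
    for net in map(ipaddress.ip_network, remote_networks):
        # Identical or overlapping LANs at both sites make the tunnel
        # selector ambiguous, so reject that up front.
        if net.overlaps(local):
            raise ValueError(f"remote network {net} overlaps local LAN {local}")
        routes.append((net, "tunnel"))
    # Split tunnel: everything else goes straight to the Internet.
    # Tunnel as default gateway: everything else is sent to the peer.
    routes.append((DEFAULT, "tunnel" if tunnel_is_default_gateway else "wan"))
    return routes

def egress_for(dst, routes):
    """Pick the most specific matching route for a destination address."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, out) for net, out in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    # Constructed addressing: Site A LAN 192.168.10.0/24, Site B LAN 192.168.20.0/24.
    split = build_policy("192.168.10.0/24", ["192.168.20.0/24"])
    full = build_policy("192.168.10.0/24", ["192.168.20.0/24"],
                        tunnel_is_default_gateway=True)
    for dst in ("192.168.10.7", "192.168.20.15", "203.0.113.80"):
        print(f"{dst:15}  split={egress_for(dst, split):7} full={egress_for(dst, full)}")
```
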

never gotten a Site to Site VPN to work properly

by CG IT In reply to WAN interface

the perimeter routers that were the Site to Site Endpoint and only had 1 public address.

It was too complicated from an end user standpoint and almost a daily problem from a support standpoint. It was far easier to use client/endpoint VPN connections than site to site, both for the end user [use the VPN client program] and support [hardly any support calls].

Went in another direction

by jeff.friend In reply to Setting up a SonicWall TZ ...

Instead of trying to figure this out we ended up just paying for a cable internet connection at Site B. Thanks for your help.
