Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Native Windows L2TP Split tunnel has no access to LAN behind TZ300

We have done this MANY times and it works perfectly, but I have one site that it just wont. Its a single site with no SITE-to-SITE VPNs. We use the native Windows VPN client with an L2TP/PSK connection to a SonicWall, in this case a TZ300AC with the latest code. The LAN interface is at 192.168.1.1/24 (I know...), the WAN is dynamic PPPoE. We set a DHCP range in the SonicWall's L2TP configuration to use a subset of the LAN interface's subnet because we want to split the tunnel (NOT use the default gateway on the VPN interface) to avoid unnecessary traffic and filtering. The firewall rules are in place to allow ANY/ANY to/from the L2TP Pool and the LAN. The remote PC is NOT the same subnet as the the SonicWall's LAN so no conflict. It connects fine, but we get no responses to pings but we do see the pings being forwarded to the internal host in packet monitor, just no responses received on the SonicWall's LAN interface...... ARP issue?!

Yes, if we change the subnet in the SonicWall's L2TP configuration to something outside the LAN's subnet AND use the default gateway on the VPN interface in Windows, it works, but then we don't have a split tunnel.

So, hopefully someone has seen/lived this and has a viable solution or suggestion. Like I said, we have many sites configured similarly and it usually works perfectly, just not this one..... and its a simple site...


Frustrated_Freddy

Category: Entry Level Firewalls
Reply

Best Answer

  • CORRECT ANSWER
    SaravananSaravanan Moderator
    Accepted Answer

    Hi @Fearless_Freddy,

    Thank you for visiting SonicWall Community.

    Please create a NAT policy as mentioned below and check if it does the trick. This NAT policy is Source Translation NAT policy.

    • Source: L2TP IP Pool
    • Translated Source: X0 IP (select the address object of the SonicWall's LAN IP that is pingable from the L2TP client)
    • Destination: Select the address object/group of the local resources that should be accessible from the L2TP client
    • Translated Destination: Original
    • Service: Any
    • Translated Service: Original
    • Inbound Interface: Any
    • Outbound Interface: Any

    Please create this NAT policy, disconnect the L2TP VPN, connect it back and try the VPN access. Keep me notified on this please.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Answers

  • SaravananSaravanan Moderator

    Hi @FEARLESS_FREDDY,

    Thank you for visiting SonicWall Community.

    I can give couple of suggestions and ask you to check.

    • Could you please try disabling windows firewall on the Internal Host were pings requests are getting forwarded to?
    • Similarly, please turn of the Anti-Virus for testing if any on the Internal Host.
    • Could you please try to check if Ping to the Internal Host works from the SonicWall itself?
    • From the packet capture verify the destination MAC address on the Ping request sent and make sure it belongs to the Internal Host?

    Let me know how it goes and we can drive it further.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Fearless_FreddyFearless_Freddy Newbie ✭

    Windows Firewall was disabled and there is no AV on this host. Other non-Windows devices like printers and switches were tested, again with no response.

    Pings from the SonicWall to the various hosts work fine.

    MAC addresses look fine.

    The only ping that works is to the SonicWall's LAN IP....

  • Fearless_FreddyFearless_Freddy Newbie ✭

    What blows my mind is that I checked another site but with a TZ350, same 192.168.1.1/24 LAN subnet, same firmware, not PPPoE though, worked fine without the source NAT......

  • SaravananSaravanan Moderator

    Hi @FEARLESS_FREDDY,

    Source translation NAT is a trick that is played in order to seek response from the end machine. This is not only applicable for VPN access but may be for any scenario where there is no response from the end machine but the end machine is reachable from the SonicWall appliance.

    Glad that I was able to help you! Have a good one!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Sign In or Register to comment.