Basic WAN GroupVPN setup on Dell 12800 SOHO
New to VPN configuration on the SonicWall. I followed the instructions to a T with regard to setting up a WAN GroupVPN and adding a Local User account. Now I just need to determine how to go about allowing limited access to a specific appliance on our network for a local HVAC company to be able to access. They prefer the VPN method which is why I'm trying this out first, before going the public IP route.
I have already assigned a static IP on node X0 for the management controller the HVAC company wants to access. Is there a way to limit their access to just that device through the VPN tunnel, or would it require creating some sort of new zone and adding that IP into the zone?
I should also mention I am very unfamiliar with what "network" choice I should choose for the local user account under VPN Client Access Networks. I was guessing maybe LAN Interface IP, or LAN Subnets? Any help would be greatly appreciated! FYI, this is for a public school, not some multi-million dollar a year corporation.
Think about what you are trying to accomplish. If your GroupVPN allows access to "LAN Subnets" then that includes the entirety of your internal network. You don't want that. You want to select an address object that represents the HVAC device.
The same thought applies to the user account being used to login.
The big question is do other users use GVPN for remote access?
Thanks for your response. As far as I know, the HVAC company will be the only one remoting into the SonicWall for access. I went ahead and added an address object called "HVAC Controller" with VPN as the Zone and used the MAC address option for the specific piece of hardware they're using.
I'm still not entirely familiar with all the options that are available to be chosen under the VPN Client Access Networks though. I want to make sure I choose the correct one that will allow them to access that appliance, but with additional access to the network limited. Going for the "best practices" approach here. I'm only in my first year and a half of networking so, still taking it all in, and this is the first time using the SonicWall interface.
Is there something else I should be considering, or looking for in order to configure the VPN properly?
Familiarize yourself with the concepts of zone based firewalling and object oriented management/programming. These concepts are fundamental to firewall management. You don't need to learn programming, you just have to understand the idea behind object oriented models.
A good visual reference for zone based firewalling:
That said, putting a device that is on the LAN (the HVAC controller) in a VPN 'zone' is incorrect. You also wouldn't want to use a MAC address as that is layer 2 of the OSI model and firewalling (and VPNing) are layer 3. So you'd want to use the IP address of the device.
If you are unfamiliar with the OSI model concept:
Best practices come from experience. A vendor won't always give you best practices. Limit everything to only what is essential for its functionality. Security is of utmost importance. Welcome to the wild west.
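A small Python model of the point made above, added here as an illustration and not code from the thread or from SonicWall: it contrasts binding "LAN Subnets" to the GroupVPN's client access networks with binding a single host address object, and rejects a MAC-based object because VPN access is decided at layer 3. The LAN subnet, the controller's IP and the object names are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread): the school's
# X0 (LAN) subnet and the static IP assigned to the HVAC management controller.
LAN_SUBNET = "10.0.0.0/24"
HVAC_CONTROLLER_IP = "10.0.0.50"


def address_object(kind, value):
    """Build the layer-3 network an address object contributes to a VPN client
    access network. Firewalling and VPN routing work on IP addresses, so a
    MAC-based object cannot express the rule and is rejected outright."""
    if kind == "mac":
        raise ValueError("MAC objects are layer 2; use the device's IP address")
    if kind == "host":
        return ipaddress.ip_network(f"{value}/32")
    if kind == "network":
        return ipaddress.ip_network(value)
    raise ValueError(f"unknown address object type: {kind}")


# Weak setting: the whole internal network is offered to the VPN client.
WEAK_ACCESS_NETWORKS = {"LAN Subnets": address_object("network", LAN_SUBNET)}
# Hardened setting: only the HVAC controller is offered.
HARDENED_ACCESS_NETWORKS = {"HVAC Controller": address_object("host", HVAC_CONTROLLER_IP)}


def reachable(access_networks, destination):
    """True if a VPN client is allowed to reach `destination` under these access networks."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in access_networks.values())


def exposure(access_networks, intended_hosts):
    """Number of addresses reachable through the tunnel beyond the hosts the
    third party actually needs. Enumerates every address in the bound networks,
    which is fine for LAN-sized prefixes like a /24."""
    intended = {ipaddress.ip_address(h) for h in intended_hosts}
    return sum(1 for net in access_networks.values() for addr in net if addr not in intended)
```

With the sample values, "LAN Subnets" exposes 255 addresses the HVAC vendor has no need for, while the host object exposes none.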