Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".


VLAN over VPN Configuration

I have clients that are beginning to ask for more advanced configurations of their firewalls. Currently, one is asking to allow VLAN traffic over an existing site to site VPN.

Going from a TZ 600 to TZ 500 site to site. The client wants both sides to see the same vlans. We isolate with vlans per device type. Phone. Cameras. Doors. Special function printers. Etc.

Is this possible? I have not read anything that suggests it is doable, but it seems logical.

Category: Entry Level Firewalls


  • Options
    MustafaAMustafaA SonicWall Employee

    Hoping that I understood you correctly, the VLAN subnet in question, should be part of the Local/Remote Network negotiation, if it is policy base VPN. If it is route based VPN, you have to adjust the routing policies.

  • Options
    MustafaAMustafaA SonicWall Employee

    For instance;

    Site-A has X0 subnet and X0:V40

    Site-B has X0 subnet 192.168.10/24

    Site-A VPN Config:

    Local Network: X0 Subnet + X0:V40 Subnet

    Remote Network: X0 subnet 192.168.10/24 which is based on VPN Zone.

    Site-B VPN Config:

    Local Network: X0 subnet 192.168.10/24

    Remote Network: X0 Subnet + X0:V40 Subnet which are based on VPN Zone.

  • Options
    AjishlalAjishlal Community Legend ✭✭✭✭✭

    @SonicBoom ,

    You can add VLAN subnets in existing in site to site VPN.

  • Options
    TKWITSTKWITS Community Legend ✭✭✭✭✭

    @Arkwright has the best answer.

  • Options
    SonicBoomSonicBoom Newbie ✭

    In this post, I've heard a definitive no and a definitive yes. The goal IS to tag vlan traffic to cross to physically different sites over VPN.

    For example, I want to isolate camera IP, door IP, rfid reader IP, and printer IP traffic at site B and see it at site A. The VPN is in place.

    In VPN policies, I have my gateway with a few destination ranges. At site B, same pointing back across with "sister" ranges. It seems like it should be doable, but I have not been able to ping the device across the vpn. I can ping on the local side to the device. The ARPs have the interface IP's from each respective side.

    Is it doable or no? If yes, exactly how is the only way I'm going to crack this nut.

  • Options
    BWCBWC Cybersecurity Overlord ✭✭✭

    @SonicBoom I might repeat myself, but if you really like to spread a single Layer2 domain via VPN you need something like EoIP (Ethernet-over-IP) which SNWL can't do.

    I did this in the past with the help of Mikrotik Routerboards.

    This comes with some downsides and I would recommend to do this via Layer3 if possible, meaning not having the same subnet on both sides, VLAN tagging does not matter for L3.


Sign In or Register to comment.