Native Windows L2TP Split tunnel has no access to LAN behind TZ300
We have done this MANY times and it works perfectly, but I have one site where it just won't. It's a single site with no site-to-site VPNs. We use the native Windows VPN client with an L2TP/PSK connection to a SonicWall, in this case a TZ300AC with the latest code. The LAN interface is at 192.168.1.1/24 (I know...), the WAN is dynamic PPPoE. We set a DHCP range in the SonicWall's L2TP configuration to use a subset of the LAN interface's subnet because we want to split the tunnel (NOT use the default gateway on the VPN interface) to avoid unnecessary traffic and filtering. The firewall rules are in place to allow ANY/ANY to/from the L2TP Pool and the LAN. The remote PC is NOT on the same subnet as the SonicWall's LAN, so no conflict. It connects fine, but we get no responses to pings. We do see the pings being forwarded to the internal host in packet monitor, just no responses received on the SonicWall's LAN interface... ARP issue?!
Yes, if we change the subnet in the SonicWall's L2TP configuration to something outside the LAN's subnet AND use the default gateway on the VPN interface in Windows, it works, but then we don't have a split tunnel.
So, hopefully someone has seen/lived this and has a viable solution or suggestion. Like I said, we have many sites configured similarly and it usually works perfectly, just not this one... and it's a simple site...
Frustrated_Freddy
Best Answer
Saravanan Moderator
Hi @Fearless_Freddy,
Thank you for visiting SonicWall Community.
Please create a NAT policy as mentioned below and check if it does the trick. This NAT policy is a Source Translation NAT policy.
- Source: L2TP IP Pool
- Translated Source: X0 IP (select the address object of the SonicWall's LAN IP that is pingable from the L2TP client)
- Destination: Select the address object/group of the local resources that should be accessible from the L2TP client
- Translated Destination: Original
- Service: Any
- Translated Service: Original
- Inbound Interface: Any
- Outbound Interface: Any
Please create this NAT policy, disconnect the L2TP VPN, connect it back and try the VPN access. Keep me notified on this please.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
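To make the reasoning behind the source-translation policy concrete, here is an added example (not from the thread, not SonicWall code) that models the return path of an echo reply from a LAN host. It assumes, as a simplification, that the firewall answers ARP only for its own X0 IP and not for addresses handed out from the L2TP pool; the pool range 192.168.1.224/27, the internal host 192.168.1.50 and the outside-LAN client 10.99.0.5 are constructed values. Under that assumption a host that sees a ping source inside its own /24 ARPs for it on the wire and gets no answer, while a source outside the /24 is sent to the default gateway (the SonicWall), and source NAT to the X0 IP makes the reply target the firewall itself.

```python
"""Model of the LAN host's reply path for an L2TP client ping.

Added example, not part of the thread. The firewall model below is an
assumption: it answers ARP for its own LAN IP, and for L2TP pool addresses
only when proxy_arp_for_pool is enabled.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # LAN subnet from the thread
X0_IP = ipaddress.ip_address("192.168.1.1")            # SonicWall LAN (X0) IP from the thread
L2TP_POOL = ipaddress.ip_network("192.168.1.224/27")   # constructed subset of the LAN
LAN_HOST = ipaddress.ip_address("192.168.1.50")        # constructed internal host


def firewall_answers_arp(target, proxy_arp_for_pool):
    """Assumed firewall behaviour: ARP replies for X0, and for the pool only if proxy ARP is on."""
    if target == X0_IP:
        return True
    if target in L2TP_POOL and proxy_arp_for_pool:
        return True
    return False


def host_reply_arp_target(host_net, gateway, reply_dst):
    """The LAN host ARPs directly for an on-link destination, otherwise for its gateway."""
    if reply_dst in host_net:
        return reply_dst
    return gateway


def reply_returns(client_ip, source_nat_to_x0=False, proxy_arp_for_pool=False):
    """Return True if the host's echo reply can reach the firewall (and so the client).

    client_ip: the L2TP client's address as a string.
    source_nat_to_x0: the source-translation NAT policy from the answer is applied.
    proxy_arp_for_pool: the assumed optional firewall behaviour of answering ARP for the pool.
    """
    client = ipaddress.ip_address(client_ip)
    # Forward direction: with the NAT policy the host sees the X0 IP as the source.
    src_seen_by_host = X0_IP if source_nat_to_x0 else client
    # Reverse direction: who does the host ARP for when replying?
    arp_target = host_reply_arp_target(LAN, X0_IP, src_seen_by_host)
    return firewall_answers_arp(arp_target, proxy_arp_for_pool)


def describe(client_ip, **kw):
    """Human-readable summary of one scenario."""
    ok = reply_returns(client_ip, **kw)
    return f"client {client_ip} {kw or ''}: reply {'reaches' if ok else 'does NOT reach'} the firewall"


if __name__ == "__main__":
    # Pool inside the LAN, no NAT: request is forwarded, reply is lost (the thread's symptom).
    print(describe("192.168.1.230"))
    # Same pool with the source-translation policy from the accepted answer.
    print(describe("192.168.1.230", source_nat_to_x0=True))
    # Pool outside the LAN: the host routes its reply via the gateway.
    print(describe("10.99.0.5"))
```

The three scenarios in the `__main__` block line up with the thread: a same-subnet pool with no NAT shows forwarded requests and no replies, the accepted answer's policy restores replies, and a pool outside the LAN works because the host hands the reply to its gateway.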
Answers
Hi @FEARLESS_FREDDY,
Thank you for visiting SonicWall Community.
I can give a couple of suggestions and ask you to check.
Let me know how it goes and we can drive it further.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Windows Firewall was disabled and there is no AV on this host. Other non-Windows devices like printers and switches were tested, again with no response.
Pings from the SonicWall to the various hosts work fine.
MAC addresses look fine.
The only ping that works is to the SonicWall's LAN IP...
What blows my mind is that I checked another site with a TZ350, same 192.168.1.1/24 LAN subnet, same firmware, not PPPoE though, and it worked fine without the source NAT...
Hi @FEARLESS_FREDDY,
Source translation NAT is a trick that is played in order to seek a response from the end machine. This is not only applicable to VPN access but may apply to any scenario where there is no response from the end machine but the end machine is reachable from the SonicWall appliance.
Glad that I was able to help you! Have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services