VLAN over VPN Configuration
SonicBoom
I have clients that are beginning to ask for more advanced configurations of their firewalls. Currently, one is asking to allow VLAN traffic over an existing site to site VPN.
Going from a TZ 600 to TZ 500 site to site. The client wants both sides to see the same vlans. We isolate with vlans per device type. Phone. Cameras. Doors. Special function printers. Etc.
Is this possible? I have not read anything that suggests it is doable, but it seems logical.
Category: Entry Level Firewalls
Answers
Hoping that I understood you correctly: the VLAN subnet in question should be part of the Local/Remote Network negotiation if it is a policy-based VPN. If it is a route-based VPN, you have to adjust the routing policies.
For instance:
Site-A has X0 subnet 192.168.20.0/24 and X0:V40 192.168.40.0/24
Site-B has X0 subnet 192.168.10.0/24
Site-A VPN Config:
Local Network: X0 Subnet 192.168.20.0/24 + X0:V40 Subnet 192.168.40.0/24
Remote Network: X0 subnet 192.168.10.0/24, which is based on VPN Zone.
Site-B VPN Config:
Local Network: X0 subnet 192.168.10.0/24
Remote Network: X0 Subnet 192.168.20.0/24 + X0:V40 Subnet 192.168.40.0/24, which are based on VPN Zone.
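The following is an added example, not part of MUSTAFAA's post or any SonicWall code: it models the two policy-based VPN definitions above as traffic selectors and checks what the post depends on, namely that Site-A's Local Networks equal Site-B's Remote Networks and vice versa, and that a flow from the VLAN 40 subnet is covered on both sides. The "before" policy for Site-B (VLAN subnet not yet added) is a constructed assumption, included to show that a flow is only carried when the source side and the reply side both select it.

```python
"""Added example (not from the thread): model policy-based IPsec traffic
selectors and check that two sites mirror each other.  Subnets are the ones
used in the post above; SITE_B_OLD is a constructed "before" state."""
import ipaddress


def nets(cidrs):
    """Parse a list of CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class VpnPolicy:
    """One side's Local/Remote Network definition of a policy-based tunnel."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = nets(local)
        self.remote = nets(remote)

    def covers(self, src, dst):
        """True if a packet src -> dst leaving this side matches the selector,
        i.e. it would be negotiated into the tunnel at all."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in n for n in self.local) and any(d in n for n in self.remote)


def mirrored(a, b):
    """Phase 2 selectors only agree when A.local == B.remote and A.remote == B.local."""
    return set(a.local) == set(b.remote) and set(a.remote) == set(b.local)


def check(a, b, flows):
    """For each (src, dst) flow originating at side a, require that a selects
    the outbound packet AND b selects the reply; otherwise one direction is
    outside the tunnel and the ping never completes."""
    results = {"mirrored": mirrored(a, b), "flows": {}}
    for src, dst in flows:
        results["flows"][(src, dst)] = a.covers(src, dst) and b.covers(dst, src)
    return results


SITE_A = VpnPolicy("Site-A",
                   local=["192.168.20.0/24", "192.168.40.0/24"],
                   remote=["192.168.10.0/24"])
SITE_B = VpnPolicy("Site-B",
                   local=["192.168.10.0/24"],
                   remote=["192.168.20.0/24", "192.168.40.0/24"])
# Constructed: Site-B before the X0:V40 subnet was added to its Remote Network.
SITE_B_OLD = VpnPolicy("Site-B (before)",
                       local=["192.168.10.0/24"],
                       remote=["192.168.20.0/24"])

# Constructed sample flows: a camera on VLAN 40 and a PC on X0, both at Site-A,
# reaching a host at Site-B.
FLOWS = [("192.168.40.50", "192.168.10.20"),   # VLAN 40 host -> Site-B
         ("192.168.20.5", "192.168.10.20")]    # X0 host      -> Site-B

if __name__ == "__main__":
    for peer in (SITE_B_OLD, SITE_B):
        r = check(SITE_A, peer, FLOWS)
        print(f"{SITE_A.name} <-> {peer.name}: mirrored={r['mirrored']}")
        for flow, ok in r["flows"].items():
            print(f"  {flow[0]} -> {flow[1]}: {'carried' if ok else 'NOT carried'}")
```

With the "before" peer the X0 flow is carried but the VLAN 40 flow is not, because Site-B never selects the reply; once both sides list the same pair of subnets the policies mirror and both flows are carried. Running the same check against your own Local/Remote Network lists is a quick way to spot a subnet that was added on one firewall only.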
If you want to carry the actual VLAN tagged frames, ie L2 traffic across a VPN, then no, you cannot bridge L2 networks over VPN with Sonicwall.
If you just want multiple networks to be able to reach each other across a VPN, then yes, that's straightforward enough, per MUSTAFAA's post.
@SonicBoom ,
You can add VLAN subnets to an existing site-to-site VPN.
@Arkwright has the best answer.
In this post, I've heard a definitive no and a definitive yes. The goal IS to tag vlan traffic to cross to physically different sites over VPN.
For example, I want to isolate camera IP, door IP, rfid reader IP, and printer IP traffic at site B and see it at site A. The VPN is in place.
In VPN policies, I have my gateway with a few destination ranges. At site B, the same, pointing back across with "sister" ranges. It seems like it should be doable, but I have not been able to ping the device across the VPN. I can ping the device on the local side. The ARPs have the interface IPs from each respective side.
Is it doable or no? If yes, exactly how is the only way I'm going to crack this nut.
@SonicBoom I might repeat myself, but if you really want to spread a single Layer 2 domain via VPN you need something like EoIP (Ethernet-over-IP), which SNWL can't do.
I did this in the past with the help of Mikrotik Routerboards.
This comes with some downsides, and I would recommend doing this via Layer 3 if possible, meaning not having the same subnet on both sides; VLAN tagging does not matter for L3.
--Michael@BWC
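To make the L2-versus-L3 distinction from Michael's and Arkwright's posts concrete, here is an added example that is not from the thread or from any vendor: a minimal 802.1Q frame builder/parser and a `route()` function that does what any Layer 3 hop (a router, or an IPsec tunnel-mode gateway, which encapsulates only the IP packet) does to a frame. The MAC addresses, VLAN IDs and ICMP payload are constructed; the IP addresses reuse the subnets from earlier in the thread.

```python
"""Added example (not from the thread): show why an 802.1Q tag never survives
an L3 hop.  The tag lives in the Ethernet header, which a router strips and
rewrites; only the IP packet continues.  All MACs/VIDs here are constructed."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ipv4_checksum(hdr):
    """Standard ones-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64, proto=1):
    """Minimal IPv4 header (no options) in front of payload; proto 1 = ICMP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_frame(dst_mac, src_mac, packet, vid=None):
    """Ethernet II frame, optionally with an 802.1Q tag (PCP/DEI left at 0)."""
    eth = mac(dst_mac) + mac(src_mac)
    if vid is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """Return the VLAN ID (None if untagged) and the key IPv4 fields."""
    ethertype, = struct.unpack("!H", frame[12:14])
    off, vid = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    pkt = frame[off:]
    return {"vid": vid, "ethertype": ethertype, "ttl": pkt[8], "proto": pkt[9],
            "src_ip": str(ipaddress.ip_address(pkt[12:16])),
            "dst_ip": str(ipaddress.ip_address(pkt[16:20])), "packet": pkt}


def route(frame, egress_src_mac, next_hop_mac, egress_vid=None):
    """What an L3 hop does: drop the ingress Ethernet/802.1Q header entirely,
    decrement TTL, recompute the header checksum, and write a new L2 header
    for the egress link.  Whatever VLAN the packet arrived on is gone; the
    egress tag (if any) is a property of the outgoing link, not the packet."""
    pkt = bytearray(parse_frame(frame)["packet"])
    pkt[8] -= 1                      # TTL
    pkt[10:12] = b"\x00\x00"         # zero checksum before recomputing
    pkt[10:12] = struct.pack("!H", ipv4_checksum(bytes(pkt[:20])))
    return build_frame(next_hop_mac, egress_src_mac, bytes(pkt), egress_vid)


# Constructed sample: an ICMP echo from a VLAN 40 camera at Site-A to Site-B.
ECHO = b"\x08\x00\xf7\xff\x00\x00\x00\x00"
INGRESS = build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01",
                      build_ipv4("192.168.40.50", "192.168.10.20", ECHO), vid=40)

if __name__ == "__main__":
    print("ingress :", parse_frame(INGRESS))
    print("egress  :", parse_frame(route(INGRESS, "00:11:22:33:44:56", "aa:bb:cc:dd:ee:02")))
    print("egress+tag:", parse_frame(route(INGRESS, "00:11:22:33:44:56", "aa:bb:cc:dd:ee:02", 400))["vid"])
```

Parsing the routed frame shows the same source and destination IPs with TTL 63 and no VLAN tag, and re-tagging on egress with a completely different VID is just as valid: the VLAN IDs on the two sides of a VPN need not match, only the subnets and the selectors do. Carrying the original tag end to end would require tunnelling the whole Ethernet frame (EoIP, L2TPv3, VXLAN and the like), which is the part a routed IPsec tunnel does not do.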