Best way to route traffic over SonicWall VPN for VLAN
Talleyrand
Newbie ✭
If we have VLAN traffic at a site, what is the best way to route it to another site but keep it completely separate from all other traffic? (SonicWall 2700)
Currently there is a single VPN for multiple address blocks, but they are all user traffic, not management traffic.
Obviously you don't want to VLAN over a VPN, but you also don't want the traffic being mixed on the core switch, or any leaks of traffic.
Ideally:
VLAN 100 -> network range L3 -> VPN site 1 ---> VPN site 2 ---> network range L3 -> VLAN 100 tagged on arrival.
Clearly it also needs to be NATted so it can be routed to the remote.
Category: Mid Range Firewalls
Answers
If you want to get complicated then you need route-based VPN policies.
What does "traffic being mixed on the core switch" really mean?
If you don't want traffic from different networks on the same infrastructure, then you need separate infrastructure for it. But that means buying more hardware and maintaining more stuff. Most people are happy to use VLANs, access control lists and different networks to keep things separate. If you need to be more paranoid then you need to spend more money.
What it means is that if I have a network VLAN for switch/AP maintenance on a remote network, I have to strip the VLAN from it before putting it over the VPN,
which means it is on VLAN 1 by default/untagged.
I then have to "NAT" it, since we cannot have the same network at both ends, so after NATting it I have to ensure it does not leak into the core switch, then re-apply a VLAN to it so that it can be tied into the support infrastructure.
I don't think I can bring traffic over the VPN and VLAN it at the port (unless I have a secondary VPN line), which I don't have.
And I have not seen the ability to bring multiple separate VPN streams into the same port with different keys without serious problems.
SonicOS doesn't do any type of L2 VPN, so VLAN tags on VPN tunnels are not relevant. All that matters is the source/destination IP address. If the destination network is on a VLAN subinterface, then it will be tagged on egress.
NATing across a VPN tunnel is possible.
"Clearly it also needs to be NATted so it can be routed to the remote."
Sorry, that was not clear at all :D
Nope, it's crystal clear...
VLANs work under IP; it would be nonsense to try and put the car wheels in the car, then drive it.
You would need some sort of IP signalling mechanism to sit in the IP and reconstruct the L2 flag at the other end.
And since you need to distinguish between networks to route them, NAT is a requirement,
which I had done, just trying to explain to some guys on a WiFi site why they could not get contact from a hotel on 192.168.x over a VPN to their company on 192.168.x.
Just wanted to ensure I had not missed anything I did not know.
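The two points made in this thread, that a route-based SonicOS tunnel carries only the IP header so VLAN tags are decided per subinterface at each end, and that two sites sharing 192.168.x cannot reach each other over the VPN without NAT (the hotel example), can be walked through in a small simulation. The following is an added example written for this page, not SonicOS code or anything from the thread: the interface name X0:V100, the translated ranges 10.101.0.0/24 and 10.102.0.0/24, and the host addresses are all made up, and the class models only longest-prefix routing, 1:1 network NAT on the tunnel policy, and tagging on egress.

```python
"""Toy model of a route-based (L3) site-to-site VPN with NAT over the tunnel.

Added illustration for this thread, not SonicOS code. It shows (1) that only the
IP header crosses the tunnel, so the ingress VLAN tag is irrelevant and the
egress tag is decided by the destination subinterface, and (2) why two sites
that both use 192.168.1.0/24 cannot talk without NAT. The interface name
(X0:V100), addresses and translated ranges are made up for the example.
"""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network


class Firewall:
    def __init__(self, name, interfaces):
        # interfaces: {ifname: (network, vlan tag or None for untagged)}
        self.name = name
        self.interfaces = {n: (NET(net), tag) for n, (net, tag) in interfaces.items()}
        self.routes = [(net, n) for n, (net, _) in self.interfaces.items()]  # connected
        self.vpn_nat = None  # (local real net, local translated net) on the tunnel policy
        self.peer = None     # firewall at the far end of the tunnel

    def add_tunnel_route(self, prefix):
        # route-based VPN: the remote (translated) network is reached via the tunnel
        self.routes.append((NET(prefix), "tunnel"))

    def set_vpn_nat(self, local_real, local_translated):
        self.vpn_nat = (NET(local_real), NET(local_translated))

    def lookup(self, dst):
        # longest-prefix match: the connected /24 always wins for its own range,
        # so an overlapping remote subnet can never be routed to without NAT
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    @staticmethod
    def translate(addr, from_net, to_net):
        # 1:1 network NAT: keep the host bits, swap the network bits
        offset = int(addr) - int(from_net.network_address)
        return IP(int(to_net.network_address) + offset)

    def forward(self, pkt):
        """Packet arriving on a LAN port: pkt = {src, dst, vlan}. The vlan field is
        never consulted; the forwarding decision is made on the destination IP."""
        src, dst = IP(pkt["src"]), IP(pkt["dst"])
        nh = self.lookup(dst)
        if nh is None:
            return {"fw": self.name, "result": "dropped", "src": str(src), "dst": str(dst)}
        if nh != "tunnel":
            _, tag = self.interfaces[nh]
            return {"fw": self.name, "result": "local", "iface": nh, "vlan": tag,
                    "src": str(src), "dst": str(dst)}
        if self.vpn_nat and src in self.vpn_nat[0]:
            src = self.translate(src, *self.vpn_nat)  # source NAT before encapsulation
        inner = {"src": str(src), "dst": str(dst)}     # what goes into the tunnel: no tag
        return self.peer.receive_from_tunnel(inner)

    def receive_from_tunnel(self, inner):
        src, dst = IP(inner["src"]), IP(inner["dst"])
        if self.vpn_nat and dst in self.vpn_nat[1]:
            dst = self.translate(dst, self.vpn_nat[1], self.vpn_nat[0])  # destination NAT
        nh = self.lookup(dst)
        if nh is None or nh == "tunnel":
            return {"fw": self.name, "result": "dropped", "src": str(src), "dst": str(dst)}
        _, tag = self.interfaces[nh]  # tag applied on egress because the subinterface is tagged
        return {"fw": self.name, "result": "delivered", "iface": nh, "vlan": tag,
                "src": str(src), "dst": str(dst)}


def build_sites():
    """Two sites that both use 192.168.1.0/24 on VLAN 100 (made-up topology)."""
    site1 = Firewall("site1", {"X0:V100": ("192.168.1.0/24", 100)})
    site2 = Firewall("site2", {"X0:V100": ("192.168.1.0/24", 100)})
    site1.peer, site2.peer = site2, site1
    # each side presents itself to the tunnel under a unique translated range
    site1.set_vpn_nat("192.168.1.0/24", "10.101.0.0/24")
    site2.set_vpn_nat("192.168.1.0/24", "10.102.0.0/24")
    site1.add_tunnel_route("10.102.0.0/24")  # reach site2 through its translated range
    site2.add_tunnel_route("10.101.0.0/24")
    return site1, site2


def hotel_problem(site1):
    """Host at site1 uses the remote host's real address: the packet never leaves the LAN."""
    return site1.forward({"src": "192.168.1.10", "dst": "192.168.1.50", "vlan": 100})


def natted_path(site1, ingress_vlan):
    """Same host uses the remote's translated address: crosses the tunnel, is
    source-NATted, de-NATted at site2 and tagged VLAN 100 there on egress."""
    return site1.forward({"src": "192.168.1.10", "dst": "10.102.0.50", "vlan": ingress_vlan})


if __name__ == "__main__":
    s1, _ = build_sites()
    print(hotel_problem(s1))
    print(natted_path(s1, 100))
    print(natted_path(s1, None))  # untagged on ingress, still VLAN 100 on egress
```

Running the block prints three records: the first stays "local" at site1 because 192.168.1.50 matches the connected subnet, which is exactly the hotel-to-company failure; the second and third are "delivered" at site2 with source 10.101.0.10, destination 192.168.1.50 and vlan 100, regardless of whether the frame was tagged when it arrived at site1.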