Arkwright Community Legend ✭✭✭✭✭
Comments
-
"policy" can mean access policy, NAT policy, route policy. You said you've done the access policy, and that the server is on a connected interface subnet, so it's not a route policy, which leaves a NAT policy. Have you created a NAT policy? [I am assuming that NAT is required, it may not be]. What is odd is that "policy…
-
Is this HTTPS or HTTP? If you're attempting HTTPS, then try doing it with HTTP first.
-
I've never done it but I suppose it's possible to have static assignments from the Sonicwall DHCP server on one of the subnets, and a standard range on the other. As long as you have the laptop MAC addresses you can set up a static assignment (a.k.a. DHCP Reservation). That sounds like the answer here - this specific set of…
-
Yes the KB article is correct. If you can get your RADIUS backend to do MFA, then you can have GVC + MFA.
-
Using un-numbered tunnels on SonicOS is easy, you simply skip the step where you create a numbered tunnel :D Create tunnel-mode VPN policy, assign to SD-WAN group. Done. The documentation originally said you had to use numbered tunnels, but then this changed:…
-
If you really do have two DHCP servers in the same network, correctly serving different IPs to different sets of clients, then I don't know how it's done. Hopefully someone else will chip in.
-
If you can afford a TZ370 then you can afford a firewall that supports VLANs, because the TZ370 supports VLANs. If you've got two networks on the same interface then you can't have DHCP on both because the firewall won't ever know which scope it should be serving the request from, will it? So you can only have static…
-
I am using un-numbered tunnels, so there is no netmask. I cannot see why the netmask would make any difference, unless it overlaps with one of the networks you are trying to communicate with. But then nothing would work, right?
-
This is SDWAN with un-numbered VPN tunnels as members. Helper is on remote site firewalls. DHCP Helper is not on main office firewall.
-
Just for you, I checked the firewall again. No, this is not enabled, so this isn't required. I do remember having to disable/enable the IP Helper service in the past when it didn't work as expected but I think this was a gen6 thing, that was probably fixed by now.
-
Are you getting 0 hits on your rules because they don't match the packets that are arriving? Or are you getting 0 hits because the packets aren't arriving at all? Packet capture, as always, will reveal the truth!
-
But at gateway is an autogenerated IPv6 (starting with "fe80"), expected was the X3 IPv6 address. That's normal. That's the link-local IP of the Sonicwall's interface in that network. Are there any hits on your -> WAN access rules from this zone?
-
Yes, this can work. We have it set up with gen6 and gen7 at remote sites and gen6 at central site. I looked over the configuration and don't see anything obviously "special" that we've done to get this working. I suggest you do a packet capture on the firewalls and see if you can work out how far the responses from the…
-
You used to be able to get Sonicwall to step in and help with this if the account owner was unresponsive, but they won't do that any more.
-
Why "apply NAT policies"? That seems like an obvious candidate for access working in one direction but not the other. Even if site B has a dynamic IP you could still enable management on the WAN interface [restricted to site A's public IP] so you can manage the firewall.

















