
I need an expert with practical experience of a Dell

Customer Question

I need an expert with practical experience of a Dell Sonicwall NSA2400 with SonicOS Enhanced or Similar firmware.
Two related issues
1. I have another office who use a sonicwall (same type) in their office to link to our Sonicwall with a point to point VPN policy. (VPN-settings-VPN Policies)
2. I have other individual users in remote locations with individual VPN "local users" who connect. (users-Local users)
Currently both of the above come through the same ethernet cable as the general internet which connects to our "servers" switch.
I need to move the 1&2 to a "client" switch. In other words attach another network cable to port X3, X4 or X5 and connect that to a client switch.
I need help setting up/modifying the settings to do this.
This may take some time and I will probably have to leave the chat occasionally.
Submitted: 1 year ago.
Category: Networking
Expert:  Quiksilver07070 replied 1 year ago.

Hello DM, and thank you for choosing


About your network.....can you provide a simple Network Map?

Showing ALL the network devices....the ports they use, IP addresses, VLANs, server designations (network related such as DHCP), etc.

Do your best to show the PHYSICAL Layout as well. But it's okay if you can only do a logical drawing.


I await your reply

Customer: replied 1 year ago.
Hi, Before I do (this question is going to use a fair bit of your and my time) do you have experience with the NSA2400?
Expert:  Quiksilver07070 replied 1 year ago.

Sure, in fact I used to SELL them. Along with Cisco ASAs, and Meraki MX series.

In order to BE ABLE to sell, I had to go through their training courses and become Technician Assistant, along with the SALES side of it. Specs, and sizing, and cost, and future proofing, and so on and so on.


Adding a Switch to a Network isn't too difficult, of course it depends a bit on the complexity of the network, and where in the network the switch is going in....but overall, a switch is one of those network devices that are Set it....and Forget it.

Customer: replied 1 year ago.
Great. Layout enclosed showing proposed VPN connections.
Expert:  Quiksilver07070 replied 1 year ago.

the new client switch should be connected to the SonicWall Directly, instead of passing through the Server Switch.

Can that be changed?

Daisy chaining creates an additional POF (Point of Failure). But, if you are unable to change it....we can work with it.


So your SSLVPN clients are terminating on the LAN side....correct?

Customer: replied 1 year ago.
Just to be clear I only want the VPN connections to move to X3, X4 or X5. (the general internet still needs to stay in place from firewall to server switch). The client to server connection must stay in place.
The SSLVPN clients terminate on the LAN side.
Expert:  Quiksilver07070 replied 1 year ago.

Okay.....You can leave the connection between Server Switch and Client Switch.....but I urge you to put a connection between Client Switch, and NSA.....Unless I am seeing this already in the diagram in the box labeled Proposed Remote Users (VLAN ID:1)

Is this an actual Networking device? Or are you just showing the location of SSLVPN termination?

Customer: replied 1 year ago.
Proposed Remote Users (Vlan ID:1) is the ethernet cable I need to put in. Connecting the cable is easy, it's the settings on the firewall I need help with to make sure only the VPN connections go over it.
So an external VPN user goes from the internet to the firewall, from the firewall to the client switch and from the client switch to the server switch to connect to a server. (Technically it doesn't make sense to do it this way but trust me, there is a good reason for this)
Expert:  Quiksilver07070 replied 1 year ago.


So you just need to decide which port you're using to connect on the NSA to the new client switch.

From there....remote VPN user traffic is tagged, and sent out that port.

Easier said than done I suppose...EH!

There are a few different ways to do it, sure....doing the simplest and most efficient is the goal.


You could create a new VLAN, and tag the VPN traffic as it comes in, to that VLAN which is assigned the port which connects to the client switch.

Expert:  Quiksilver07070 replied 1 year ago.

Are you doing ANY segregation of the network traffic? You mentioned VLAN ID1.....but that is the default VLAN which every node uses.

If you want to control the Remote User traffic, then you should probably place it on a different VLAN. This makes it a WHOLE lot easier to control when they are on their own VLAN.


The exact routes that you want the client to be able to use when they connect to the NetExtender VPN give you complete control over which machines they can connect directly to. Routes for SSLVPN users can be individually controlled, or group controlled, and this is assigned in the Users>LocalUsers>Add User or Edit User>VPNSettings Tab.


Expert:  Quiksilver07070 replied 1 year ago.

No Firewall changes needed.

Place remote Users on different VLAN...try to group your remote users together BY the network resources they need, which will help keep the setup simple.


But about your Server switch......will it be connected to BOTH the NSA, and the client Switch simultaneously? Or are you disconnecting the link between server switch and NSA once you have the client switch in place?

Customer: replied 1 year ago.
Can't edit VLANs, need a different method.
Server switch is and will remain connected to both the nsa and the client switch simultaneously.
Expert:  Quiksilver07070 replied 1 year ago.

Can't edit VLANs?? What the heck? What gives on that?

That's how I would do it, with VLANs.

But its your know it better than me.

The alternative is to use a subnet.....which would require a router to be the middle man (you only have 1, the NSA) between the server switch and client switch, creating MORE traffic for the NSA to process.

Just create a NEW DHCP Pool for the remote users, on a diff subnet, then you can route that subnet as you wish.

Customer: replied 1 year ago.
Is there no way of just editing the firewall to send the VPN traffic over the X5 interface to the VLAN ID:1 on the client switch?
Expert:  Quiksilver07070 replied 1 year ago.

Okay.....sorry for the delay.

The firewall isn't used for that purpose.

If you must keep the network FLAT, then you should use the NETWORK ACCESS RULES.

You can Allow or Deny by IP address, or User, or Network Service.

Customer: replied 1 year ago.
Expert:  Quiksilver07070 replied 1 year ago.

Here's the link to the instructions

The path is: Access>Rules>Add New Rule

Customer: replied 1 year ago.
Have you got a web page for the firmware I'm using as that's different?
Expert:  Quiksilver07070 replied 1 year ago.

Okay, I finally found it.

You need to use the SSL VPN Client Routes to restrict access to the SSL VPN remote users.

The link shows the topic in FULL detail, and is for version 5.8.

Let me know what you think.

Customer: replied 1 year ago.
We are not using SSLVPN. We are using the "VPN" and the "Users-Local Users" tabs on the left hand side.
Expert:  Quiksilver07070 replied 1 year ago.

Ok, then...Remote users must be explicitly granted access to network resources on the Users > Local Users or Users > Local Groups pages. When configuring local users or local groups, the VPN Access tab affects the ability of remote clients using GVC connecting to GroupVPN; it also affects remote users using NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. This is new behavior in SonicOS 5.6 and above. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the “allow” list on the VPN Access tab.

Expert:  Quiksilver07070 replied 1 year ago.

Editing the LOCAL USERS (you can edit local users from the Users > Local Users screen) that are assigned to your IPSec VPN Users, under the VPN Access Tab (the VPN Access tab affects the ability of remote clients using GVC, NetExtender, and Virtual Office bookmarks to access network resources), you can select the INTERFACE you want to allow the VPN users to use.

That's the simplest I can make it.

Expert:  Quiksilver07070 replied 1 year ago.

See image for VPN Access showing the interface as selection

Expert:  Quiksilver07070 replied 1 year ago.

Please kindly take a moment to reflect my effort put forth and performance, and RATE me by selecting the STARS (or SMILE FACES), so I can be compensated.

Thank you, ***** ***** a Great Night!