
I have a SonicWall running firmware 6.5.4.4-44n and have a standard VPN (not SSL-VPN) setup which I'm connecting to via the Global VPN Client for Windows. The WAN Group VPN is set up to be a "Split Tunnel" and I have both "Set Default Gateway as this Gateway" and "Apply VPN Control List" NOT checked (checking either doesn't seem to make a difference in the behavior).

What I would like to accomplish is users connected to the VPN can access the "X0 Subnet" (which is an Object defined as 10.0.0.0/255.255.255.0) through the VPN and the rest of the internet via their own external connection (NOT route internet traffic through the VPN).

What I've found is that my users can either:

  1. Access the internet, but not the LAN, if I set the user "VPN Access" to be "X0 Subnet" and nothing else
  2. Access the LAN, but not the internet, if I set the user "VPN Access" to "WAN RemoteAccess Networks" (which is defined as 0.0.0.0/0.0.0.0)

Perhaps I'm missing what "VPN Access" means, but this seems like the opposite behavior from what I would expect (giving "X0 Subnet" access results in the user not being able to access the "X0 Subnet"). I've been trying different configurations and following various internet posts for the past 2 days without making any progress. Does anyone have an idea of what is going on here?

With "LAN Networks" in the access list, here is my client route map. My non-VPN client network is 10.0.2.0/24. The remote network I'm trying to access is 10.0.0.0/24, which is in the "LAN Subnets" list.

```
route print
===========================================================================
Interface List
  7...00 60 73 0e 22 ad ......SonicWALL Virtual NIC
  5...08 00 27 be f3 85 ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15     25
         10.0.0.0    255.255.255.0         On-link        10.0.0.213    257
       10.0.0.213  255.255.255.255         On-link        10.0.0.213    257
       10.0.0.255  255.255.255.255         On-link        10.0.0.213    257
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
        10.0.2.15  255.255.255.255         On-link         10.0.2.15    281
       10.0.2.255  255.255.255.255         On-link         10.0.2.15    281
     33.33.171.50  255.255.255.255         10.0.2.2        10.0.2.15     25
     33.33.171.50  255.255.255.255         On-link        10.0.0.213      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.0.2.15    281
        224.0.0.0        240.0.0.0         On-link        10.0.0.213    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.0.2.15    281
  255.255.255.255  255.255.255.255         On-link        10.0.0.213    257
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  5    281 fe80::/64                On-link
  7    281 fe80::/64                On-link
  7    281 fe80::6520:9f25:dd7:33ee/128
                                    On-link
  5    281 fe80::bd8b:6045:f79a:1ff9/128
                                    On-link
  1    331 ff00::/8                 On-link
  5    281 ff00::/8                 On-link
  7    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```

Thanks in advance

John P

3 Answers


In my situation I am using SSL VPN in Full Tunnel (Tunnel All) mode, and it turns out, which I confirmed by contacting SonicWall, that the metric of my split tunnel GVPN client was set to 2, and you really cannot operate GVPN split with SSL full... so I just put GVPN in Full Tunnel mode and problem solved. We also tested it with a local user account that was not part of the LDAP / SSLVPN group, but it was the same situation. I plan to report it to SonicWall's community as a feature request.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/517764) – djdomi Apr 12 '22 at 15:22

When you use a Split Tunnel, you need to define which routes go through the VPN. So when adding the "WAN RemoteAccess Networks", you are kind of mocking the VPN into becoming a full tunnel. I guess there is a route missing in the client when you only have "X0 Subnet". Try to connect to the VPN and check the routes created (route print) from the command line. As an alternative, you can try to add "LAN Subnets" instead of "X0 Subnet". For troubleshooting, review your Access Rules and Routing Table. Packet Monitor is also a nice tool to see the network packets.

https://www.sonicwall.com/support/technical-documentation/sonicos-6-5-investigate.pdf

Enjoy :)

  • If I just add "LAN Subnets" to the user Access list, I can reach the internet from the client, but not any actual LAN Subnets. I've added the route map to my question – John P Oct 10 '19 at 14:55
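To see what the client's `route print` in the question actually decides, here is an added example (not from the question or any answer) that parses the IPv4 rows of the asker's route table, selects a route the way Windows does (longest prefix, then lowest metric), and reports whether the SonicWALL Virtual NIC (10.0.0.213 in that output) carries a split-tunnel or a full-tunnel route. The extra default-route line is constructed here only to show what the full-tunnel case looks like.

```python
import ipaddress

# Constructed sample: the relevant IPv4 "Active Routes" rows copied from the
# asker's route print (destination, netmask, gateway, interface, metric).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0         10.0.2.2        10.0.2.15     25
         10.0.0.0    255.255.255.0         On-link        10.0.0.213    257
       10.0.0.213  255.255.255.255         On-link        10.0.0.213    257
         10.0.2.0    255.255.255.0         On-link         10.0.2.15    281
     33.33.171.50  255.255.255.255         10.0.2.2        10.0.2.15     25
     33.33.171.50  255.255.255.255         On-link        10.0.0.213      2
"""

# Constructed line, NOT in the asker's output: what a "Tunnel All" client
# would additionally show (a default route on the VPN NIC with a low metric).
FULL_TUNNEL_EXTRA = "          0.0.0.0          0.0.0.0         On-link        10.0.0.213      1\n"

VPN_IF = "10.0.0.213"  # interface address of the SonicWALL Virtual NIC


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip headers, separators and blank lines
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Interface a packet to dst leaves on: longest prefix wins, then lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]


def tunnel_mode(routes, vpn_if=VPN_IF):
    """'full' if the VPN NIC owns a 0.0.0.0/0 route, 'split' if only specific subnets, else 'none'."""
    vpn_routes = [r for r in routes if r[2] == vpn_if]
    if not vpn_routes:
        return "none"
    return "full" if any(r[0].prefixlen == 0 for r in vpn_routes) else "split"
```

On the asker's table this reports `split`, with 10.0.0.25 leaving via the VPN NIC and an internet address via 10.0.2.15, which is the routing the asker wants; a client that fails to reach the LAN despite such a route points at the firewall's access rules rather than the client routes.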

You did the right thing by using the allow X0 Subnet in the Access List for the VPN's config, but SonicWall forces you to make a Firewall Rule too, to allow only the service you want to allow. It's under the Firewall section; select VPN > X0 Interface name.

Like below, it's a wide-open rule, but you could restrict it to only the service you want. I assume your X0 is your LAN, but it's just to give an example.

[screenshots of the VPN > X0 access rule, not included in the text]

yagmoth555
  • That got me closer - thank you. Now what I'm seeing is that as soon as I establish the VPN connection, I can reach the LAN ... for about 15 seconds, then it starts blocking me. If I have a "ping -t 10.0.0.25" running, for example, I see everything time out. Then when I connect the Global VPN I'll get 4 successful pings, then it starts timing out again – John P Oct 10 '19 at 23:36