SonicWall VLANs


Setting the VLAN of a given interface on a SonicWall is a bit different than other firewalls. In this article, I will explain how to do so, specifically on the WAN interface.


We have a Cisco 2960 as the core switch at our office, with a /27 subnet. The SonicWall is in one of the offices that only has one drop, so to split it between my computer, and the SonicWall for a VoIP lab I'm setting up, I used a dumb switch to split the drop, and set that port on the 2960 to mode trunk. I also set the native vlan to 7, our office vlan, so my computer is on the appropriate vlan. The SonicWall however, since I want it to have a public IP on its WAN interface, needs to be on vlan 200.


You'll notice that on a SonicWall, there is no vlan settings under Network->Interfaces->WAN.

  1. Add a new virtual interface under "Add Interface:"
  2. Select a zone (in my case, WAN)
  3. Set everything from the VLAN, to the Static IP information
    *By the way, you can leave the default WAN (usually X1) with the default settings (i.e., etc.)
    *This should also create a dynamic NAT (many-to-one) NAT Policies (for LAN devices to access the internet)
  4. Go to Network->Routing
  5. Add a new Route Policy and set the following
    1. Source: Any
    2. Destination: Any
    3. Service: Any
    4. Gateway: X1:V200 Default Gateway (due to my virtual interface being off of X1/WAN and on vlan 200)
    5. Interface: X1:V200 (the name of my virtual interface)
    6. Metric: 200
      *This is to make it a lower metric (higher priority) so that devices on the LAN going to the internet use the virtual interface now, instead of the default: X1
  6. As mentioned, a NAT Policy should already exist for the virtual interface under Network->NAT Policies, but if not, make one, simply mimic the default X1 that looks like this:
    *top one is the X1 default, the bottom is my virtual interface's one (but again, this was already created automatically)

    Source Original Source Translated Dest. Orig. Dest. Trans. Serv. Orig. Serv. Trans. Int. Inb. Int. Out
    All Interface IP WAN Primary IP Any Original Any Original Any X1
    Any X1:V200 IP Any Original Any Original X0 X1:V200
  7. Under Firewall->Access Rules, Select Matric for the View Style, then select FROM LAN TO WAN
  8. Add a new Access Rule exactly like the existing default one for WAN, but replace "To: WAN" with "To: X1:V200" on the new Access Rule

You should now be able to access the internet via the virtual interface you created, which was required to tag it with the desired VLAN of 200.

Was this answer helpful?

 Print this Article