NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Bridge 2 Networks with SRX5308 Help
Hello, Here is what I am trying to accomplish.
Building A - 192.168.0.x
Building B - 192.168.1.x
I have a ubiquiti wifi antenna that is connecting both buildings for the SOLE purpose of building B, accessing building A's NAS Drive, 192.168.0.10
I have been told a bunch of how to scenarios, but i cant get it working right as in segmenting each network separate so both DHCP servers do not conflict. I want both networks to remain independant, only a handful of PC's at building B to access the Nas Drive at building A.
(A VPN was not able to accomplish this fast enough, even with Gigabit Internet, SMD doesn't like VPN's).
So i was told on the srx5308 to plug one of the antenna's into one of the Quad WAN Ports, lets say Wan2.. Give it a /29 IP Address. Then do the same on the other building (which has a non-netgear firewall).. but for now lets concentrate on the setup in building B with the Srx5308.
This is what i was told:
- On the SRX5308 plug the bridge into one of the spare WAN ports and assign a small subnet (e.g. 172.16.10.1/29). Page 127 of the manual tells you how to setup static routes.
Problem is, the srx5308 won't let me do this unless i put in a gateway and dns servers on the Wan2 port as far as i can tell. Also do i turn on DHCP on that /29 range or leave it solo and static the IPs in it..
Fwiw, i had this working buy just plugging everything in and using IP ALias's on the windows machines, but the dhcp servers on both ends could obviously not coexist.. I need to keep the network separate but have this one tunnel to get to that nas drive thru the antenna connection (the buildings are approx 900 ft away, the antennas work very very well).
Appreciate any assistance.
I got it working. Thanks to c3po2 for the guided assistance.. In a nutshell here is what i did. My brain was cramping for days with this.
The First Key, was properly setting up the VLAN's on Both Firewalls. In the SRX5308, I created VLAN20 with the IP 172.16.10.1/29 located in Building A. Building B TPLink ER605 I created VLAN20 with the IP 172.16.10.2/29. The SRX5308 VLAN, has Inter-Vlan Routing box enabled. *Note - The Ubiquiti Nano 5ac Antenna is plugged into LAN 3 on the SRX5308.. NOT the Wan port. Shown below are the settings for the VLAN (called CBBridge). As you can see also, i only have Port 3 checked off, where the Antenna is plugged into.
Next the Routing on the SRX5308 shown Below. The cavieat that i didn't figure out til i tried it, was the Gateway. I kept thinking the 172.16.10.1 IP of the Vlan on the SEX5308 was the one to use, i was incorrect. I had to use the 172.16.10.2 gateway, which is the IP of the VLAN on the TP Router in Building 2. Before i figured that out, i was able to ping things using the internal diagnostics of both firewalls, but unable to get the Lan to ping (which the routes fixed).. Here is that config.
This is the routing i setup, which is a single static route for the people at building A to get to building B's Nas drive.
On Building B's side, this is the setup. (TPLink ER605)
This is the static route i created on the TP Link so the Building A network can communicate to the Building B LAN thru what i called "UbiquitiBridge" VLAN.
As you can see, its routing all the 192.168.1.1 traffic thru 172.16.10.1 which is the gateway of the VLAN on the SRX5308 in Building A.
Now, all the machines that have mapped drives to the NAS Share at Building B are operating at full gigabit speed, and I am extremely happy.
Thanks to everyone for the help, and guidance. I hope this can help others who need to do the same thing.
*Note - while i haven't yet gone on site to make sure both DHCP servers are not in any way messing with anything, i created a ALWAYS BLOCK rule on the SRX5308 to Block UDP port 67 from the IP range of the VLAN.*
24 Replies
Sorry trying to remember all of this at once while i work on it.
Both sites have 48 port switches (dumb) and the Ubuquiti antennas are POE Injected directly into the firewalls, they are not on the network switches.
Building A - SRX5308 Firewall 192.168.1.x DHCP
Building B - TP link ER605 Firewall 192.168.0.x DHCP
Building B has NAS Drive at 192.168.0.10
Building A has that mapped as shared drive (That was working when i put the antennas in, but as i said, 2 DHCP Servers on a married layer 2 would go bananas, and i had to break it down before catastrophe).
OK here is the topology.
Building A and Building B Both have their own internet. Verizon Fiber. They are 2 seperate businesses, but owned by one umbrella company.
I want to keep them Both completely seperate, excelt a few handul of PC's (7 or so) that needs direct access to the Nas Drive in building A. No other communication between them both.
The ubiquity antennas i am using are these:
https://www.amazon.com/Wireless-NBE-5AC-GEN2-PRE-CONFIGURED-Ubiquiti-Configured/dp/B0CZ3MKJ1K/ref=sr_1_1?crid=3HQI22QR4PGHE&dib=eyJ2IjoiMSJ9.k00f-7_Ltx2yeSlaSJmdetYt0PcarNwd9XRipnvtwvueoyTLdbgV0dClKMn0VXPFKjAqELcS0no-UGm13Iqq8igp_yesflwe8VMw7zhzKk-q2rsANgiLcqNmWDv7knqfiFP0xHuzfsnI7z0QD8eI71Sr-PzjKL_7pS2z3Pyr7q9bt-iV1BJod5OhOgqMNRSjEUnBYUJ52J8Jx-EuGuH_bGGPT1QbkaPuGRNn0CTl5K8.xQgSw2AjfH7Wlx-3MMFRPDAkMRaquHVU-SdXacw0wfM&dib_tag=se&keywords=ubiquiti+pre+configured&qid=1754602732&sprefix=ubuquiti+pre+configured%2Caps%2C84&sr=8-1
The Nas Drive is a Buffalo Nas Drive, it has to stay on a single IP because of excel spreadsheets that both sides have to use that have hard coded IP's in them for various connected files (I S* u not..) thats the root of all of this.
Thanks, it all makes sense now. Would you please also let us know build B router model?
As you already found, you can't bridge two subnets with its own DHCP servers together.
What you try to achieve seems to be:
- Build A and B are separated except build B is allowed to access NAS at build A
- Build B needs to access NAS directly, not through Verizon Fiber: It is too slow - Because simple port forward is not allowed, must use VPN at least, and SRX VPN throughput is too low.
The Building B Firewall is a TP-Link ER605.
#1 is correct.
#2 - Building A (Netgear SRX5308) needs to access Building B (TP-Link ER605) NAS Drive. I have a VPN setup but even with gigabit fiber at both locations (which are < 1000ft away) It is way too slow.. the VPN Overhead kills the speed of their data, so they need Local Access (Also just to throw it in there, A's Sage software goes bonkers when connected to a VPN).. This is why I came up with the idea of using the Ubiquiti Antennas to "Bridge" the networks in some way shape or form, and supposedly its simple, but i cant get things to communicate anymore. I'm almost back to square 1.
Could you please describe your network topology?
Looks like your build A and B are isolated network without Internet access?
You are trying to keep Building A and B separately but wants both buildings have access to NAS at building A?
You are using "Ubiquiti antennas" as bridge, could you please let us know the model?
Possible solution will depend on how you want to setup your building A and B network.
The simplest solution would be let NAS to get one IP as 1921.68.0.10 for building A and another IP, e.g. 192.168.1.10 for building B through "Ubiquiti antennas" from router B: If NAS has two network interfaces.
If build A and B routers are for internal use only and no need to access Internet, you can use "Ubiquiti antennas" to link WAN ports of two router together, and then create proper port forwarding rules to allow building A and B to access each other.
As you see, we can only offer suggestion if we know your network setup.
Let me break down the setup properly so there is understanding what im doing..
Right now (as of this moment)
Building B - (192.168.1.x) is fully functional in itself. I plugged a 200 ft cable (POE) into LAN port 3 that goes to the Ubiquity
Antenna and set its management port to 172.16.10.2 ...
-In the SRX5308 located at building B i have gone into the LAN Settings and made a VLAN called wifibridge with the settings below.
Now I am unsure if i should have all the ports checked off, or just the one the Antenna is in..
I have also made a static route to building A (192.168.0.x) shown below.
Im assuming the gateway is the IP i set on the SRX5308 for the Vlan? Or is it something different?
I can not ping 172.16.10.1 from any place i try..
In building A, i have setup similar on their TP Link ER605, and i am able to ping 172.16.10.2 which i set as their VLAN where their antenna is plugged into..
Also just want to throw this in there as info.. the Ubiquiti antennas are pre-configured (as i said they are working), they are connected with what looks like private IP's (169.254.116.x) and I am setting management IP's in the 172.16.10.x subnet.
Well right now as im trying to configurfe this /29 space, nothing is talking to ane another anymore. I had them talking originally when i plugged it all in but what it did was bridge the networks together and cause DHCP nightmare... So i had to break it down and start a new.
Right now on the SRX5308, i have one of the ubiquiti antennas plugged into a LAN Port. Lets start there.. Should it be in the LAN or WAN2? If WAN2, so i set the ip as a secondary address because it wont let me set a 172.16.12.0 IP without a gateway or DNS etc.. which i dunno what exactly to put in there.. Also I cant even Ping the 172 address at all... Im very confused.
Since you mentioned that you can establish VPN between building A and B, so the WAN ports of building A and B routers can see each other. Let us assume IP of build A SRX5308 WAN port is 10.1.1.a and 3rd party router at build B WAB port is 10.1.1.b. For site B to access site A NAS, you can create port forwarding on SRX5308, for example, if site B wants to mount NAS share as network drive, then simply port forward 445 to 192.168.0.10 on SRX5308, on site B, PC can then map 10.1.1.a as network drive. Similarly, if site B wants to access NAS through FTP, then create FTP port forwarding on SRX5308. Please create appropriate port forward to NAS based on how site B wants to access NAS. This would also work if build A and B routers have public IP.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
