Forum Discussion
_Mac
Aug 09, 2012 · Tutor
SRX5308: How config multiple static IPno's?
We're upgrading our firewall from Cisco RV042 to NETGEAR's SRX5308, and we need to set up the LAN4/DMZ port to handle a RANGE of static IP numbers: xxx.xxx.xxx.10 -> xxx.xxx.xxx.20. We just want...
ecase1
Oct 24, 2012 · Novice
I think I can partially answer the OP's question, but only partially :)
I need someone like jmizoguchi to come back and clarify my info, and I also have some related questions to this issue.
Let's say we have 5 WAN static IPs from an ISP (These are just example IPs):
173.115.225.201
173.115.225.202
173.115.225.203
173.115.225.204
173.115.225.205
The ISP issued gateway/modem has a WAN static IP of:
173.115.225.206
All six IPs have the following subnet mask per ISP:
255.255.255.248
The ISP issued gateway/modem has 4 LAN ports. The SRX5308 has 4 WAN ports.
QUESTION:
Is it a good idea or bad idea to connect the gateway's 4 LAN ports to the SRX5308's 4 WAN ports?
Let's say that we went ahead and connected the gateway's 4 LAN ports to the SRX5308's 4 WAN ports.
Someone please come back and tell me if this is incorrect. (One reason that I can think of why this MAY be wrong is possibly because the SRX5308 is designed to have 4 different ISP service connections, not 1 ISP connection using all 4 WAN ports - again, I'm not sure about this...)
In the SRX5308 WAN settings, we make the following IP assignments:
WAN1 = 173.115.225.201
WAN2 = 173.115.225.202
WAN3 = 173.115.225.203
WAN4 = 173.115.225.204
***This still leaves us with one IP unassigned (173.115.225.205) but we'll come back to that at the end.
The initial SRX5308 WAN settings are now all set up (or at least 4/5).
We need to set up the LAN settings now. Let's say our LAN environment consists of 5 major types of devices:
1) Personal Computers
2) Linux VoIP Servers
3) Windows Servers (running core network services such as AD CA, AD DS, DNS, WINS, etc.)
4) Web servers (mix of Linux and Windows)
5) WiFi devices (connected via separate WiFi router, operating only as an Access Point)
We create the following VLAN Profiles in the SRX5308 LAN Settings (not changing the default profile):
Profile Name   VLAN ID   Subnet IP     DHCP Status   Assigned VLAN Port
PCs            11        10.1.11.100   Enabled       Port1
VoIP           22        10.2.22.100   Enabled       Port2
WINSERVERS     33        10.3.33.100   Enabled       Port3
WEBSERVERS     44        10.4.44.100   Enabled       Port4
WiFi           55        10.5.55.100   Enabled       Port???
As you can see, we didn't assign a default VLAN port to the WiFi profile.
->The reason is because I don't know how... I need help with this part! :) <-
Let's say the SRX5308's four VLAN ports each connect to an unmanaged switch, such as the NetGear GS116 (16 ports). To clarify, we have four separate unmanaged switches, each one connected to its own VLAN port on the SRX5308.
At this stage, the basic/initial WAN and LAN settings are configured.
This next stage is where I partially answer the OP's question.
Setting up a LAN machine to send AND receive traffic on a WAN static IP (via the SRX5308) is done through two separate steps, Part 1 Sending and Part 2 Receiving.
SENDING
On the SRX5308 GUI go to -> Network Configuration -> Protocol Binding.
On this page you can set outbound traffic by service/port, source, and destination to any of the FOUR WAN IPs configured on the SRX5308.
For example, if we want ALL of our SIP (part of VoIP) traffic to go out on WAN2, regardless of source or destination:
Select Add -> Change Service from ANY to SIP:UDP -> Change Local Gateway to WAN2 -> Do not change Source Network from ANY -> Do not change Destination Network from ANY -> Select Apply.
We now have all of our LAN SIP traffic hitting the outside WAN world with the IP address of WAN2 = 173.115.225.202. Okay, I know that was an easy one. Let's try something more challenging, such as setting HTTPS traffic from VLAN profile PCs to a designated hosting vendor, such as Google Apps for Business, to go out over WAN4:
Select Add -> Change Service from ANY to HTTPS -> Change Local Gateway to WAN4 -> Change Source Network from ANY to PCs -> Change Destination Network from ANY to (EITHER) a pre-designated Service Group OR select Address Range and then enter the address range that Google set your domain up with, which you can obtain via your domain registrar's DNS manager site -> Select Apply.
I told you that it would be more challenging :)
BTW, to set up a pre-designated Service Group, available with firmware 3.0.8-12 and later, go to -> Security -> Services -> Service Group.
Google Apps designate multiple IP addresses in the DNS A records when you sign up with them. They MAY BE dynamically assigned, but I have a few domains with Google Apps, and they all have their DNS A records showing the same IP addresses for almost three years (checked today).
Okay, so we covered SENDING. Now on to RECEIVING:
Go to -> Security -> LAN WAN Rules, and review the Inbound Services section. Click Add to add a new rule.
This is where we can set inbound traffic that is directed to a specific WAN (or all WANs) to our choice of LAN machine (or machines).
On the Add LAN WAN Inbound Service page, we can control traffic by Service/Port, Action to take such as Block Always or Allow Always, Send to LAN Server, by WAN Destination IP Address, and by WAN Users (source IP). We can also assign a QoS Profile, Bandwidth Profile, and whether or not to log the action.
That's the basics of setting the IP address for sending and receiving, at least for FOUR WANs and FOUR VLANs.
I still haven't figured out how to use a fifth static IP on the WAN side, or how to connect more than FOUR VLANs at a time. Can someone please follow up with an answer to these two issues for me???
Hope this helps!
Ethan
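The address plan in the post above can be checked before anything is typed into the WAN settings. This is an added example, not part of the original post and not NETGEAR tooling; `audit_wan_plan` is a hypothetical helper, and the addresses are the example IPs from the post.

```python
import ipaddress

# Values from the post (the author states these are example IPs).
MASK = "255.255.255.248"
ISP_GATEWAY = "173.115.225.206"
ISP_STATICS = [f"173.115.225.{h}" for h in range(201, 206)]
WAN_PORTS = {
    "WAN1": "173.115.225.201",
    "WAN2": "173.115.225.202",
    "WAN3": "173.115.225.203",
    "WAN4": "173.115.225.204",
}


def audit_wan_plan(mask, gateway, statics, wan_ports):
    """Check WAN port assignments against the ISP subnet (hypothetical helper)."""
    # Derive the subnet from the gateway address and the dotted mask.
    net = ipaddress.ip_interface(f"{gateway}/{mask}").network
    usable = set(net.hosts())  # excludes network and broadcast addresses
    gw = ipaddress.ip_address(gateway)
    issued = {ipaddress.ip_address(a) for a in statics}
    assigned, problems = {}, []
    for port, addr in wan_ports.items():
        ip = ipaddress.ip_address(addr)
        if ip not in usable:
            problems.append(f"{port}: {ip} is not a usable host in {net}")
        elif ip == gw:
            problems.append(f"{port}: {ip} collides with the ISP gateway")
        elif ip not in issued:
            problems.append(f"{port}: {ip} was not issued by the ISP")
        if ip in assigned:
            problems.append(f"{port}: {ip} already used by {assigned[ip]}")
        assigned.setdefault(ip, port)
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(usable),
        # Issued statics that no WAN port carries yet.
        "unassigned_statics": [str(a) for a in sorted(issued - set(assigned))],
        # Usable hosts that are neither issued statics nor the gateway.
        "spare_hosts": [str(a) for a in sorted(usable - issued - {gw})],
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in audit_wan_plan(MASK, ISP_GATEWAY, ISP_STATICS, WAN_PORTS).items():
        print(f"{key}: {value}")
```

With the post's values, the mask yields a /29 with six usable hosts, all taken by the five statics plus the gateway, and 173.115.225.205 is the only static not bound to a WAN port.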