T-Support (Aspirant)
Oct 26, 2015
SRX5308 Multi-homing working strangely
Hello,
I have an SRX5308 configured to be the gateway for our local network. DHCP is disabled on the Netgear firewall, and is taken care of by a Windows Server 2012 R2 domain controller instead.
Recently, we've run into an issue where we are running out of IP addresses. I decided to solve this problem by creating a Superscope on the local DHCP server.
Scope 1 (original): 10.1.50.x
Subnet: 255.255.255.0
Gateway (SRX5308): 10.1.50.254
Scope 2 (new scope): 10.1.60.x
Subnet: 255.255.255.0
Gateway (SRX5308): 10.1.60.254 (added as a secondary IP via LAN Multi-homing)
Scope 3 (remote scope in a remote location, connected via IPSec VPN): 10.1.51.x
Subnet: 255.255.255.0
Gateway (FVS336GV2): 10.1.51.254
If I am leased out an IP address on the original scope of 10.1.50.x, I have no issues. I can connect to the internet, and I can reach any server (including remote servers over the IPSec VPN).
If I am leased out an IP address on the new secondary scope of 10.1.60.x, I have random issues. Although I can connect to the internet, and I can reach SOME of the servers on the 10.1.50.x scope... I can't reach all of them. For example, I cannot reach 10.1.50.20 (an ESXi host), but I can reach 10.1.50.5 (the DHCP domain controller). I can ping both gateways (10.1.50.254 and 10.1.60.254), but I cannot ping or reach any of the servers in the remote location (10.1.51.x). One user reported to me that he could not connect to one of his client sites via VPN if he was on the 10.1.60.x scope.
What's going on here? There are no firewall rules on either side to only allow a specific scope to reach specific servers.
10 Replies
- DaneA (NETGEAR Employee Retired)
Hi T-Support,
Welcome to the community!
Would you kindly consider redesigning your existing network? If yes, then I would recommend using VLANs instead of Multi-homing. It is because enabling routing between VLANs is possible. Then, on the IPSec VPN setup, it will be necessary to add a VPN policy for the extra subnet as per this link.
Regards,
DaneA
NETGEAR Community Team
- T-Support (Aspirant)
Hello Dane,
Thanks for your reply. What do you mean by "redesigning my existing network?"
Edit: if I were to redesign it by your suggestion, how would it be configured?
- T-Support (Aspirant)
Update: I followed your tutorial link on VPN policies, and now the VPN works over the second subnet. I did not realize I had to create the policy on both ends, duh! Thanks for that.
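The VPN part of this thread, as an added example that is not part of the original posts or NETGEAR's code: a simplified model of IPsec policies as (local subnet, remote subnet) traffic selectors, showing why a new LAN subnet needs a matching policy on both gateways. The host addresses 10.1.60.30, 10.1.50.30 and 10.1.51.10 and the policy tables are constructed for illustration.

```python
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed policy tables: each entry is (local subnet, remote subnet).
# Gateway names and subnets are taken from the thread; the tables are assumed.
SRX5308_BEFORE = [(net("10.1.50.0/24"), net("10.1.51.0/24"))]
FVS336_BEFORE = [(net("10.1.51.0/24"), net("10.1.50.0/24"))]

# After adding a policy for the multi-homed subnet on each end.
SRX5308_AFTER = SRX5308_BEFORE + [(net("10.1.60.0/24"), net("10.1.51.0/24"))]
FVS336_AFTER = FVS336_BEFORE + [(net("10.1.51.0/24"), net("10.1.60.0/24"))]


def matches(policies, src, dst):
    """True if a policy on this gateway covers src (local side) -> dst (remote side)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in policies)


def tunnel_status(near, far, src, dst):
    """Check both ends: the far gateway must hold the mirrored selector."""
    near_ok = matches(near, src, dst)
    far_ok = matches(far, dst, src)  # the peer sees the pair reversed
    if near_ok and far_ok:
        return "ok"
    if not near_ok and not far_ok:
        return "missing on both gateways"
    return "missing on near gateway" if not near_ok else "missing on far gateway"


if __name__ == "__main__":
    cases = [
        ("original subnet", SRX5308_BEFORE, FVS336_BEFORE, "10.1.50.30"),
        ("new subnet, no policy", SRX5308_BEFORE, FVS336_BEFORE, "10.1.60.30"),
        ("new subnet, one end only", SRX5308_AFTER, FVS336_BEFORE, "10.1.60.30"),
        ("new subnet, both ends", SRX5308_AFTER, FVS336_AFTER, "10.1.60.30"),
    ]
    for label, near, far, src in cases:
        print(f"{label}: {tunnel_status(near, far, src, '10.1.51.10')}")
```

The same check run against an export of the real policy tables gives a quick audit whenever a subnet is added to either site.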