

T-Support
Aspirant
Oct 26, 2015
Solved

SRX5308 Multi-homing working strangely

Hello,

I have an SRX5308 configured to be the gateway for our local network. DHCP is disabled on the Netgear firewall, and is taken care of by a Windows Server 2012 R2 domain controller instead.

Recently, we've run into an issue where we are running out of IP addresses. I decided to solve this problem by creating a Superscope on the local DHCP server.

Scope 1 (original): 10.1.50.x
Subnet: 255.255.255.0
Gateway (SRX5308): 10.1.50.254

Scope 2 (new scope): 10.1.60.x
Subnet: 255.255.255.0
Gateway (SRX5308): 10.1.60.254 (added as a secondary IP via LAN Multi-homing)

Scope 3 (remote scope in a remote location, connected via IPSec VPN): 10.1.51.x
Subnet: 255.255.255.0
Gateway (FVS336GV2): 10.1.51.254

If I am leased out an IP address on the original scope of 10.1.50.x, I have no issues. I can connect to the internet, and I can reach any server (including remote servers over the IPSec VPN).

If I am leased out an IP address on the new secondary scope of 10.1.60.x, I have random issues. Although I can connect to the internet, and I can reach SOME of the servers on the 10.1.50.x scope... I can't reach all of them. For example, I cannot reach 10.1.50.20 (an ESXi host), but I can reach 10.1.50.5 (the DHCP domain controller). I can ping both gateways (10.1.50.254 and 10.1.60.254), but I cannot ping or reach any of the servers in the remote location (10.1.51.x). One user reported to me that he could not connect to one of his client sites via VPN if he was on the 10.1.60.x scope.

What's going on here? There are no firewall rules on either side to only allow a specific scope to reach specific servers.


10 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi T-Support,

    Welcome to the community! :smileyhappy:

    Would you kindly consider redesigning your existing network? If yes, then I would recommend using VLANs instead of Multi-homing. This is because routing between VLANs can be enabled. Then, on the IPSec VPN setup, it will be necessary to add a VPN policy for the extra subnet as per this link

    Regards,

    DaneA

    NETGEAR Community Team

    • T-Support
      Aspirant

      Hello Dane,

      Thanks for your reply. What do you mean by "redesigning my existing network?"

      Edit: if I were to redesign it by your suggestion, how would it be configured?

    • T-Support
      Aspirant

      Update: I followed your tutorial link on VPN policies, and now the VPN works over the second subnet. I did not realize I had to create the policy on both ends, duh! Thanks for that.
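As an added illustration of the fix described in the update above (this is not code from NETGEAR or from anyone in the thread): a small check that every LAN scope behind the SRX5308 has a matching IPsec policy on both gateways. The subnets are the ones from the post; the "before" and "after" policy tables are constructed sample data, and the tuple layout of a policy is an assumption for the example.

```python
"""Check that a site-to-site IPsec setup has a VPN policy on BOTH ends for
every HQ scope <-> remote scope pair. Added example, not NETGEAR code."""
from ipaddress import ip_network

# Subnets from the thread: two multi-homed LAN scopes behind the SRX5308,
# one remote scope behind the FVS336Gv2 across the IPsec tunnel.
HQ_SUBNETS = [ip_network("10.1.50.0/24"), ip_network("10.1.60.0/24")]
REMOTE_SUBNETS = [ip_network("10.1.51.0/24")]


def covered(local, remote, policies):
    """True if some (local_selector, remote_selector) policy contains both nets."""
    return any(local.subnet_of(ip_network(l)) and remote.subnet_of(ip_network(r))
               for l, r in policies)


def missing_policies(hq_policies, remote_policies):
    """Return (hq_subnet, remote_subnet, gateway) for each pair lacking a policy.

    hq_policies: (local, remote) selectors as configured on the SRX5308.
    remote_policies: (local, remote) selectors as configured on the FVS336Gv2,
    i.e. from the remote site's point of view (its local side is 10.1.51.0/24).
    """
    gaps = []
    for hq in HQ_SUBNETS:
        for rem in REMOTE_SUBNETS:
            if not covered(hq, rem, hq_policies):
                gaps.append((str(hq), str(rem), "SRX5308"))
            if not covered(rem, hq, remote_policies):
                gaps.append((str(hq), str(rem), "FVS336Gv2"))
    return gaps


# Constructed 'before' state: only the original scope is in the tunnel, which
# matches the symptom in the post (10.1.60.x hosts cannot reach 10.1.51.x).
BEFORE_HQ = [("10.1.50.0/24", "10.1.51.0/24")]
BEFORE_REMOTE = [("10.1.51.0/24", "10.1.50.0/24")]
# Constructed 'after' state: the extra subnet's policy added on both gateways.
AFTER_HQ = BEFORE_HQ + [("10.1.60.0/24", "10.1.51.0/24")]
AFTER_REMOTE = BEFORE_REMOTE + [("10.1.51.0/24", "10.1.60.0/24")]

if __name__ == "__main__":
    for name, hq, rem in (("before", BEFORE_HQ, BEFORE_REMOTE),
                          ("half-fixed", AFTER_HQ, BEFORE_REMOTE),
                          ("after", AFTER_HQ, AFTER_REMOTE)):
        print(name, missing_policies(hq, rem) or "all pairs covered")
```

The "half-fixed" case is the state the update describes, where the policy exists on one gateway only and traffic for the new subnet still has no selector on the far end.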

      • DaneA
        NETGEAR Employee Retired

        Hi T-Support,

        I am glad that the VPN works over the 2nd subnet. :smileyhappy: Welcome!

        Cheers,

        DaneA

        NETGEAR Community Team
