Hello community! Hoping I can get some guidance here. We've got two buildings that are currently connected via a wireless bridge and two MX84s. Each wireless bridge is connected to Port 4 on the MX84s. Each MX has VLAN2 assigned to Port 4 (with all VLANs allowed) and a static route to force traffic for each building's subnet out of Port 4. There is also a static route on building 2's MX84 that directs VPN client traffic back to building 1's MX84.


Now, we were hoping to configure a WAN VPN tunnel between the two buildings as well. In that scenario the wireless bridge would be the primary connection and if it goes down we're hoping the connection would fall back to the WAN VPN tunnel. When attempting to bring building 2 up as a Spoke in a Site-to-Site VPN configuration with building 1 we receive an error stating the configuration could not be saved due to overlapping and conflicting subnets but if we set all of the subnets not to Use VPN on building 2's MX84 wouldn't that mean that in a failover situation the WAN VPN tunnel would come up but no traffic would pass between the buildings?


We're happy to call support but thought maybe we'd try the community first. Thanks for any advice!

I like this question 🙂


You can do a trick by breaking down the subnet of the destination MXs into more specific subnets, like to be, and in this case the error will be just a warning and you will be able to save it and then have it preferred over the VPN traffic, because the order of operation on the MX will take static route over VPN route.


You want to use this configuration (based on tracked routes):



Hint 1: Change your current static routes to only be active while the next hop responds to ping for the WiFi bridge link. Your static routes will then be used in preference and will fail over to VPN if the next hop stops responding.

Hint 2: Make sure you are using AutoVPN (so at least one end needs to be a hub).
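To make the route-selection behaviour behind these two hints concrete, here is a small simulation I added (not code from the poster or from Meraki): a tracked static route over the bridge and an AutoVPN route to the same remote subnet, with the static route withdrawn when its tracked next hop stops answering. All addresses are constructed.

```python
import ipaddress

# Constructed model of the failover design discussed in the thread:
# a tracked static route over the wireless bridge (preferred while its
# next hop answers ping) and an AutoVPN route to the same remote subnet.

def select_route(dest_ip, routes, reachable):
    """Pick the route used for dest_ip.

    routes: dicts with 'prefix', 'kind' ('static' or 'vpn'), 'via', and,
            for tracked static routes, 'track' (next hop that must be up).
    reachable: set of next-hop IPs that currently respond to ping.
    Rule as stated in the thread: a static route whose tracked next hop is
    up wins over a VPN route; if it is down, traffic falls back to VPN.
    Longest prefix still wins first, which is why splitting the remote
    subnet into more specific static routes also takes precedence.
    """
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        if ip not in net:
            continue
        if r["kind"] == "static" and r.get("track") and r["track"] not in reachable:
            continue  # tracked next hop is down: route is withdrawn
        candidates.append((net.prefixlen, 0 if r["kind"] == "static" else 1, r))
    if not candidates:
        return None
    # Longest prefix first, then static before VPN.
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates[0][2]

# Building 1's view: building 2's LAN is 10.2.0.0/16, bridge next hop 10.0.2.1
# (all constructed values).
ROUTES = [
    {"prefix": "10.2.0.0/16", "kind": "static", "via": "10.0.2.1", "track": "10.0.2.1"},
    {"prefix": "10.2.0.0/16", "kind": "vpn", "via": "autovpn"},
]

if __name__ == "__main__":
    print(select_route("10.2.5.7", ROUTES, {"10.0.2.1"})["via"])  # 10.0.2.1 (bridge up)
    print(select_route("10.2.5.7", ROUTES, set())["via"])         # autovpn (bridge down)
```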

