
Multiple subnets on a single WAN interface and outgoing NAT

I have 2 public subnets on a WAN interface, say 1.1.1.0/29 and 2.2.2.0/29.

I configured the first one as the primary address 1.1.1.2/29 and gateway 1.1.1.1.

I configured an alias on the port with address 2.2.2.2/29.

In a firewall rule, LAN to WAN, I want to use the 2.2.2.2 address. The problem is that I actually only have one WAN gateway for the port. In the firewall rule UI, if I try to configure a new 'Gateway Host' to set the primary gateway as '2.2.2.1', I get the following error: "Interface IP and gateway IP address must be in the same network".

The problem is that in the port list I only have the port with '1.1.1.2' address, I cannot select the alias port (Portname:0).

Is there a workaround?

  • I tried this config first because it was configured like that on the previous (replaced) device (Zyxel Zywall) and it worked great.

    Here is the result of my tests:

    - You can put an alias address in a different subnet/mask

    - When doing that, you can access the device from outside on this address

    - You can use a translation with an IP in the alias subnet to send packets out

    BUT if you do that, the primary address will stop working: the ping test on the gateway will mark it down and make the gateway unusable.

    So, since I am on a virtual appliance and also the ISP, I configured a second test:

    - I put the 2 subnets on different interfaces in the same VLAN

    BUT if you do that and make a translation on the wrong interface, then due to load balancing you can have a packet going out with the wrong IP address on the wrong interface, and you end up in the same situation as in the first test.

    So, the only solution for me was to put the 2 subnets on different interfaces in 2 different VLANs.

    I admit that this is a special case.

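The three configurations described in the reply can be expressed as a small configuration lint. This is an added example, not Sophos code or the poster's own setup: the `Interface` and `SnatRule` classes, the port names and the VLAN ids are hypothetical, and the checks encode the observations in the thread (gateway must be in the interface's primary network, a translated source address must belong to a network on its egress interface, and two subnets on one VLAN can egress via the wrong interface).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    vlan: int
    primary: str            # interface address with mask, e.g. "1.1.1.2/29"
    gateway: str            # gateway host for this interface, e.g. "1.1.1.1"
    aliases: tuple = ()     # additional addresses with mask on the same port

    def networks(self):
        return [ipaddress.ip_interface(a).network for a in (self.primary, *self.aliases)]

@dataclass
class SnatRule:
    egress: str             # name of the interface the packet leaves on
    translated_ip: str      # source address written into outgoing packets

def check_config(interfaces, rules):
    """Return a list of findings; an empty list means no pitfall from the thread was hit."""
    findings, vlan_owner = [], {}
    by_name = {i.name: i for i in interfaces}
    for i in interfaces:
        primary_net = ipaddress.ip_interface(i.primary).network
        # The UI error quoted in the question: gateway must sit in the primary network.
        if ipaddress.ip_address(i.gateway) not in primary_net:
            findings.append(f"{i.name}: gateway {i.gateway} not in {primary_net}")
        # Reply, test 1: an alias in a foreign subnet made the primary address stop working.
        for a in i.aliases:
            if ipaddress.ip_interface(a).network != primary_net:
                findings.append(f"{i.name}: alias {a} is outside {primary_net}")
        # Reply, test 2: two interfaces on one VLAN may send a packet out the wrong one.
        if i.vlan in vlan_owner:
            findings.append(f"{i.name} and {vlan_owner[i.vlan]} share VLAN {i.vlan}")
        vlan_owner.setdefault(i.vlan, i.name)
    for r in rules:
        # A translated source must belong to a network configured on its egress interface.
        if not any(ipaddress.ip_address(r.translated_ip) in n for n in by_name[r.egress].networks()):
            findings.append(f"SNAT to {r.translated_ip} via {r.egress}: address not on that interface")
    return findings

# Constructed scenarios mirroring the reply's tests (addresses from the question, hypothetical port names).
TEST1 = ([Interface("Port2", 10, "1.1.1.2/29", "1.1.1.1", ("2.2.2.2/29",))], [SnatRule("Port2", "2.2.2.2")])
TEST2 = ([Interface("Port2", 10, "1.1.1.2/29", "1.1.1.1"), Interface("Port3", 10, "2.2.2.2/29", "2.2.2.1")],
         [SnatRule("Port2", "2.2.2.2")])
FINAL = ([Interface("Port2", 10, "1.1.1.2/29", "1.1.1.1"), Interface("Port3", 20, "2.2.2.2/29", "2.2.2.1")],
         [SnatRule("Port3", "2.2.2.2")])
```

`check_config(*FINAL)` returns no findings, matching the configuration the reply settled on, while the first two scenarios each report the pitfall the reply observed.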