
Additional IP's

We have a block of 16 IPv4 addresses which we have as additional IPs on the primary interface. We're starting to find this a little limited and I was thinking of moving these IPs off the primary interface.

Now the connection is currently like so:

ISP NTE > Switch (VLAN 111) > UTM WAN 1 with additional IPs (uses 2 physical ports on switch)

So I'm thinking here:

ISP NTE > Switch (VLAN 111) > UTM WAN 1, UTM WAN 2, UTM WAN 3 (which would use 4 physical ports and I could add additional IPs to any of the physicals) or purchase a UTM adapter (SG330 8 port adapter)

This would allow me to select different physical WANs for IPsec etc.

Anyone tried this?



This thread was automatically locked due to age.
  • You should never have two NICs for the same device on the same subnet, unless you are doing NIC teaming (Link Aggregation Groups).

    Here is my understanding of why it does not work:

    • Assume the router has address a.b.c.1 and the UTM has addresses a.b.c.2 (on interface A2) and a.b.c.3 (on interface A3)
    • The TCP/IP stack is layered -- at an upper level, the packet is created with a sender address of a.b.c.2
    • When the packet reaches the routing layer, the router is only looking for a path to the next hop (a.b.c.1). It picks one of the two NICs without trying to match the source address on the packet to the listen address associated with the NIC. Sometimes it picks wrong.
    • When other network devices see that a packet with source address a.b.c.3 came from interface A2, they all update their routing tables to send all future packets to the MAC address for A2.
    • When they try to use that new MAC address, the packet is rejected, so the sending device has to send a new ARP request, from which it learns that the packet should be sent to the MAC address for A3. This repeats and is called "ARP flapping".
    • Better network equipment will detect "ARP flapping", go into threat evasion mode, and block traffic from both NICs. Less intelligent devices will simply have lousy performance.

    With Windows, it is even worse, I think because there are problems with LAN-level protocols as well. I have some unhappy experience here, and have read Microsoft's warnings not to do it.

    With UTM, there may be some ways to limit the damage, by tying certain routes to certain interfaces, but I think it will be difficult to get implemented and even more difficult to sustain.

     I believe the options are:

    • Use a 1Gbps NIC until it is saturated, then upgrade to a 10Gbps fiber connection if you need more capacity.
    • Use a 1Gbps NIC until it is saturated, then add a second NIC with NIC teaming.
    • Use a 1Gbps NIC until it is saturated, then add a second NIC on a different subnet, and use uplink balancing.
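The "ARP flapping" failure mode described in the post above, seen from the switch or router side, is one IP address whose MAC owner keeps changing between the UTM's two NICs. As an added example (not code from the thread or from Sophos), here is a small detector over a constructed neighbour-observation log; the line format, addresses, MACs and port names are all assumptions for the sake of the example, so adapt `parse_line()` to what your equipment actually emits.

```python
# Added example: detect an IP address alternating between two MAC addresses
# ("ARP flapping") in a stream of neighbour observations.
import re
from collections import defaultdict

# Constructed sample log (format and values are assumptions for this example).
# 10.1.1.3 is a UTM address that is being seen from two NICs (…:a2 and …:a3),
# while 10.1.1.2 and 10.1.1.1 are stable.
SAMPLE_LOG = """\
10:00:01 arp 10.1.1.3 is-at 00:11:22:33:44:a2 via ge-0/0/1
10:00:02 arp 10.1.1.2 is-at 00:11:22:33:44:a2 via ge-0/0/1
10:00:04 arp 10.1.1.3 is-at 00:11:22:33:44:a3 via ge-0/0/2
10:00:07 arp 10.1.1.3 is-at 00:11:22:33:44:a2 via ge-0/0/1
10:00:09 arp 10.1.1.3 is-at 00:11:22:33:44:a3 via ge-0/0/2
10:00:12 arp 10.1.1.1 is-at 00:11:22:33:44:01 via ge-0/0/0
"""

LINE_RE = re.compile(r"^(\S+) arp (\S+) is-at (\S+) via (\S+)$")


def parse_line(line):
    """Parse one observation into (timestamp, ip, mac, port); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, mac, port = m.groups()
    return ts, ip, mac.lower(), port


def find_flapping(log_text, min_flips=2):
    """Return {ip: [(ts, old_mac, new_mac), ...]} for every IP whose MAC owner
    changed at least min_flips times. A single change is a normal re-addressing
    event; repeated back-and-forth changes are the flapping pattern."""
    last_mac = {}
    flips = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, mac, _port = rec
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            flips[ip].append((ts, prev, mac))
        last_mac[ip] = mac
    return {ip: changes for ip, changes in flips.items() if len(changes) >= min_flips}


def owners_of(log_text, ip):
    """Set of (mac, port) pairs an IP has been seen behind: for a flapping host
    this shows which two ports (here: which two UTM NICs) are competing."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == ip:
            seen.add((rec[2], rec[3]))
    return seen


if __name__ == "__main__":
    for ip, changes in find_flapping(SAMPLE_LOG).items():
        print(f"{ip} flapped {len(changes)} times between {owners_of(SAMPLE_LOG, ip)}")
```

The threshold matters: a host that genuinely moves to a new NIC once will produce a single MAC change, so alert on repeated alternation rather than on any change.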
  • Just to clarify then with some fictitious addresses on UTM

    eth0 = 81.81.81.1/28  <<< connects to ISP and has 13 additional addresses added to the UTM. No authentication etc.

    What is wrong with:

    eth0 = 81.81.81.1/29
    eth1 = 81.81.81.10/32
    eth2 = 81.81.81.11/32

    I'm trying to separate the additional IPs into physical interfaces so I can specify the IPsec listening interface rather than just be presented with eth0

    It's now got me wondering whether I should change to 3x /29 rather than 1x /28

  • Hi

    This should work. As long as you don't have conflicting IP ranges on the interfaces, you can continue. Once you specify a gateway IP, that will be treated as a WAN interface by UTM and you should have it available for selection in the IPsec configuration. That should allow you to increase the throughput of a connection (given that the bandwidth is provided by the ISP).

    Regards

    Jaydeep

  • I think you will still have trouble because there is outbound routing ambiguity - any of the three interfaces can be used successfully for reaching the ISP router. Testing will certainly resolve the issue. Hope it works for you.

  • Doug, the reason for that line in Rulz #3.1 is that WebAdmin doesn't know how to create routes when the Ethernet segments have overlapping subnets.  In this case, if he uses /32 on each additional Interface, WebAdmin will be fine.  Unlike most other routers, the config daemon knows how to build routing rules to get traffic to a default gateway that's outside the subnet defined on the interface.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
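The three replies above turn on two checks a practitioner would want before committing the plan: that the prefixes on eth0, eth1 and eth2 do not overlap (the condition Bob gives for WebAdmin being able to build routes), and that the ISP gateway may legitimately sit outside a /32 interface's subnet. The added example below (not code from the thread, from Sophos, or from WebAdmin's config daemon) runs those checks with the fictitious addresses from the question and then prints one generic Linux way of expressing "gateway outside the interface prefix" together with per-source egress selection via policy routing, which is the usual answer to the outbound ambiguity Doug mentions. The gateway address 81.81.81.6, the table numbers and the `ip route`/`ip rule` lines are assumptions for the example, not a statement of what UTM writes internally.

```python
# Added example: validate the eth0/eth1/eth2 addressing plan from the thread and
# generate an illustrative set of Linux routing commands for it.
import ipaddress
from itertools import combinations

# The plan from the question (fictitious addresses, as in the thread).
PLAN = {
    "eth0": "81.81.81.1/29",
    "eth1": "81.81.81.10/32",
    "eth2": "81.81.81.11/32",
}
# What it would look like if eth0 kept its original /28 (constructed for contrast).
PLAN_KEEP_28 = {
    "eth0": "81.81.81.1/28",
    "eth1": "81.81.81.10/32",
    "eth2": "81.81.81.11/32",
}
# Assumed ISP router address: on-link for the /29, off-subnet for the /32s.
GATEWAY = "81.81.81.6"


def overlapping_interfaces(plan):
    """Return [(ifA, ifB), ...] for every pair whose connected subnets overlap.
    An empty list is the 'no conflicting IP ranges' condition from the replies."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def gateway_on_link(cidr, gateway):
    """True if the gateway lies inside the interface's configured prefix."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(cidr).network


def routing_commands(plan, gateway, base_table=100):
    """Illustrative ip(8) commands (an assumption about a generic Linux host):
    a host route makes an off-subnet gateway reachable on the link, a per-interface
    table holds that interface's default route, and an ip rule keyed on the
    source address sends replies out of the NIC that owns the address."""
    if overlapping_interfaces(plan):
        raise ValueError("overlapping prefixes: %r" % overlapping_interfaces(plan))
    cmds = []
    for n, (name, cidr) in enumerate(sorted(plan.items())):
        iface = ipaddress.ip_interface(cidr)
        table = base_table + n
        if not gateway_on_link(cidr, gateway):
            cmds.append(f"ip route add {gateway}/32 dev {name}")
        cmds.append(f"ip route add default via {gateway} dev {name} table {table}")
        cmds.append(f"ip rule add from {iface.ip} lookup {table}")
    return cmds


def subnets_in(block, new_prefix):
    """How a block splits into smaller prefixes, e.g. how many /29s a /28 holds."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print("overlaps if eth0 stays /28:", overlapping_interfaces(PLAN_KEEP_28))
    print("overlaps with eth0 at /29:", overlapping_interfaces(PLAN))
    print("a /28 splits into:", subnets_in("81.81.81.0/28", 29))
    for cmd in routing_commands(PLAN, GATEWAY):
        print(cmd)
```

The overlap check is the reason the /29 on eth0 matters: 81.81.81.10 and .11 fall inside 81.81.81.0/28 but outside 81.81.81.0/29, so only the /29 plan passes. The `ip rule ... from <addr>` lines are what removes the egress ambiguity; without a source-keyed rule the kernel picks whichever default route it prefers regardless of which address the packet carries.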