topic Secondary public IP on Wan interface in Firewall and Security Management

Secondary public IP on Wan interface

IceCheck — Mon, 28 Nov 2022 14:38:23 GMT

Dear All,

We are using ClusterXL configuration with 3600 in R80.40.

Currently our provider is giving us two IPs subnet. The default one is /30 and the second one is /29

I did not find how to add a secondary IP on the Wan interface . Could you please tell me if is it possible to do it directly on the firewall?

Or do we need to use a L3 switch between ISP router and Firewall ? Ideally we have to use switch due to the cluster config but want to have L2 only.

After that same question if we are using two ISPs , will it be possible to have on both secondary IPs ?

Thanks in advance

Re: Secondary public IP on Wan interface

PhoneBoy — Tue, 29 Nov 2022 01:06:02 GMT

You cannot use a secondary IPs/LANs with ClusterXL--this is not supported.
The correct way to do this is to have your /29 routed to your cluster IP by the ISP router.
You can either use the /29 for NAT rules OR you can assign it to a physical interface (different from WAN).
If you're using clustering, assume L3 (Switches) are required on all connected interfaces.

In the case of sharing the /29 you got from one ISP with another...not possible.

Re: Secondary public IP on Wan interface

IceCheck — Tue, 29 Nov 2022 09:39:35 GMT

Thank you for your message and explanation.

Effectively due to clustering we are using Swicthes, ideally L2 but due to this configuration L3.

This feature is not supported for all devices and all version ? Or is it specific to this version and device ?

Thanks

Re: Secondary public IP on Wan interface

Chris_Atkinson — Tue, 29 Nov 2022 09:48:08 GMT

As PhoneBoy said above it's not the recommend way to do it regardless.

If your ISP cannot route the network towards your Firewalls existing WAN IP (VIP) than you may need to consider dynamic routing to advertise it.

Re: Secondary public IP on Wan interface

PhoneBoy — Tue, 29 Nov 2022 14:25:18 GMT

Using multiple IPs on a ClusterXL interface? Not supported on any version.

Re: Secondary public IP on Wan interface

Bob_Zimmerman — Tue, 29 Nov 2022 15:56:29 GMT

Multiple ISPs should be handled with multiple separate external interfaces. These can be tagged subinterfaces of a physical interface, or they can be multiple physical interfaces. You would then configure ISP Redundancy in the cluster object.

As for multiple public blocks from one ISP, how is that supposed to work? Are both of these networks on a single broadcast domain?

If they're both on one broadcast domain and you don't need the firewall itself to initiate new connections out from one of the IPs, you can always just add a proxy ARP statement for it. That will get the traffic from the broadcast domain to the firewall, where you can apply NAT or whatever.